ITG23 crypters continue to be deployed by post-Conti factions, providing a window into current campaigns and collaborations. The research tracks how crypters like Forest, Snow, Dave, Tron, and others remain active across multiple malware families and ransomware operations, including ties to BlackBasta, Quantum, and Royal, even after ITG23’s fragmentation. #ITG23 #Crypters #Trickbot #Conti
Key points
- Former ITG23 members and affiliates (e.g., Quantum, Royal, Zeon, BlackBasta, Karakurt) continue to use the same crypters, signaling ongoing cooperation.
- Post-ITG23 factions retain access to crypters for initial access and post-compromise tooling, with crypters seen alongside Emotet, IcedID, Qakbot, Bumblebee, Gozi, CobaltStrike, NetSupport, and Ligolo-NG.
- Eight crypters went inactive in early 2022, while Snow and Forest emerged as new successors, reflecting shifts after Conti’s shutdown.
- New malware families have been crypted with these loaders (e.g., SVCReady, CargoBay, Matanbuchus, Pikabot, Aresloader, Vidar, Minodo, LummaC2 Stealer) and used with ransomware (Quantum, Royal, BlackBasta, Nokoyawa).
- The article details numerous crypters (Forest, Snow, Dave, Tron, Lore, Mirror, Hexa, etc.) and their evolving roles across factions and partners.
- Additional loaders linked to Qakbot (Quartz, Quixotic, Quicksand) and CryptOne continue to be used with ITG23-related activity, notably with Qakbot and BlackBasta.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files or Information – Crypters encrypt and obfuscate malware to evade detection by antivirus (AV) scanners: “crypters, which are also referred to as loaders or packers, are applications designed to encrypt and obfuscate malware to evade detection by antivirus (AV) scanners and hinder analysis.”
- [T1140] Deobfuscate/Decode Files or Information – Forest/Snow decrypt and decompress payloads before loading the final payload; “decrypts the payload using a XOR-based algorithm, and decompresses it using QuickLZ.”
- [T1055] Process Injection – Loaders execute payloads by injecting into other processes and hooking API calls; “the loader installs hooks within the library functions NtOpenFile, NtCreateSection and NtMapViewOfSection, such that when these APIs are called the loader’s own functions will be executed.”
- [T1055.012] Process Hollowing – Some variants create a suspended process and inject payload via process hollowing; “created in suspended mode and the payload injected into it via process hollowing.”
- [T1105] Ingress Tool Transfer – Downloaders retrieve and load payloads from remote URLs; “the downloader variant updated to download and load a payload from the URL.”
- [T1071.001] Web Protocols – C2 communications and domain-based callbacks observed in crypter activity; “Forest-crypted CobaltStrike sample contacting a C2 domain … Nokoyawa ransomware attack.”
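The T1055 entry above describes the loader hooking NtOpenFile, NtCreateSection and NtMapViewOfSection inside the target process so that its own code runs when those APIs are called. A common defensive check for that behaviour is to compare the first bytes of each watched ntdll export as they appear in a live process against the same export's bytes on disk, and to flag a mismatch whose leading bytes look like a detour. The script below is an added example written for this summary, not code from the IBM article or from any crypter; the function names (`detect_inline_hooks`, `classify_prologue`, `sample_images`) and all byte strings are constructed test data, not real ntdll contents, and a real deployment would have to parse the on-disk PE export table and read the live image with ReadProcessMemory, which is outside the example.

```python
"""Inline-hook detection on Nt* exports by diffing disk vs. in-memory prologues.

Added example: not from the original article. All bytes below are constructed.
"""
import struct
from typing import Dict, List, Optional

# Exports the summary names as hooked by the loader, plus NtClose as an
# unhooked control so the check can be seen to produce no false positive.
WATCHED = ["NtOpenFile", "NtCreateSection", "NtMapViewOfSection", "NtClose"]
PROLOGUE_LEN = 16


def syscall_stub(ssn: int) -> bytes:
    """Constructed x64 syscall stub shape, padded with int3 to PROLOGUE_LEN:
    mov r10, rcx ; mov eax, <ssn> ; syscall ; ret"""
    stub = b"\x4c\x8b\xd1" + b"\xb8" + struct.pack("<I", ssn) + b"\x0f\x05" + b"\xc3"
    return stub + b"\xcc" * (PROLOGUE_LEN - len(stub))


def classify_prologue(mem: bytes) -> Optional[str]:
    """Return a label if the first bytes match a typical detour pattern, else None."""
    if mem[:1] == b"\xe9":                                        # jmp rel32
        return "jmp rel32"
    if mem[:2] == b"\xff\x25":                                    # jmp [rip+disp32]
        return "jmp [rip+disp32]"
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":      # mov rax, imm64 ; jmp rax
        return "mov rax, imm64; jmp rax"
    if mem[:1] == b"\x68" and mem[5:6] == b"\xc3":                # push imm32 ; ret
        return "push/ret"
    return None


def detect_inline_hooks(disk: Dict[str, bytes], memory: Dict[str, bytes],
                        n: int = PROLOGUE_LEN) -> List[dict]:
    """Compare the first n bytes of each watched export on disk vs. in memory.

    Any difference is reported; the 'pattern' field names the detour shape when
    the in-memory bytes match a known one, otherwise 'unknown patch'."""
    findings = []
    for name in WATCHED:
        on_disk, in_mem = disk.get(name), memory.get(name)
        if on_disk is None or in_mem is None:
            continue  # export not present in one of the images; nothing to compare
        if on_disk[:n] != in_mem[:n]:
            findings.append({
                "export": name,
                "pattern": classify_prologue(in_mem) or "unknown patch",
                "disk": on_disk[:n].hex(),
                "memory": in_mem[:n].hex(),
            })
    return findings


def sample_images():
    """Constructed disk and memory images: three exports detoured, NtClose intact."""
    disk = {name: syscall_stub(0x30 + i) for i, name in enumerate(WATCHED)}
    memory = dict(disk)

    def patch(name: str, detour: bytes) -> None:
        memory[name] = detour + disk[name][len(detour):]

    patch("NtOpenFile", b"\xe9" + struct.pack("<i", 0x1000))                       # jmp rel32
    patch("NtCreateSection", b"\x48\xb8" + struct.pack("<Q", 0x7FF600001000) + b"\xff\xe0")
    patch("NtMapViewOfSection", b"\xff\x25" + struct.pack("<i", 0))                # jmp [rip+0]
    return disk, memory


def run_demo() -> List[dict]:
    disk, memory = sample_images()
    return detect_inline_hooks(disk, memory)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['export']:<20} {f['pattern']:<28} disk={f['disk']} mem={f['memory']}")
```

The prologue diff is deliberately byte-exact rather than pattern-only: a loader can use a detour shape not in `classify_prologue`, and the mismatch is still reported as "unknown patch". On a real host, compare against the ntdll copy actually loaded (same version and relocation) so that legitimate differences are not mistaken for hooks.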
Indicators of Compromise
- [Hash] Example crypt-loader payloads – ea2d71af9790b0a058d0d166c52c2609a1a106053189c515b6059b5f18e9e48b, a6807d559eedefff6ff1d9d7e90e5765d1a0a1843139ec8eb03527b60e0630e4
- [Hash] Snow/Qakbot related payloads – 09ed2cf56af8385c87f297c2a4f168efdfc78434b8a42a9122328e775f5f0400, e2723661efa1115c81bb13238b5925422ef3abf89909e005f7da6c4671d67930
Read more: https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/