CrazyHunter is a Go-based ransomware forked from the Prince builder that targets Windows environments—primarily healthcare organizations in Taiwan—using GPO abuse, BYOVD with a vulnerable Zemana driver, memory loaders, and multiple AV-killing components to rapidly propagate and evade defenses. The Trellix analysis details the full attack lifecycle, technical artifacts (including go.exe/go2.exe/go3.exe, bb.exe, crazyhunter.sys), mitigation recommendations, and IOCs for detection and response. #CrazyHunter #SharpGPOAbuse
Keypoints
- CrazyHunter is a Go-developed ransomware forked from the Prince builder that primarily targeted six companies in Taiwan, with repeated attacks against hospitals in the healthcare sector.
- Initial access frequently leveraged weak Active Directory domain account passwords, enabling attackers to move laterally and deploy payloads via SharpGPOAbuse and compromised AD credentials.
- Attackers use AV-killer components (go.exe, go2.exe) that register with and abuse a vulnerable, signed driver (zam64.sys v2.18.371.0) to enumerate and terminate anti-malware processes via IOCTLs (0x80002010, 0x80002048).
- ru.bat orchestrates the chain: AV-killers, donut loader (bb.exe) executing crazyhunter.sys shellcode in memory, primary encryptor (go3.exe), and a backup encryptor (crazyhunter.exe) to ensure encryption succeeds.
- Encryption uses ChaCha20 with a 1:2 partial encryption pattern and ECIES to protect per-file keys/nonces; encrypted files are renamed with a .hunter extension.
- Extortion and exfiltration capabilities include file.exe (file server or file-monitor/delete modes), attacker contact channels ([email protected], Telegram@Magic13377), and a TOR leak site; Trellix provides detection and mitigation signatures.
MITRE Techniques
- [T1078.002] Valid Accounts – Exploited weak passwords on domain accounts to gain initial access. (‘Exploited weak passwords to compromise AD accounts.’)
- [T1204.002] User Execution – Malicious File – Deployed malware via Group Policy Objects using SharpGPOAbuse to execute payloads across the domain. (‘Leveraged SharpGPOAbuse to deploy malware via Group Policy Objects (GPOs).’)
- [T1484.001] Domain Policy Modification – Used GPOs and domain policy modification to persist and execute ransomware across the network. (‘Executed the ransomware payload after gaining initial access.’)
- [T1068] Exploitation for Privilege Escalation – Employed a bring-your-own-vulnerable-driver (BYOVD) tactic using a modified Zemana driver (zam64.sys) to escalate privileges and bypass security controls. (‘Utilised BYOVD with a modified Zemana driver to bypass security controls.’)
- [T1553.002] Code Signing – Signed malicious drivers (or abused signed drivers) to avoid detection and enable privileged operations. (‘Signed malicious drivers to avoid detection.’)
- [T1036] Masquerading – Disguised malicious components as legitimate processes to evade process-based detection. (‘Disguised ransomware as a legitimate process.’)
- [T1003] Credential Dumping – Likely extracted credentials to facilitate lateral movement and further compromise. (‘Credentials will likely be extracted to facilitate lateral movement within the network.’)
- [T1018] Remote System Discovery – Identified accessible systems to expand the attack surface and target additional hosts. (‘Identified accessible systems to expand the attack.’)
- [T1021] Remote Services – Propagated the ransomware using compromised AD credentials and GPOs to reach remote systems. (‘Propagated the ransomware using compromised AD credentials and GPOs.’)
- [T1486] Data Encrypted for Impact – Encrypted files across targets (renamed with .hunter) to disrupt operations and demand ransom. (‘Encrypts the target systems, severely disrupting operations.’)
- [T1485] Data Destruction – Potentially deleted backups or logs to complicate recovery efforts and hinder response. (‘Possibly deleted backups or logs to complicate recovery efforts.’)
Indicators of Compromise
- [File Hash] Ransomware and AV-killer executables – f72c03d37db77e8c6959b293ce81d009bf1c85f7d3bdaa4f873d3241833c146b (go3.exe), 754d5c0c494099b72c050e745dde45ee4f6195c1f559a0f3a0fddba353004db6 (go.exe), and 6 more hashes.
- [Filenames] Orchestrator, loaders, and shellcode – ru.bat (deployment script), crazyhunter.sys (Donut encrypted shellcode).
- [Driver] Vulnerable signed driver used for BYOVD – zam64.sys version 2.18.371.0 (signed by Zemana) used to register and issue IOCTLs.
- [Email] Attacker contact – [email protected] (ransom negotiation contact shown in ransom note).
- [Messaging Channel] Threat actor communication – Telegram@Magic13377 (attacker Telegram channel linked to negotiations/leak site).
- [Onion URL] Leak/negotiation site – 7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd[.]onion (attacker TOR page).
- [URL] Wallpaper/remote retrieval used in post-encryption notification – hxxps://ncmep[.]org/files/2023/05/ransomeware-01-1280×640[.]png (downloaded and set as wallpaper).
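The key points and the indicator list above describe three observable stages of the chain: the vulnerable zam64.sys 2.18.371.0 driver being loaded, the AV-killer/loader/encryptor components being executed, and files being renamed to .hunter. The following detection sketch is an added example (not Trellix's signatures or code) that correlates those stages per host over constructed key=value telemetry; the telemetry format, the host names and the rename threshold are assumptions, and a lone go.exe is deliberately not treated as evidence because the Go toolchain ships a binary of the same name.

```python
import re
from collections import defaultdict

# Artifact names and the driver version are the ones listed in the summary above.
BYOVD_DRIVER = ("zam64.sys", "2.18.371.0")
CHAIN_COMPONENTS = {"go.exe", "go2.exe", "go3.exe", "bb.exe", "crazyhunter.exe", "ru.bat"}
RANSOM_EXT = ".hunter"
RENAME_THRESHOLD = 2  # assumption: .hunter renames per host before we call it mass encryption
KV_RE = re.compile(r"(\w+)=(\S+)")
# Constructed telemetry in a simple key=value form (not real Sysmon output); values have no spaces.
SAMPLE_TELEMETRY = """\
host=WS01 event=DriverLoad image=C:\\Windows\\Temp\\zam64.sys version=2.18.371.0
host=WS01 event=ProcessCreate image=C:\\Users\\Public\\go.exe parent=cmd.exe
host=WS01 event=ProcessCreate image=C:\\Users\\Public\\bb.exe parent=cmd.exe
host=WS01 event=FileRename target=D:\\share\\q1.xlsx.hunter
host=WS01 event=FileRename target=D:\\share\\q2.xlsx.hunter
host=WS02 event=ProcessCreate image=C:\\Go\\bin\\go.exe parent=code.exe
""".splitlines()

def host_signals(lines):
    """Collect per-host evidence for the three stages: BYOVD driver load, chain components, encryption."""
    sig = defaultdict(lambda: {"byovd": False, "components": set(), "renames": 0})
    for raw in lines:
        ev = dict(KV_RE.findall(raw))  # key=value pairs of one telemetry line
        if "host" not in ev:
            continue
        h = sig[ev["host"]]
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()  # basename of the image path
        if ev.get("event") == "DriverLoad" and (image, ev.get("version")) == BYOVD_DRIVER:
            h["byovd"] = True
        elif ev.get("event") == "ProcessCreate" and image in CHAIN_COMPONENTS:
            h["components"].add(image)
        elif ev.get("event") == "FileRename" and ev.get("target", "").lower().endswith(RANSOM_EXT):
            h["renames"] += 1
    return sig

def flag_hosts(lines):
    """Return {host: reasons} for hosts showing at least two independent signals; one go.exe alone is not enough."""
    flagged = {}
    for host, s in host_signals(lines).items():
        reasons = []
        if s["byovd"]:
            reasons.append("vulnerable zam64.sys 2.18.371.0 loaded")
        if len(s["components"]) >= 2:
            reasons.append("chain components: " + ", ".join(sorted(s["components"])))
        if s["renames"] >= RENAME_THRESHOLD:
            reasons.append(f"{s['renames']} renames to .hunter")
        if len(reasons) >= 2:
            flagged[host] = reasons
    return flagged
```

Running `flag_hosts(SAMPLE_TELEMETRY)` flags WS01 on all three signals and leaves WS02, where only the legitimately named go.exe ran, unflagged.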
Read more: https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/