Crypters And Tools. One tool for thousands of malicious files

This article discusses the malicious use of a subscription service called Crypters And Tools, enabling cybercriminals to generate malware loaders. Various hacker groups, including PhaseShifters, TA558, and Blind Eagle, utilize this service to conduct cyber attacks on organizations worldwide, primarily through phishing emails and malicious scripts. The article emphasizes the importance of understanding such tools to mitigate cybersecurity threats. Affected: PhaseShifters group, Blind Eagle group, TA558 group, Russian companies, hospitality and tourism businesses, governmental institutions in Colombia and Latin America, US organizations.

Key points:

  • Crypters And Tools is a subscription service allowing users to obfuscate files.
  • PhaseShifters group and other criminal organizations extensively use this service for cyber attacks.
  • The tool employs various techniques for evading detection, including obfuscation and process injection.
  • Attack vectors predominantly include phishing emails with malware-laden attachments.
  • Criminal infrastructure includes domains, private servers, and real-time databases.

MITRE Techniques:

  • T1608.001 – Staging: The tool allows users to store malware on a separate server.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Multiple consecutive PowerShell scripts are used to deliver the Ande Loader dropper.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell: Some obfuscated scripts are generated as BAT files.
  • T1059.005 – Command and Scripting Interpreter: Visual Basic: Other obfuscated scripts are produced in VBS format.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Malware persists via the Startup folder.
  • T1027 – Obfuscated Files or Information: The tool encodes its payload via Base64.
  • T1027.003 – Obfuscated Files or Information: Steganography: Uses steganography to store Ande Loader in image bytes.
  • T1027.010 – Obfuscated Files or Information: Command Obfuscation: PowerShell scripts obfuscated in various ways.
  • T1140 – Deobfuscate/Decode Files or Information: Builds a chain to decode the user’s malware during infection.
  • T1055.012 – Process Injection: Process Hollowing: Ande Loader decodes and injects into a legitimate running process.

Indicators of Compromise:

  • [Domain] cryptersandtools.com
  • [Domain] cryptersandtools.ddns.com.br
  • [Domain] servidorwindows.ddns.com.br
  • [IP Address] 91.92.254.14
  • [IP Address] 158.69.36.15

Full Story: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/crypters-and-tools-one-tool-for-thousands-of-malicious-files