LevelBlue detected and contained a multi-stage intrusion that used a logistics-themed spear-phishing lure to deliver the CrySome RAT through staged downloads, PowerShell abuse, AMSI bypass, and Defender tampering. The operation ended with persistent remote access, browser credential theft, and C2 communication to 193.26.115[.]42:5555, while reusing tools and infrastructure such as WinDefCtl, signindat[.]com, and kvckiller.sys. #CrySomeRAT #WinDefCtl #signindatcom #kvckillersys #LevelBlue
Keypoints
- The intrusion began with a spear-phishing email impersonating a freight rate confirmation and linking to a fake portal on signindat[.]com.
- Clicking the lure downloaded a batch file that launched hidden PowerShell, bypassed execution policy, and patched AMSI in memory.
- A first-stage loader, ElevatorShellCode.exe, attempted UAC bypass through ICMLuaUtil before fetching and executing the next stage in memory.
- The second-stage PowerShell script created logs, added Microsoft Defender exclusions, deployed WinDefCtl, and launched the final payload.
- WinDefCtl was used to weaken Microsoft Defender by manipulating IFEO settings and loading kvckiller.sys to stop security processes.
- CrySome RAT established persistence via a scheduled task named CrysomeLoader and provided remote access, command execution, reconnaissance, and credential theft.
- The malware targeted Chromium browsers, injecting abe_decrypt.dll to extract passwords.json and cookies.json for exfiltration.
MITRE Techniques
- [T1566.002 ] Phishing: Spearphishing Link â The victim received a logistics-themed lure that directed them to a fake document portal (âthe email impersonated a legitimate freight rate confirmation and directed the recipient to hxxps://signindat[.]comâ).
- [T1204.002 ] User Execution: Malicious File â The user was tricked into downloading and running the batch file (âClicking Download Rate Confirmation does not deliver a PDF as expected. Instead, the site downloads a batch fileâ).
- [T1059.001 ] Command and Scripting Interpreter: PowerShell â PowerShell was used with hidden windows, execution-policy bypass, in-memory execution, and payload staging (âlaunches a hidden PowerShell process with -ExecutionPolicy Bypassâ, âexecutes it in memory using IEXâ).
- [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control â The loader attempted privilege escalation using ICMLuaUtil (âattempts privilege elevation using the ICMLuaUtil UAC bypass techniqueâ).
- [T1562.001 ] Impair Defenses â The actor patched AMSI, added Defender exclusions, and ran WinDefCtl/AVKiller to weaken endpoint security (âpatches AMSI in memoryâ, âadds Microsoft Defender exclusionsâ, âused to weaken Microsoft Defenderâ).
- [T1036.005 ] Masquerading: Match Legitimate Name or Location â The attacker renamed update.exe to svchost.exe and ran it from a user-writable temp folder (âsaved as %TEMP%svchost.exeâ, âexecution from %TEMP% is anomalousâ).
- [T1105 ] Ingress Tool Transfer â Multiple payloads and the decoy PDF were downloaded from attacker-controlled infrastructure (âdownloads the next-stage payloadâ, âdownloads update.exeâ, âdownloads the primary payloadâ, âdownloads a legitimate-looking freight rate confirmation PDFâ).
- [T1053.005 ] Scheduled Task/Job: Scheduled Task â Persistence was achieved by creating a recurring scheduled task (âcreates a scheduled task named CrysomeLoaderâ, âexecute the current client executable every five minutesâ).
- [T1546.012 ] Event Triggered Execution: Image File Execution Options Injection â WinDefCtl used IFEO manipulation as part of Defender interference (âleverages Image File Execution Options (IFEO) manipulationâ).
- [T1055 ] Process Injection â The credential module injected abe_decrypt.dll into browser processes (âinjects abe_decrypt.dllâ, âinto Chromium-based browser processesâ).
- [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers â Stored browser credentials and cookies were extracted (âretrieving decrypted passwords.json and cookies.json filesâ).
- [T1071.001 ] Application Layer Protocol: Web Protocols â The malware used HTTP(S) to retrieve staged payloads and connect to infrastructure (âdownloads stage.ps1 from the attacker-controlled infrastructureâ, âC2 endpoint (193.26.115[.]42:5555)â).
- [T1219 ] Remote Access Software â CrySome RAT provided persistent remote access and operator control (âfeatures including HVNC, remote command execution, system reconnaissance, and credential theftâ).
Indicators of Compromise
- [Domain/URL ] phishing and payload hosting infrastructure â signindat[.]com, hxxps://signindat[.]com/patch.exe, and 2 more URLs
- [Email address ] phishing sender used in lure â [email protected]
- [IP address ] command-and-control server â 193.26.115[.]42, 193.26.115[.]42:5555
- [SHA-256 hash ] batch file and loader samples â ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4, 53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff
- [SHA-256 hash ] stage and payload binaries â ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd, b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3
- [SHA-256 hash ] final payload and driver â c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a, ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8
- [File name ] dropped and executed artifacts â Rate_Confirmation_LD-2026-0847.bat, ElevatorShellCode.exe, patch_diag.exe, and xeno_diag.log
- [File name ] credential theft artifacts â abe_decrypt.dll, passwords.json, cookies.json, and svchost.exe running from %TEMP%
- [Persistence artifact ] scheduled task and command â CrysomeLoader, schtasks.exe /create /tn âCrysomeLoaderâ /tr âC:UsersAppDataLocalTemppatch_diag.exeâ /sc minute /mo 5 /f
- [Registry path ] Defender tampering locations â HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options, IFEO Debugger entries for PSUAMain.exe, avp.exe, avpui.exe, and ekrn.exe