Keypoints
- Crypt Ghouls targets Russian government agencies and companies across mining, energy, finance, and retail with ransomware and credential theft.
- Initial access was observed via compromised contractor VPN credentials, with VPN connections originating from a Russian hosting provider and contractor networks.
- The group uses credential-harvesting tools such as Mimikatz and XenAllPasswordPro, plus memory-dump utilities and browser data collection to capture logins and Kerberos tickets.
- Persistence and remote access were maintained using NSSM, Localtonet, AnyDesk, resocks, and PAExec, with some tooling downloaded from localtonet.com and GitHub.
- Ransomware payloads included LockBit 3.0 for Windows and Babuk for ESXi/Linux; LockBit was configured to exclude system directories and an "intel" folder while performing destructive recycle-bin renaming.
- DLL sideloading (dismcore.dll with dism.exe) and process injection into rundll32.exe were observed, and the group abused WMI (WmiExec.py) and scheduled tasks to dump NTDS.dit and move laterally.
- Strong overlaps in tools, naming conventions, and infrastructure link Crypt Ghouls to other groups (MorLock, BlackJack, Twelve, Shedding Zmiy), suggesting shared tooling or collaboration.
MITRE Techniques
- [T1003] Credential Dumping: Used tools like Mimikatz and MiniDump Tool to extract credentials from LSASS memory, for example: "Utilized Mimikatz to extract credentials from memory."
- [T1219] Remote Access Tools: Employed remote-access utilities to maintain interactive access, for example: "Employed AnyDesk and Localtonet for remote access."
- [T1486] Data Encrypted for Impact: Deployed ransomware to encrypt victim data and disrupt operations, for example: "Encrypted files using LockBit 3.0 and Babuk ransomware."
- [T1055] Process Injection: Injected code into legitimate processes to run malicious payloads, for example: "Injected malicious code into rundll32.exe using Mimikatz."
- [T1071] Command and Control: Communicated with external command-and-control servers to load and control payloads, for example: "Utilized C2 servers for command and control communications."
Indicators of Compromise
- [File Hashes] Malicious binaries and loaders: 01fba22c3e6cf11805afe4ba2f7c303813c83486e07b2b418bf1b3fabfd2544e (dismcore.dll), 3edb6fb033cc00c016520e2590e2888e393ad5ed725e853eea3bc86cee3b28b8 (resocks), and other hashes such as dec147d7… (LockBit 3.0) and 56682344… (Babuk).
- [IP Addresses] C2 and VPN endpoints: 45.11.181[.]152 (netstaticpoints[.]com, CobInt C2), 169.150.197[.]10 and 169.150.197[.]18 (SurfShark VPN endpoints), 91.142.73[.]178 (VDSINA hosting).
- [File names/paths] Tool and loader locations observed on hosts: C:\ProgramData\oracle\dismcore.dll, C:\programdata\allinone2023\XenAllPasswordPro.exe, c:\programdata\intell\intellpui.vbs (CobInt loader), C:\Users\User\Downloads\dumper.ps1, and /tmp/lock.out (Babuk on ESXi).
- [Domains/URLs] Download and infrastructure URLs: hxxp://localtonet.com/nssm-2.24.zip, https://github.com/ip7z/7zip/releases/download/23.01/7zr.exe, and netstaticpoints[.]com referenced as a CobInt C2 domain.
In December, investigators identified an active ransomware cluster they named "Crypt Ghouls" that focused attacks on Russian businesses and government agencies. The group's operations exhibited clear links to other threat actors through shared tools, techniques, and partial infrastructure overlap, suggesting either cooperation or common access to the same toolsets.
Across multiple incidents, Crypt Ghouls relied on a toolkit composed of public and freely available utilities as well as bespoke loaders. Notable tools included Mimikatz and XenAllPasswordPro for credential harvesting, PingCastle and SoftPerfect Network Scanner for reconnaissance, Localtonet and NSSM for persistence and tunneling, resocks for proxying traffic, and remote-access software such as AnyDesk and PAExec. For final-stage impact, the actors deployed LockBit 3.0 against Windows environments and Babuk against Linux/ESXi hosts.
Where initial access could be reconstructed, attackers commonly used compromised contractor credentials to connect via VPN into victims' networks. Those VPN connections originated from IP ranges tied to a Russian hosting provider and contractor networks, and investigators suspect that contractors are often targeted through vulnerable VPN services or by exploiting unpatched software. To preserve access after initial compromise, the actors installed and ran NSSM to create persistent services and used Localtonet to open encrypted tunnels. Samples of these utilities were obtained from localtonet.com using URLs such as hxxp://localtonet.com/nssm-2.24.zip and hxxp://localtonet.com/download/localtonet-win-64.zip.
Credential harvesting was a major focus of the intrusions. XenAllPasswordPro was executed from several characteristic locations (paths like C:\ProgramData\allinone2023\XenAllPasswordPro.exe and similar variants) and run under wmiprvse.exe parent processes, with artifacts consistent with Impacket's WmiExec.py module in command-line outputs. In one case, actors deployed a CobInt backdoor via a VBScript loader, Intellpui.vbs, which executed obfuscated PowerShell and fetched a CobInt payload from a C2. In some attacks the group used RDP rather than WMI to launch XenAllPasswordPro, and in others they saved the HKLM\SECURITY registry hive to a temporary file in order to access secrets managed by the Local Security Authority.
Mimikatz featured in several incidents: the utility was used to inject code into rundll32.exe and to dump LSASS memory using commands such as "sekurlsa::minidump lsass.dmp", enabling extraction of authenticated user credentials. The actors also ran publicly available PowerShell scripts renamed to evade detection; for example, an open-source Kerberos ticket dumping script was renamed to .gpo_compliance.ps1. In addition to Mimikatz and PowerShell-based dumping, the group used the MiniDump Tool (invoked as T.exe with the LSASS PID) to create process dumps; that tool generated a driver file under AppData\Local\Temp\kxxxxxxx.sys to read process memory and save the dump to disk.
To steal browser-stored credentials, the attackers copied Login Data files from Microsoft Edge and Google Chrome into temporary directories with commands executed via WMI. They also used PowerShell executed through wmiprvse.exe to enumerate local user accounts. On domain controllers they leveraged compromised credentials and WMI to run ntdsutil and create an NTDS.dit snapshot; this task was automated by modifying an existing scheduled task several times to create the dump, archive it using 7zr (downloaded from GitHub), and then remove the temporary folder before restoring the task to its original state. Although the attackers archived the directory containing the NTDS dump, investigators did not observe further exfiltration after archiving.
Network discovery and lateral movement were supported by tools like PingCastle (used to enumerate domain infrastructure; the sample had MD5 F4A84D6F1CAF0875B50135423D04139F) and SoftPerfect Network Scanner for port and share discovery. The Impacket WmiExec.py module and remote-execution utilities such as PAExec were used to run commands across hosts.
Infrastructure analysis revealed varied remote-access tooling and proxy usage. AnyDesk binaries and Localtonet executables were found in victim environments, and resocks, a reverse SOCKS5 proxy, was configured to contact 91.142.73[.]178, an IP in VDSina's hosting network, using a connection key embedded in its parameters. Several remote-connection IPs tied to AnyDesk and Localtonet resolved to Surfshark VPN addresses, indicating the actors used VPN services to mask their connection origins.
The attackers also abused DLL sideloading by placing a legitimate dism.exe alongside a malicious dismcore.dll in C:\ProgramData\oracle; the loader attempted to locate an odbcconf.xml file that would contain the payload, although that specific payload file was not recovered. For impact, the group used public ransomware builds: a LockBit 3.0 sample for Windows and Babuk for Linux/ESXi. The LockBit configuration instructed encryption of local drives, termination of specific services and processes, disabling of Windows Defender, and deletion of event logs, while excluding system folders and an "intel" folder (where credential-harvesting tools had been staged) from encryption. Investigators observed a destructive and unusual recycle-bin routine in which the malware encrypted files and then repeatedly renamed a file through sequences of alphabetic names (aaaaaaaaaaa -> bbbbbbbbbbb -> ... -> zzzzzzzzzzz) before attempting to delete the last version, a behavior that makes file recovery extremely difficult.
After encryption, the attackers left a ransom note linking to a Session messaging contact containing an attacker ID. Session provides end-to-end encryption and has been used previously by other ransomware operations such as GhostLocker, SEXi, and MorLock. Against ESXi servers, the actors uploaded a Babuk binary via SSH and ran commands like "/tmp/lock.out '/vmfs/volumes/[redacted]'" to encrypt virtual machine files, indicating an intention to disrupt core business operations in addition to monetary extortion.
There are strong overlaps between Crypt Ghouls and several other groups active against Russian targets. MorLock, as documented by F.A.C.C.T., shares many tools (SoftPerfect Network Scanner, XenAllPasswordPro, AnyDesk, PingCastle, Localtonet, NSSM, resocks, LockBit 3.0, Babuk) and even naming conventions for resocks binaries (e.g., "xfs-healthcheck") and the "allinone2023" directory used for XenAllPasswordPro. BlackJack and Twelve have also been observed using XenAllPasswordPro, and the Intellpui.vbs CobInt loader seen in a Crypt Ghouls incident was previously associated with Twelve. Shedding Zmiy (linked to the (Ex)Cobalt cluster) has used DLL sideloading with dismcore.dll and hosted C2 on VDSina, echoing elements found in Crypt Ghouls activity. These commonalities suggest resource sharing, reuse of leaked or publicly available tooling, or collaboration among different actors, complicating attribution efforts.
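As an added example (not code from the report or from any tool it names), the credential-harvesting, NTDS-dump and sideloading observations in the paragraphs above turned into a small set of process-creation hunting rules and run over constructed, Sysmon-style records; the rule names, the `Key=Value|Key=Value` record format and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    image: str     # created process image path
    parent: str    # parent process image path
    cmdline: str   # logged command line

def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(fields.get("Image", ""), fields.get("ParentImage", ""),
                 fields.get("CommandLine", ""))

# Hypothetical rule names; each predicate encodes one behaviour the report describes.
RULES = {
    "xenallpasswordpro_under_wmiprvse": lambda e:   # harvester spawned through WMI
        e.image.lower().endswith("xenallpasswordpro.exe")
        and e.parent.lower().endswith("wmiprvse.exe"),
    "mimikatz_sekurlsa_minidump": lambda e:          # parsing an LSASS dump
        "sekurlsa::minidump" in e.cmdline.lower(),
    "ntdsutil_snapshot": lambda e:                   # NTDS.dit snapshot on a DC
        e.image.lower().endswith("ntdsutil.exe")
        and "snapshot" in e.cmdline.lower(),
    "dism_sideload_from_programdata": lambda e:      # dism.exe staged beside dismcore.dll
        e.image.lower().endswith("dism.exe")
        and "\\programdata\\oracle\\" in e.image.lower(),
    "hidden_dotfile_ps1": lambda e:                  # renamed script such as .gpo_compliance.ps1
        re.search(r"[\\ ]\.[\w-]+\.ps1\b", e.cmdline, re.I) is not None,
}

def detect(lines):
    """Return (rule name, image) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((name, ev.image) for name, pred in RULES.items() if pred(ev))
    return hits

# Constructed sample telemetry modelled on the observations above (not real logs).
SAMPLE_LOG = [
    r"Image=C:\ProgramData\allinone2023\XenAllPasswordPro.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=XenAllPasswordPro.exe",
    r"Image=C:\Windows\Temp\m.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=m.exe sekurlsa::minidump lsass.dmp",
    r"Image=C:\Windows\System32\ntdsutil.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=ntdsutil.exe snapshot create",
    r"Image=C:\ProgramData\oracle\dism.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=dism.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=powershell.exe -File C:\Users\User\.gpo_compliance.ps1",
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_LOG):
        print(f"{name:35} {image}")
```

The last sample record is benign and trips nothing; the parent-process condition on the XenAllPasswordPro rule is what separates the WMI-launched pattern from an interactive RDP launch, which the report also notes and which would need a separate rule.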
Victims attributed to Crypt Ghouls include Russian government entities and companies across mining, energy, finance, and retail sectors. In conclusion, Crypt Ghouls represents another actor in a broader pattern of attacks that leverage compromised subcontractor credentials and widely available offensive tools and ransomware builds. Because many groups are using leaked or publicized ransomware code and overlapping toolchains, distinguishing individual perpetrators is increasingly difficult; the shared toolkit and infrastructure elements imply either cooperation or a marketplace-driven reuse of capabilities among multiple actors.
Read more: https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/114217/