ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups

IBM X-Force researchers dissect ITG23’s crypter operations, revealing a sprawling ecosystem where ITG23 and partner groups crypt, distribute, and deploy malware across Trickbot, Emotet, IcedID, Qakbot, MountLocker, Gozi, and more. The findings show a highly coordinated “build machine” operation, multiple crypter families, and extensive inter-group cooperation evidenced by ContiLeaks chats, with ties to TA551/Hive0106 and Emotet/IcedID ecosystems. #ITG23 #Emotet

Keypoints

  • ITG23 operates a widespread crypting operation, creating crypters used with Trickbot, BazarLoader, Conti, Colibri, Emotet, IcedID, Qakbot, MountLocker, and Gozi.
  • A Jenkins-based “Build Machine” automates mass crypting, enabling ITG23 and affiliates to crypt malware at scale.
  • ContiLeaks chatter reveals a formal internal hierarchy (Bentley, Mango, Stern) and the use of a Jenkins server for crypter building and sample distribution.
  • ITG23 has close, long-running ties with Emotet and IcedID, with mutual malware seeding and coordinated development efforts.
  • ITG23 crypters have been used with Gozi and Qakbot, indicating wider distribution partnerships (TA551/Hive0106).
  • Thirteen known crypters (Dave, Pear, Lore, Mirror, Galore, Rustic, Tron, Hexa, Stub, Error, Charm, Graven, Skeleton) are in active use, each with distinct loading/decryption approaches.
  • The crypters leverage obfuscation, stubs, and in-memory loading (often via Reflective DLL Injection) to evade detection and facilitate ransomware deployment.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – Crypters encrypt and obfuscate malware to evade antivirus scanners and malware analysts. ‘Crypters encrypting the pre-compiled malware payload and embedding it within a secondary binary, known as a stub, which contains code to decrypt and execute the malicious payload.’
  • [T1055] Process Injection – The stub loads the decrypted payload into memory and executes it. ‘loads the payload into memory and executes’
  • [T1620] Reflective DLL Injection – Lore, Mirror, and related crypters use Reflective DLL Injection to load payloads at runtime. ‘Reflective Dll Injection’ and related loading behavior
  • [T1583] Acquire Infrastructure – Build Jenkins-based infrastructure (Build Machine) to automate crypting and distribution. ‘The Build Machine was created in April 2021… coinciding with an increase in the use of crypters’
  • [T1587.001] Acquire Capabilities – Establishing tooling and processes (build server) to mass-produce crypts for malware operations. ‘build machine for cryptors’ and related discussions
  • [T1497] Virtualization/Sandbox Evasion – Crypters include functions to detect sandbox environments. ‘additional functionality to detect sandbox environments’
  • [T1059] Command and Scripting Interpreter (Build/Automation Context) – Jenkins and build scripts used to automate the crypting and testing processes
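
The crypter pattern described above (an encrypted payload embedded in a stub that decrypts and loads it in memory) leaves a measurable trace: a large, contiguous high-entropy region inside otherwise ordinary code. The following triage script is an added example, not code from IBM X-Force or from any of the crypters named here; it builds a constructed stand-in sample (low-entropy stub text around seeded pseudo-random bytes in place of the encrypted payload, with the window size and 7.0 bits/byte threshold chosen as assumptions) and flags such regions.

```python
import math
import random
from collections import Counter

# Constructed sample, not a real crypter: low-entropy "stub" code surrounds a
# blob of seeded pseudo-random bytes standing in for the encrypted payload.
STUB_CODE = b"mov eax, ebx; call decrypt; ret " * 80  # 2560 bytes, 5 windows
_rng = random.Random(2022)
ENCRYPTED_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_STUB = STUB_CODE + ENCRYPTED_PAYLOAD + STUB_CODE


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _close_run(run, window):
    """Collapse a run of (offset, entropy) windows into one region tuple."""
    offsets, entropies = zip(*run)
    return (offsets[0], len(run) * window, sum(entropies) / len(entropies))


def find_high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Scan fixed-size windows and merge adjacent windows whose entropy reaches
    the threshold into (offset, length, mean_entropy) regions."""
    regions, run = [], []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            run.append((off, h))
        elif run:
            regions.append(_close_run(run, window))
            run = []
    if run:
        regions.append(_close_run(run, window))
    return regions


def looks_crypted(data: bytes, min_payload: int = 2048) -> bool:
    """Triage verdict: True when a contiguous high-entropy region is large enough
    to hold a payload, the profile of an encrypted blob carried by a stub."""
    return any(length >= min_payload
               for _, length, _ in find_high_entropy_regions(data))


if __name__ == "__main__":
    for off, length, h in find_high_entropy_regions(SAMPLE_STUB):
        print(f"high-entropy region at {off:#x}: {length} bytes, {h:.2f} bits/byte")
    print("looks crypted:", looks_crypted(SAMPLE_STUB))
```

Packed binaries (e.g. UPX) also score high on this check, so treat a hit as a reason to unpack and inspect, not as attribution to a specific crypter family.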

Indicators of Compromise

  • [SHA256 Hash] 947c81aefdb479de7e75f14be2921bb829478680e039c2bc40a4c258524819b8 – Trickbot sample crypted via Dave crypter
  • [SHA256 Hash] 8661bd7d893fe1dd2109fac55cf9cea5f609012769732039e20165a3198c1086 – BazarLoader payload crypted with Pear crypter
  • [File Name] zev4.dll – Zeus-related crypting request observed in ContiLeaks chats
  • [File Name] zem1.dll – Zeus-related crypting request observed in ContiLeaks chats
  • [File Name] stager_1_tr.dll – Crypted Qakbot stager discussed in Tramp/Bentley exchanges

Read more: https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/