Ransomware Actors Combine Legitimate Tools with Custom Malware to Evade Detection


Operators behind the Crypto24 strain are employing highly coordinated, multi-stage attacks that blend legitimate system tools with bespoke malware to infiltrate networks, maintain persistence, and evade endpoint detection and response (EDR) systems.

According to detailed analysis from Trend Micro researchers, these adversaries target high-profile organizations across Asia, Europe, and the United States, with a particular focus on financial services, manufacturing, entertainment, and technology sectors.

The attacks often unfold during off-peak hours to reduce the chance of being noticed, using PsExec for lateral movement, AnyDesk for remote access, and a keylogger for credential harvesting, with stolen data exfiltrated to Google Drive.

This “living off the land” (LotL) approach integrates malicious activities seamlessly with routine IT operations, allowing threat actors to create privileged accounts, reset passwords, and reactivate default administrative profiles using native Windows utilities such as net.exe.

Persistence is further ensured through scheduled tasks and malicious services masquerading as legitimate processes such as svchost.exe, which execute batch scripts from hidden directories like %ProgramData%\Update to deploy payloads including the keylogger and the ransomware itself.

Crypto24 Ransomware Campaigns

According to the report, the attack chain begins with reconnaissance: a script such as 1.bat runs WMIC commands to enumerate disk partitions, physical memory, local user accounts, and group memberships, giving the attackers a complete system profile for targeted follow-on activity.

Privilege escalation follows, using runas.exe and PsExec to run elevated commands that add newly created users to the Administrators and Remote Desktop Users groups.

Defense evasion relies on a customized variant of RealBlindingEDR, an open-source tool that blinds EDR products by using a kernel driver to strip the callbacks security drivers register. In this variant the affected drivers include WdFilter.sys and MpKslDrv.sys (both Microsoft Defender components, not vulnerable third-party drivers), and the tool specifically targets products from vendors including Trend Micro, Kaspersky, and Bitdefender.

The tool, seen at paths like %USERPROFILE%\AppData\Local\Temp\Low\AVB.exe, selects which callbacks to remove based on the company name in each driver's metadata, which shows how well the actors know the security stacks they are up against.

Lateral movement exploits remote services, enabling RDP via registry modifications and firewall rules, while tools like IP scanners identify additional endpoints.

Credential access involves deploying WinMainSvc.dll as a keylogger service, which captures keystrokes, logs control keys, and uploads data to Google Drive using WinINet API calls after verifying functionality with test files.

Figure: the keylogger service creates a file named "Test.txt" and uploads it to Google Drive to confirm that the exfiltration channel works.

In later stages, attackers patch termsrv.dll to allow multiple RDP sessions, install TightVNC for enhanced remote control, and attempt ransomware deployment via MSRuntime.dll services.

When initial executions are blocked by security solutions, the adversaries fall back on abusing legitimate uninstallers such as XBCUninstaller.exe, launched through gpscript.exe from network shares. This is abuse of a legitimately signed tool on a host where the attackers already hold administrative access, not an inherent vulnerability in the product.

This sequence culminates in encryption and ransom notes, often preceded by data exfiltration and surveillance.
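The chain above leaves artifacts a responder can hunt for on a suspect host: service DLLs and scheduled tasks launched from user-writable paths, services dressed up as svchost.exe, new members of the Administrators and Remote Desktop Users groups, RDP switched on through the registry and firewall, and a modified termsrv.dll. The read-only PowerShell hunt below is an added example written for this page; it is not Trend Micro's tooling or any script from the campaign. The path patterns, the 30-day window, and the assumption that the built-in Administrator and Guest accounts are normally disabled are my choices and should be compared against your own baseline; every hit is a lead, not a verdict.

```powershell
# Added example (not from the report): hunt for the persistence and access
# artifacts described in the Crypto24 chain. Run in an elevated PowerShell 5.1+
# session on the suspect Windows host. Read-only; nothing is changed.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Services named like svchost that do not run the real binary, or whose
#    command line points at a script or a ProgramData/Temp/AppData path.
#    (Path patterns are an assumption; tune them to your environment.)
$realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    $looksLikeSvchost = ($_.Name -match 'svchost') -or ($_.DisplayName -match 'svchost')
    if ($looksLikeSvchost -and ($path -notlike "*$realSvchost*")) {
        Add-Finding 'Service' "$($_.Name) ($($_.DisplayName)) -> $path"
    }
    if ($path -match '\.(bat|cmd|vbs|ps1)\b' -or $path -match 'ProgramData|\\Temp\\|AppData') {
        Add-Finding 'Service' "$($_.Name) runs from suspicious path -> $path"
    }
}

# 2. svchost-hosted service DLLs outside the Windows directory. The keylogger
#    (WinMainSvc.dll) and loader (MSRuntime.dll) were installed as services.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if ($p -and $p.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
        if ($dll -notlike "$env:SystemRoot\*") { Add-Finding 'ServiceDll' "$($_.PSChildName) -> $dll" }
    }
}

# 3. Scheduled tasks whose actions launch from user-writable locations.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'ProgramData|\\Temp\\|AppData|\.(bat|cmd)\b') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 4. Who holds Administrators / Remote Desktop Users membership, and whether
#    the built-in Administrator (RID 500) or Guest (RID 501) has been re-enabled.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding "Group:$group" "$($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]"
    }
}
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $rid = $_.SID.Value.Split('-')[-1]
    if ($rid -in '500', '501') { Add-Finding 'BuiltinEnabled' "$($_.Name) (RID $rid) is enabled" }
}

# 5. Account, group, task and service creation events from the last 30 days.
#    4697 needs "Audit Security System Extension"; System 7045 is logged regardless.
$since = (Get-Date).AddDays(-30)
$ids = @{ 4720 = 'UserCreated'; 4732 = 'AddedToLocalGroup'; 4698 = 'TaskCreated'; 4697 = 'ServiceInstalled' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($ids.Keys); StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding $ids[$_.Id] ("{0:u} {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0]) }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'ServiceInstalled(7045)' ("{0:u} {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0]) }

# 6. RDP enabled via registry or firewall, and a termsrv.dll that no longer
#    passes signature (catalog) validation, as a patched copy would not.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($rdp -and $rdp.fDenyTSConnections -eq 0) { Add-Finding 'RDP' 'fDenyTSConnections=0 (RDP enabled)' }
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Enabled)" -eq 'True' } |
    ForEach-Object { Add-Finding 'RDP' "Firewall rule enabled: $($_.DisplayName)" }
$termsrv = Get-AuthenticodeSignature (Join-Path $env:SystemRoot 'System32\termsrv.dll')
if ($termsrv.Status -ne 'Valid') { Add-Finding 'RDP' "termsrv.dll signature status: $($termsrv.Status)" }

$findings | Sort-Object Category | Format-Table -AutoSize -Wrap
```

Run it once on a known-clean build of the same image first and diff the two outputs; legitimate agents do install service DLLs and tasks under ProgramData, and on Windows Server the built-in Administrator is enabled by default, so the value is in the delta from baseline rather than in any single line.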

Defensive Recommendations

To counter such adaptive threats, organizations must prioritize robust security configurations, including enabling agent self-protection features to prevent tampering with EDR agents and adhering to the principle of least privilege.

Implementing a Zero Trust framework, with continuous verification of access, alongside regular audits of privileged accounts, scheduled tasks, and service creations, can disrupt persistence mechanisms.

Limiting RDP and remote tool usage, enforcing multi-factor authentication (MFA), and monitoring for anomalous uses of LOLBins like sc.exe or reg.exe are essential.
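Monitoring for anomalous LOLBin use works best as a small set of explicit rules applied to process command lines, because the individual commands in this campaign (net.exe account creation, reg.exe enabling RDP, sc.exe registering a service from ProgramData, WMIC enumeration) are each legitimate on their own and only stand out by their arguments. The block below is an added example for this page, not detection content from Trend Micro or the report; the rule names, regular expressions and sample command lines are all constructed here to mirror the behaviour described above, and the rule set goes slightly beyond the page by also covering PsExec/runas and the termsrv.dll modification.

```powershell
# Added example (not from the report): rule-based triage of process command
# lines for the native-tool abuse seen in the Crypto24 chain. Rules and
# samples are constructed for illustration; tune both to your environment.

$Rules = @(
    @{ Name = 'LocalAccountCreated';   Pattern = '(?i)\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b' }
    @{ Name = 'AccountReactivated';    Pattern = '(?i)\bnet1?(\.exe)?\s+user\s+\S+\s+/active:yes\b' }
    @{ Name = 'PrivilegedGroupAdd';    Pattern = '(?i)\bnet1?(\.exe)?\s+localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add\b' }
    @{ Name = 'RdpEnabledViaRegistry'; Pattern = '(?i)\breg(\.exe)?\s+add\b.*fDenyTSConnections.*/d\s+0\b' }
    @{ Name = 'RdpFirewallOpened';     Pattern = '(?i)\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=yes' }
    @{ Name = 'ServiceFromUserPath';   Pattern = '(?i)\bsc(\.exe)?\s+create\b.*binpath=.*(programdata|\\temp\\|appdata)' }
    @{ Name = 'TaskFromUserPath';      Pattern = '(?i)\bschtasks(\.exe)?\s+/create\b.*/tr\s+"?[^"]*(programdata|\\temp\\|appdata|\.bat)' }
    @{ Name = 'WmicRecon';             Pattern = '(?i)\bwmic(\.exe)?\s+(useraccount|group|logicaldisk|partition|memorychip|os)\b' }
    @{ Name = 'RemoteExecTool';        Pattern = '(?i)\b(psexec|psexesvc|paexec)(\.exe)?\b|\brunas(\.exe)?\s+/user:' }
    @{ Name = 'RdpSessionPatch';       Pattern = '(?i)termsrv\.dll' }
)

# Emit one object per (rule, command line) match; a line can trip several rules.
function Get-LolbinHits {
    param([Parameter(ValueFromPipeline)][string]$CommandLine)
    process {
        foreach ($r in $Rules) {
            if ($CommandLine -match $r.Pattern) {
                [pscustomobject]@{ Rule = $r.Name; CommandLine = $CommandLine }
            }
        }
    }
}

# Constructed sample command lines modelled on the behaviour described above
# (account names, passwords and paths are made up).
$Samples = @(
    'net user svc_backup P@ssw0rd! /add',
    'net localgroup Administrators svc_backup /add',
    'net localgroup "Remote Desktop Users" svc_backup /add',
    'net user Administrator /active:yes',
    'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'netsh advfirewall firewall set rule group="remote desktop" new enable=yes',
    'sc create WinMainSvc binpath= "C:\ProgramData\Update\1.bat" start= auto',
    'schtasks /create /tn Update /tr "C:\ProgramData\Update\1.bat" /sc onlogon',
    'wmic useraccount get name,sid',
    'cmd.exe /c dir C:\Users'   # benign control line; produces no hit
)
$Samples | Get-LolbinHits | Format-Table -AutoSize -Wrap

# Against live data (requires process-creation auditing with command-line
# logging enabled; in event 4688 the command line is property index 8):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { $_.Properties[8].Value } | Get-LolbinHits
```

The same patterns port directly to Sysmon event 1 or to an EDR's process telemetry; what matters is keeping each rule tied to a specific argument pattern rather than to the binary name, so that ordinary administrative use of net.exe or reg.exe does not drown the alert.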

Keeping offline backups, ensuring up-to-date security solutions, and training users on phishing risks further bolster defenses.

Rapid incident response, including proactive hunting for IOCs like unusual outbound traffic to cloud services, remains critical to mitigating the prolonged dwell times that enable extensive reconnaissance and exfiltration in Crypto24 operations.

As ransomware groups evolve to study and bypass defenses, agile adaptation of cybersecurity postures is imperative for enterprise resilience.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.