The threat actor Crystalray, previously observed using SSH-Snake, has significantly expanded operations, targeting over 1,500 victims.
Employing mass scanning, exploiting multiple vulnerabilities, and utilizing tools like zmap, asn, httpx, nuclei, platypus, and SSH-Snake, CRYSTALRAY aims to steal and sell credentials, deploy cryptominers, and persist within victim environments.
The self-modifying SSH-Snake worm aids in lateral movement and credential discovery, enhancing stealth and efficiency compared to traditional SSH worms.
Crystalray leverages the ASN tool from ProjectDiscovery to gather network intelligence efficiently, and by querying Shodan for data on specified countries, it generates precise IPv4 and IPv6 CIDR blocks using Marcel Bischoff’s country-ip-blocks repository.
This targeted scanning approach allows for comprehensive reconnaissance without directly probing target systems, providing detailed information on open ports, vulnerabilities, software, and hardware.
The attacker automates this process using a combination of ASN, jq, and shell scripting to create scannable IP lists for specific countries, enhancing operational efficiency.
By leveraging zmap, a high-speed network scanner, attackers efficiently scan a large IP range for specific ports associated with known vulnerable services like ActiveMQ, WebLogic, and Solr.
By customizing zmap with advanced options and filtering results, the attacker optimized the scan for speed and accuracy.
Subsequently, httpx, a rapid HTTP toolkit, was employed to validate live hosts from the zmap results and gather additional information, expediting the identification of potential targets for further exploitation, researchers said.
Crystalray employs a multi-stage attack process built on open-source tools: zmap for port scanning, followed by httpx for HTTP probing, and then nuclei, a vulnerability scanner, to identify exploitable vulnerabilities, primarily Confluence-related CVEs.
To evade detection, nuclei is also used to detect honeypots. The attacker then modifies publicly available proof-of-concept exploits to inject their malicious payload, often Platypus or Sliver clients, targeting vulnerable systems.
The group employs SSH-Snake, an open-source worm, to propagate across a victim’s network using discovered SSH keys and credentials, exfiltrating captured keys and bash histories.
Additionally, the threat actor searches for credentials in environment variables, leveraging found credentials for lateral movement to cloud platforms and subsequent sales on black markets.
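As a defender-side illustration of the SSH-based lateral movement described above, here is an added detection example (not code from the report or from Sysdig) that parses constructed sshd log lines and flags any source that opens key-based sessions to several distinct hosts within a short window, the fan-out pattern a worm such as SSH-Snake produces; the log lines, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth log (not from the report): two internal sources
# each fan out over several hosts within seconds, plus one normal admin login.
SAMPLE_AUTH_LOG = """\
Jul 10 02:14:05 web01 sshd[4120]: Accepted publickey for deploy from 10.0.1.5 port 51022 ssh2: RSA SHA256:k1
Jul 10 02:14:09 db01 sshd[2210]: Accepted publickey for deploy from 10.0.1.5 port 51030 ssh2: RSA SHA256:k1
Jul 10 02:14:12 cache01 sshd[871]: Accepted publickey for root from 10.0.1.5 port 51041 ssh2: RSA SHA256:k2
Jul 10 02:14:15 build01 sshd[990]: Accepted publickey for deploy from 10.0.1.5 port 51052 ssh2: RSA SHA256:k1
Jul 10 02:14:40 app02 sshd[1332]: Accepted publickey for deploy from 10.0.2.11 port 40012 ssh2: RSA SHA256:k1
Jul 10 02:14:44 app03 sshd[1340]: Accepted publickey for deploy from 10.0.2.11 port 40020 ssh2: RSA SHA256:k1
Jul 10 02:14:48 app04 sshd[1351]: Accepted publickey for deploy from 10.0.2.11 port 40031 ssh2: RSA SHA256:k1
Jul 10 09:30:00 web01 sshd[5001]: Accepted publickey for alice from 10.0.9.2 port 60000 ssh2: RSA SHA256:k9
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)

def parse_logins(text):
    """Yield (timestamp, src_ip, dst_host, user) for each accepted SSH login."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            # syslog timestamps carry no year; fine for intra-day deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["src"], m["host"], m["user"]

def detect_ssh_fanout(text, min_targets=3, window_s=60):
    """Flag sources that reach >= min_targets distinct hosts within window_s."""
    by_src = defaultdict(list)
    for ts, src, host, _user in parse_logins(text):
        by_src[src].append((ts, host))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if (t - start).total_seconds() <= window_s}
            if len(hosts) >= min_targets:
                alerts.append({"src": src, "first_seen": start.strftime("%H:%M:%S"),
                               "targets": sorted(hosts)})
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for a in detect_ssh_fanout(SAMPLE_AUTH_LOG):
        print(f"{a['src']} reached {len(a['targets'])} hosts from {a['first_seen']}: {a['targets']}")
```

Correlating the source IP with the host that was itself logged into moments earlier (app02 after a login from 10.0.1.5, for example) turns these per-source alerts into a propagation chain, which is the signal worth escalating.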
Crystalray is a threat actor that utilizes open-source tools to compromise systems and exfiltrate sensitive data. Its toolset includes bash command history extraction, Sliver for persistence, and Platypus for command-and-control.
The group aggressively collects and stores command histories to mine for credentials and tokens, and they leverage the Sliver framework for maintaining persistent access and lateral movement while using Platypus to manage compromised systems.
According to Sysdig, it compromises systems to steal credentials for various services, including cloud and SaaS providers, which are then sold on black markets and stored on the attacker’s C2 server.
It also deploys cryptominers to monetize compromised systems, using both older, less sophisticated scripts and newer, more complex configurations, which terminate competing cryptominers on infected hosts.