The Crypto24 ransomware group actively uses custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files.
Initially, the threat group’s earliest activity surfaced on BleepingComputer forums in September 2024; however, it never reached notable levels of notoriety.
Furthermore, according to Trend Micro researchers who track Crypto24’s operations, the hackers have targeted several large organizations in the United States, Europe, and Asia. They focus specifically on high-value targets in the finance, manufacturing, entertainment, and tech sectors.
Moreover, the security researchers report that Crypto24 demonstrates significant knowledge and expertise, suggesting a high likelihood that it formed from former core members of now-defunct ransomware operations.
Post-compromise activity
After gaining initial access, Crypto24 hackers activate default administrative accounts on Windows systems within enterprise environments or create new local user accounts to ensure stealthy, persistent access.
Following this, they conduct a reconnaissance phase using a custom batch file and commands that enumerate accounts, profile system hardware, and analyze the disk layout. Subsequently, the attacker creates malicious Windows services and scheduled tasks to maintain persistence.
The first service, WinMainSvc, acts as a keylogger, while the second, MSRuntime, serves as a ransomware loader.
Commands and processes used for escalating privileges
Source: Trend Micro
Next, Crypto24 operators employ a custom variant of the open-source tool RealBlindingEDR, which specifically targets security agents from multiple vendors by disabling their kernel drivers. The affected vendors include:
- Trend Micro
- Kaspersky
- Sophos
- SentinelOne
- Malwarebytes
- Cynet
- McAfee
- Bitdefender
- Broadcom (Symantec)
- Cisco
- Fortinet
- Acronis
Crypto24’s custom RealBlindingEDR extracts the company name from the driver’s metadata and compares it to a hardcoded list. If there’s a match, it disables kernel-level hooks and callbacks to “blind” detection engines.
Concerning Trend Micro products specifically, the report mentions that if the attacker has administrator privileges, they run a batch script that invokes the legitimate ‘XBCUninstaller.exe’ to uninstall Trend Vision One.
“We observed cases where attackers executed the Trend Vision One uninstaller, XBCUninstaller.exe, via gpscript.exe,” Trend Micro researchers say.
“The file in question is a legitimate tool provided by Trend Micro for troubleshooting, specifically to resolve issues such as fixing inconsistent agents within Trend Vision One deployments.”
“Its intended use is to cleanly uninstall Endpoint BaseCamp when required for maintenance or support.”
Trend Vision One
This tool essentially prevents the detection of follow-on payloads like the keylogger (WinMainSvc.dll) and the ransomware (MSRuntime.dll), both of which are custom tools.
The keylogger, which masquerades as “Microsoft Help Manager,” logs both active window titles and keypresses, including control keys (Ctrl, Alt, Shift, function keys).
Additionally, the attackers use SMB shares for lateral movement and staging files for extraction.
All stolen data is exfiltrated to Google Drive using a custom tool that leverages the WinINET API to interact with Google’s service.
Moreover, the ransomware payload executes after deleting volume shadow copies on Windows systems to prevent easy recovery.
Overview of a Crypto24 attack
Source: Trend Micro
However, Trend Micro does not provide any details about the ransomware aspect of the attack, such as the encryption scheme, the ransom notes, communication methods, targeted file paths, language, or branding clues.
Finally, the cybersecurity company has shared a list of indicators of compromise at the end of the report that other defenders can use to detect and block Crypto24 ransomware attacks before they reach the ultimate stages.
Source: BleepingComputer, Bill Toulas
Read more at Impreza News
