The discovered infrastructure comprises domains used for distributing payloads and additional IP addresses linked to GrayAlpha. Insikt Group found a custom PowerShell loader called PowerNet, which decompresses and launches NetSupport RAT. Insikt Group also discovered another custom loader called MaskBat, which shares similarities with FakeBat but is obfuscated and contains strings linked to GrayAlpha.
The experts identified three primary infection vectors:
- Traffic distribution system (TDS) Tag-124
- Fake 7-Zip download site
- Fake browser update pages
All three infection vectors were used simultaneously, and a detailed analysis by the experts revealed an individual alleged to be a member of the GrayAlpha operation.
Individuals and organizations are advised to implement application allow-lists to block the download of authentic-looking spoofed files that carry malware. Where allow-lists are not feasible, thorough employee security training is essential, particularly in recognizing malvertising. In addition, the detection rules provided in this report, such as the YARA rules and Malware Intelligence Hunting queries, are important for identifying both current and past compromises. Because malware evolves continuously, these rules should be updated regularly and combined with broader detection techniques, such as monitoring of network artifacts and use of Recorded Future Network Intelligence.
Going forward, defenders should monitor the wider cybercriminal ecosystem to better anticipate and address emerging threats. The constant advancement of the cybercrime industry raises the likelihood of attacks against organizations. APT operations are generally attributed to state-sponsored entities, but GrayAlpha shows that criminal threat actors can display the same level of persistence. As with the ransomware-as-a-service (RaaS) model, threat actors are becoming more sophisticated day by day, increasing the need for adaptive and comprehensive security measures.