
Crypto24 ransomware uses custom “EDR-blinding” tool to hit high-value targets
A threat group tracked as Crypto24 is attacking large organizations across the U.S., Europe, and Asia, aiming at finance, manufacturing, entertainment, and technology firms. First discussed publicly on security forums in September 2024, the group has since shown mature tradecraft, according to researchers monitoring its campaigns.


How they gain and keep access

After breaking in, the attackers enable built-in administrator accounts on Windows machines or create new local admins to keep a quiet foothold. They run a scripted recon phase that lists user accounts, profiles hardware, and maps disks. For persistence, they add malicious Windows services and scheduled tasks, most notably:

WinMainSvc: a keylogger that pretends to be “Microsoft Help Manager,” recording active window titles and keystrokes (including Ctrl/Alt/Shift and function keys).

MSRuntime: a loader that later launches the file-encrypting payload.


How they bypass security tools

Crypto24 deploys a customized version of the open-source RealBlindingEDR utility to neutralize endpoint detection and response (EDR) products. The tool reads a driver’s metadata to extract the vendor name, compares it to a built-in list, and, on a match, tampers with kernel callbacks/hooks to “blind” detections. Vendors targeted include Trend Micro, Kaspersky, Sophos, SentinelOne, Malwarebytes, Cynet, McAfee, Bitdefender, Broadcom (Symantec), Cisco, Fortinet, and Acronis.

On systems running Trend Micro, once the operators hold admin rights they have been seen launching the legitimate XBCUninstaller.exe (Trend Vision One's uninstaller) via gpscript.exe (a Group Policy script runner). The tool is intended for support tasks such as cleaning up inconsistent agents, but here it is repurposed to remove protections so follow-on payloads can run undetected.


How they move and what they steal

For lateral movement, the intruders rely on SMB shares to copy tools and spread across the network. Before encryption, they exfiltrate data to Google Drive, using a custom program that calls the Windows WinINET API to talk to the cloud service. This gives them an off-network stash of sensitive files for double-extortion.


What remains unknown

Researchers have not yet published details about the final ransomware stage, such as the encryption method, ransom note, payment channel, or any language/branding clues. However, they have released indicators of compromise (IOCs) to help defenders detect and block the intrusions earlier in the kill chain.


Why it matters

Crypto24 blends custom malware with “living-off-the-land” techniques and legitimate admin tools, making alerts easier to miss. Organizations should harden admin account policies, monitor for suspicious driver tampering and service creation, restrict outbound cloud traffic where possible, and use the published IOCs to hunt proactively.