This report is an overview of the crypter-as-a-service HCrypt. Similar to ransomware-as-a-service, HCrypt is sold to less technically skilled malicious actors. The end goal of the malware is installation of a user-defined RAT (remote access trojan) on the victim machine. Creation and sale of the malware have been attributed to the malware author NYANxCAT, who is also credited with writing MassLogger, AsyncRAT, and LimeRAT.
HCrypt Tactics, Techniques, and Procedures
As is frequently seen with malware campaigns, phishing is the initial attack vector for this malware. HCrypt relies on user-defined C&C (command and control) infrastructure to execute the attack. In total, Morphisec identifies six stages of HCrypt. The final stage injects the user-defined RAT through a technique known as Process Hollowing to evade detection: a legitimate executable is started in a suspended state, its in-memory image is replaced with the RAT, and the process is resumed, so the payload runs under a trusted process name and path.
Business Unit Impact
- Infection leads to endpoint compromise, giving the attacker control over the host and the data available on it.
- May lead to data exfiltration.
- May provide malicious actors with an initial foothold to move laterally to more sensitive endpoints, such as production servers or domain controllers.
- Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
- Implement policies and controls (email scanning/filtering) to prevent phishing emails from reaching end users and their devices.
- Enable and collect enhanced PowerShell logs (e.g., script block logging) to monitor for malicious code execution.
- We recommend blocking the IOCs linked below:
- Tracking HCrypt: An Active Crypter-as-a-Service
- Possible Identity of a Kuwait Hacker NYANxCAT
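The following is an added example, not code from the Avertium or Morphisec reports, showing how the PowerShell logging recommendation above can be put into practice: it enables script block logging through the policy registry key, hunts recent event ID 4104 records for loader-style strings, and lists scheduled tasks that launch PowerShell (the persistence technique, T1053, listed below). The string list is a generic heuristic for PowerShell-based loaders and in-memory injection, not an HCrypt signature; the seven-day window and the preview length are arbitrary choices. Run as Administrator on the host being checked.

```powershell
# Added example (not from the Avertium/Morphisec reports). Enables PowerShell
# script block logging and hunts the Operational log for patterns commonly
# seen in PowerShell loaders. The pattern list is an assumption, not an IOC.

# --- 1. Enable script block logging (same key Group Policy writes) ---
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblPath)) { New-Item -Path $sblPath -Force | Out-Null }
Set-ItemProperty -Path $sblPath -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging for all modules gives pipeline-level detail (event ID 4103).
$modPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
if (-not (Test-Path $modPath)) { New-Item -Path $modPath -Force | Out-Null }
Set-ItemProperty -Path $modPath -Name 'EnableModuleLogging' -Value 1 -Type DWord
$modNames = Join-Path $modPath 'ModuleNames'
if (-not (Test-Path $modNames)) { New-Item -Path $modNames -Force | Out-Null }
Set-ItemProperty -Path $modNames -Name '*' -Value '*'

# --- 2. Hunt recent 4104 events for loader / injection strings ---
# Assumed heuristic: base64 decoding, download cradles, and the Win32 API names
# a PowerShell-driven process-hollowing stub would declare via Add-Type.
$patterns = @(
    'FromBase64String', 'Invoke-Expression', 'DownloadString', '-EncodedCommand',
    'Add-Type', 'VirtualAlloc', 'WriteProcessMemory', 'NtUnmapViewOfSection',
    'SetThreadContext', 'ResumeThread'
)
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # 4104 property layout: [0] MessageNumber, [1] MessageTotal,
    # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
    $text    = [string]$e.Properties[2].Value
    $matched = $patterns | Where-Object { $text -match [regex]::Escape($_) }
    if ($matched) {
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            ScriptBlockId = $e.Properties[3].Value
            Matched       = ($matched -join ',')
            Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}
Write-Host "Script blocks matching heuristic patterns since ${since}:"
$hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# --- 3. Scheduled tasks whose action launches PowerShell (T1053 persistence) ---
Write-Host 'Scheduled tasks that execute PowerShell:'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' } | ForEach-Object {
        [pscustomobject]@{
            Task      = $task.TaskName
            Path      = $task.TaskPath
            Execute   = $_.Execute
            Arguments = $_.Arguments
        }
    }
} | Format-Table -AutoSize
```

Script blocks longer than the event size limit are split across several 4104 records that share a ScriptBlockId, so group on that field before judging a hit. Expect legitimate administration and software-deployment scripts to trigger some of these patterns; the value of the list is in surfacing candidates for review, not in blocking on its own.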
MITRE ATT&CK Techniques
- Phishing: https://attack.mitre.org/techniques/T1566/
- Command and Scripting Interpreter: https://attack.mitre.org/techniques/T1059/
- PowerShell: https://attack.mitre.org/techniques/T1059/001/
- Scheduled Task/Job: https://attack.mitre.org/techniques/T1053/
- Process Injection: https://attack.mitre.org/techniques/T1055/
- Process Hollowing: https://attack.mitre.org/techniques/T1055/001/
- Application Layer Protocol: https://attack.mitre.org/techniques/T1071/
- Web Protocols: https://attack.mitre.org/techniques/T1071/001/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.