Full Report
A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. [...]
Analysis Summary
# Threat Actor: EncryptHub (and associated activity group LARVA-208)
## Attribution & Identity
The activity described is attributed to the threat actor **EncryptHub**. Researchers also refer to the spear-phishing aspect of their operation as **LARVA-208**. The actor is described as sophisticated, tailoring each attack for effectiveness and achieving high-value breaches of large organizations.
## Activity Summary
EncryptHub has been linked to the breach of **618 organizations**. Their operations involve deploying infostealers followed by ransomware. They utilize sophisticated social engineering tactics (spear-phishing) and advanced obfuscation methods to evade detection and compromise high-value targets.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Use of highly customized social engineering tactics (spear-phishing) and meticulously crafted lures.
- **Command and Control (C2):** Utilizing custom PowerShell scripts for remote control and maintaining long-term access.
- **Lateral Movement:** Implied capability to move laterally within compromised networks.
- **Information Theft:** Deployment of various infostealers, including **Stealc, Rhadamanthys, and Fickle Stealer**, often via custom PowerShell scripts. Python scripts are used for similar data exfiltration on Linux/Mac systems.
- **Data Staging:** Attempting to steal large amounts of sensitive data, including credentials, session cookies, and cryptocurrency wallet passphrases.
- **Exfiltration Targeting:** Specifically targeting data related to cryptocurrency wallets (MetaMask, Coinbase, Trezor, etc.), VPN configurations (Cisco VPN, FortiClient, OpenVPN), and password manager data (1Password, LastPass, KeePassXC, etc.). Also targets files matching keywords like "pass," "wallet," "seedphrase," "2fa," and "secret."
- **Impact/Encryption:** Deploying ransomware, described as a custom PowerShell-based encryptor that uses **AES** encryption and appends the **".crypted"** extension, deleting original files.
## Targeting
- **Sectors:** Not explicitly detailed, but noted for achieving high-value breaches on **large organizations**.
- **Geography:** Not specified in the description.
- **Victims:** 618 organizations breached in total. Specific organization names are not provided in the summary text.
## Tools & Infrastructure
- **Malware Families/Tools:**
  - Infostealers: Stealc, Rhadamanthys, Fickle Stealer.
  - Custom PowerShell scripts (for C2/deployment).
  - Custom Python scripts (for Linux/Mac systems).
  - Custom PowerShell-based ransomware encryptor (uses AES).
- **Infrastructure:**
  - Ransom note demands payment via **Telegram**.
  - No explicit C2 domains or IPs were provided in the context snippet.
## Implications
EncryptHub (LARVA-208) represents a significant, sophisticated threat actor with a demonstrated capability to bypass security measures through advanced social engineering and obfuscation. Their focus on high-value targets and the comprehensive exfiltration of credentials, VPN keys, and cryptocurrency data suggests strong financial motivation and the capability for significant follow-on attacks.
## Mitigations
- Implement stronger email filtering and security awareness training focused on sophisticated spear-phishing lures.
- Use Endpoint Detection and Response (EDR) solutions capable of detecting anomalous PowerShell execution and script obfuscation methods.
- Strictly limit the scope of data accessible to standard user accounts to reduce the overall potential for credential theft.
- Monitor for signs of post-exploitation activity, particularly the use of known infostealer payloads or PowerShell execution patterns associated with C2 activity.
- Ensure regular, offline backups are maintained in case of ransomware deployment.
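As an added example (not part of the original report), a small Python hunting heuristic for the two behaviours described above, run over constructed Sysmon-style FileCreate (EventID 11) lines: it flags a burst of ".crypted" file creations by a single process (the PowerShell encryptor) and a PowerShell process writing a file whose name carries one of the keywords the actor searches for. The event line format, the burst threshold and window, and the sample paths and PIDs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords the report says the actor hunts for, and the extension its encryptor appends.
SENSITIVE_KEYWORDS = ("pass", "wallet", "seedphrase", "2fa", "secret")
RANSOM_EXT = ".crypted"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed Sysmon-style FileCreate (EventID 11) lines; not real telemetry.
SAMPLE_EVENTS = "\n".join([
    rf"2024-05-01T09:30:00Z EventID=11 Image={PS} PID=3980 TargetFilename=C:\Users\a\AppData\Local\Temp\wallet_seedphrase.txt",
    rf"2024-05-01T09:31:00Z EventID=11 Image={WORD} PID=2200 TargetFilename=C:\Users\a\Documents\notes.docx",
    rf"2024-05-01T10:00:01Z EventID=11 Image={PS} PID=4120 TargetFilename=C:\Users\a\Documents\budget.xlsx.crypted",
    rf"2024-05-01T10:00:02Z EventID=11 Image={PS} PID=4120 TargetFilename=C:\Users\a\Documents\plan.docx.crypted",
    rf"2024-05-01T10:00:02Z EventID=11 Image={PS} PID=4120 TargetFilename=C:\Users\a\Pictures\img1.jpg.crypted",
    rf"2024-05-01T10:00:03Z EventID=11 Image={PS} PID=4120 TargetFilename=C:\Users\a\Pictures\img2.jpg.crypted",
    rf"2024-05-01T10:00:03Z EventID=11 Image={PS} PID=4120 TargetFilename=C:\Users\a\Pictures\img3.jpg.crypted",
])

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) Image=(.+?) PID=(\d+) TargetFilename=(.+)$")

def parse(line):
    """Return (ts, event_id, image, pid, path), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def detect(events, burst=5, window=timedelta(seconds=10)):
    """Flag (a) >= `burst` .crypted creations by one PID inside `window` and
    (b) PowerShell writing a file whose name carries a sensitive keyword."""
    alerts, crypted = [], defaultdict(list)  # pid -> recent .crypted timestamps
    for line in events.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != 11:      # only FileCreate events
            continue
        ts, _, image, pid, path = rec
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(RANSOM_EXT):
            recent = [t for t in crypted[pid] if ts - t <= window] + [ts]
            crypted[pid] = recent
            if len(recent) >= burst:
                alerts.append(("ransomware-burst", pid, image))
                crypted[pid] = []            # fire once per burst
        elif image.lower().endswith("powershell.exe") and any(k in name for k in SENSITIVE_KEYWORDS):
            alerts.append(("sensitive-file-staged", pid, path))
    return alerts
```

The keyword match is deliberately loose (it will also hit names such as "bypass"), so treat it as a hunting lead to be triaged alongside script-block logging rather than a standalone blocking rule.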