Full Report
During a recent security alert, the LevelBlue MDR SOC successfully triaged and contained a structured, multi-stage infection chain designed to deliver the CrySome remote access trojan (RAT). The incident was subsequently analyzed in depth by LevelBlue's Threat Hunting Operations and Research (THOR) team, whose reverse engineering and malware analysis reconstructed the full infection chain and determined that initial access was achieved through a targeted spear-phishing lure masquerading as a logistics rate confirmation document, leveraging expected business workflows to trick the recipient into executing the initial payload.
Analysis Summary
# Tool/Technique: CrySome RAT Infection Chain
## Overview
The CrySome RAT infection chain is a sophisticated, multi-stage attack designed to deploy a persistent Remote Access Trojan (RAT). It utilizes a combination of spear-phishing, Living-off-the-Land (LotL) techniques, and specialized defense evasion tools to bypass modern security controls like AMSI and Microsoft Defender.
## Technical Details
- **Type:** Malware Family (RAT) / Multi-stage Infection Chain
- **Platform:** Windows
- **Capabilities:** Remote command execution, credential theft, hidden VNC (hVNC), and defense disruption.
- **First Seen:** July 2026 (Reported)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
- [T1059.001 - Command and Scripting Interpreter: PowerShell]
- [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0004 - Privilege Escalation]**
- [T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control] (via ICMLuaUtil)
- **[TA0005 - Defense Evasion]**
- [T1562.001 - Impair Defenses: Disable or Modify Tools] (WinDefCtl/IFEO manipulation)
- [T1055 - Process Injection]
- [T1622 - Debugger Evasion] (AMSI patching)
- **[TA0006 - Credential Access]**
- [T1555.003 - Credentials from Web Browsers]
- **[TA0011 - Command and Control]**
- [T1219 - Remote Access Software]
- [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- **Remote Access:** Full system control via Hidden Virtual Network Computing (hVNC).
- **Remote Command Execution (RCE):** Ability to execute arbitrary commands via PowerShell or Command Shell.
- **System Reconnaissance:** Gathering host information and environment details.
- **Credential Theft:** A specialized module (`abe_decrypt.dll`) targets Chromium-based browsers, terminating processes to extract passwords and session cookies.
### Advanced Features
- **Silent UAC Bypass:** Leverages the `ICMLuaUtil` COM interface to gain administrative privileges without user prompts.
- **AMSI Patching:** Performs in-memory patching of the Antimalware Scan Interface to prevent the scanning of malicious PowerShell scripts.
- **Defense Disruption:** Integrates **WinDefCtl**, an open-source tool that uses a kernel driver (`kvckiller.sys`) and Image File Execution Options (IFEO) to disable Microsoft Defender.
## Indicators of Compromise
- **File Hashes:**
- `ElevatorShellCode.exe` (aka `es.exe`)
- `kvckiller.sys` (Kernel driver)
- `abe_decrypt.dll` (Credential stealer)
- **File Names:**
- `ยง Rate_Confirmation_LD-2026-0847.bat`
- `es.exe`
- `svchost.exe` (Fake instance running from %TEMP%)
- **Network Indicators:**
- `hxxps://signindat[.]com` (Fake portal)
- `loadofferstender@gmail[.]com` (Phishing sender)
- **Behavioral Indicators:**
- PowerShell execution with `-ExecutionPolicy Bypass`.
- Unauthorized manipulation of Image File Execution Options (IFEO).
- Termination of browser processes (`chrome.exe`, `msedge.exe`) followed by DLL injection.
## Associated Threat Actors
- Unknown (Targeted logistics sector lure).
## Detection Methods
- **Signature-based:** Monitoring for known hashes of WinDefCtl components and the `kvckiller.sys` driver.
- **Behavioral:**
- Detecting the elevation of privileges via `ICMLuaUtil`.
- Alerting on PowerShell processes attempting to patch memory (AMSI bypass).
- Monitoring for `svchost.exe` executing from non-standard paths like `%TEMP%`.
- **YARA:** Target strings related to "ElevatorShellCode" and the specific AMSI patching logic found in Stage 1.
## Mitigation Strategies
- **Email Security:** Implement robust phishing filters to block high-risk attachments (.bat) and suspicious links.
- **Endpoint Hardening:**
- Enforce PowerShell Constrained Language Mode.
- Disable or restrict the use of COM interfaces commonly used for UAC bypass.
- **Access Control:** Follow the principle of least privilege to limit the impact of successful initial execution.
- **Monitoring:** Enable "Audit Process Creation" and "Audit PowerShell Script Block Logging."
## Related Tools/Techniques
- **WinDefCtl:** Open-source utility for disrupting Microsoft Defender.
- **LOTL (Living off the Land):** Extensive use of native Windows binaries to minimize the footprint of the attack.