Trend Micro researchers stumbled upon a fileless attack campaign that is leveraging a new crypter to propagate Remote Access Trojans (RATs). The RATs include BitRat, NjRat, LimeRat, Warzone, QuasarRat, and Nanocore RAT. The campaign was the most active in August.

Campaign overview

  • The attackers hosted phishing kits in infected WordPress websites. The malware was hosted in file hosting services.
  • The malicious file is an ISO image disseminated via either the websites or phishing emails.
  • Subsequently, an obfuscated PowerShell script carries the payloads and infuses them into the assigned processes.

About HCrypt

  • Water Basilisk leverages HCrypt version 7.8, a crypter-as-a-service, which is for sale on underground markets for $199.
  • HCrypt is used to build obfuscated PowerShell and VBScripts to deploy the final payloads.
  • This latest version of the crypter features encryption updates for PDF phishing payloads, BTC stealers, JS and VBS payloads, and Windows 10 Defender disabling.

The rise of crypter-as-a-service

The rising popularity of crypter-as-a-service indicates that malware authors are designing and selling code to wannabe threat actors or attackers with less technical sophistication. Consequently, financially motivated attackers can launch better attacks if there’s money to spend.

The bottom line

Crypter tools such as HCrypt can be used to propagate malware, as displayed by this campaign. HCrypt is undergoing active development and researchers expect more versions of it to pop up, which would be able to distribute more RAT strains. It is also anticipated that the obfuscation algorithm will be updated to evade detection. As phishing emails are still the most common attack vector, organizations should stay vigilant and train employees on cybersecurity hygiene.

Cyware Publisher