This report is an overview of the crypter-as-a-service HCrypt. Similar to ransomware-as-a-service, HCrypt is sold to less technical malicious actors. The end goal of this malware is the installation of a user-defined RAT (remote access trojan) on the victim machine. The creation and sale of the malware have been attributed to malware author NYANxCAT, who is also credited with writing MassLogger, AsyncRAT, and LimeRAT.
As is frequently seen with malware campaigns, phishing is the initial attack vector for this malware. HCrypt relies on user-defined C&C (command and control) infrastructure to execute the attack. In total, Morphisec identifies six stages of HCrypt.
The purpose of the initial phishing email is to deliver a JavaScript file as an attachment or link, although the file could theoretically be delivered by means other than phishing. The JavaScript contains code to download additional files from the C&C server for use in later stages of the attack. Attacks analyzed so far show that the files downloaded from the C&C server follow a consistent naming scheme, such as encoding.txt, ALL.txt, Startup.txt, and Server.txt. These files are used to execute malicious PowerShell commands and to set up persistence on the victim machine.
Once the malicious JavaScript has downloaded its components from the C&C server, it attempts to establish persistence (observed as a scheduled task), bypass any anti-virus software installed on the host, and execute a PowerShell script. The PowerShell stage ultimately attempts to install the user-defined RAT using a technique known as process hollowing in order to evade detection.
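As an added example (not code from the Avertium report or from Morphisec's analysis), the Python below shows how the chain described above could be surfaced from telemetry: it flags proxy requests for the stage-file names listed above and a script host creating a scheduled task that runs PowerShell, then reports hosts where both appear. The key=value event format, host names and the .invalid C&C domain are constructed for the example.

```python
import re
from collections import defaultdict

# Stage-file names the report lists as the crypter's consistent naming scheme.
STAGE_FILES = {"encoding.txt", "all.txt", "startup.txt", "server.txt"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry in a simplified key=value form (not real logs).
SAMPLE_EVENTS = [
    'host=WS01 type=proxy url=http://c2.example.invalid/encoding.txt',
    'host=WS01 type=proxy url=http://c2.example.invalid/ALL.txt',
    'host=WS01 type=proc parent=wscript.exe image=schtasks.exe '
    'cmd="schtasks /create /tn Update /tr powershell.exe /sc minute"',
    'host=WS02 type=proc parent=explorer.exe image=powershell.exe cmd="powershell Get-Date"',
    'host=WS03 type=proxy url=http://fileshare.example.invalid/Server.txt',
]

def parse_event(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_stage_download(ev):
    """True if a proxy event fetched one of the named stage files."""
    if ev.get("type") != "proxy":
        return False
    name = ev.get("url", "").rsplit("/", 1)[-1].lower()
    return name in STAGE_FILES

def is_script_host_persistence(ev):
    """True if a script host spawned schtasks to create a task that runs PowerShell."""
    if ev.get("type") != "proc" or ev.get("image", "").lower() != "schtasks.exe":
        return False
    cmd = ev.get("cmd", "").lower()
    parent = ev.get("parent", "").lower()
    return parent in SCRIPT_HOSTS and "/create" in cmd and "powershell" in cmd

def hcrypt_chain_hosts(lines):
    """Return hosts showing both a stage-file download and script-host persistence."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        if is_stage_download(ev):
            seen[ev["host"]].add("download")
        if is_script_host_persistence(ev):
            seen[ev["host"]].add("persistence")
    return sorted(h for h, s in seen.items() if {"download", "persistence"} <= s)

if __name__ == "__main__":
    print(hcrypt_chain_hosts(SAMPLE_EVENTS))  # ['WS01']
```

A single stage-file fetch (WS03) is reported only when correlated with the persistence step, which keeps a lone download of a file named Server.txt from an internal share from paging anyone.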
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.