CosmicBeetle Rolls Out Personalized CryptoCapture Ransomware, Collaborating with RansomHub


A new custom ransomware strain named CryptoCapture is being deployed by the threat actor CosmicBeetle against small- and medium-sized businesses (SMBs) across Europe, Asia, Africa, and South America, while the group potentially also acts as an affiliate for RansomHub.

In a recent analysis, ESET researcher Jakub Souček revealed that “CosmicBeetle has transitioned from their previous ransomware, Scarab, to CryptoCapture, demonstrating continuous enhancements. While not perfect, the threat actor demonstrates capabilities to infiltrate significant targets.”

The sectors targeted by CryptoCapture attacks include manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, as well as regional government bodies.

Known primarily for the malicious toolset called Spacecolon, CosmicBeetle previously used this toolset to distribute the Scarab ransomware within various victimized organizations worldwide.

Identified as NONAME, the adversary has been experimenting with the leaked LockBit builder to pose as the notorious ransomware group in ransom notes and leak sites since November 2023.


The origin of the attack and the attackers remain unknown, although initial speculations pointed towards Turkish origins due to the utilization of a customized encryption method in a tool called ScHackTool. ESET, however, doubts the validity of this attribution.

“The encryption framework used in ScHackTool is present in the legitimate Disk Monitor Gadget,” Souček mentioned. “It’s plausible that this encryption technique was adapted by VOVSOFT [the Turkish software firm] from a Stack Overflow thread

The intrusion techniques involve brute-force attacks and exploitation of known vulnerabilities (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to infiltrate target systems.

The attack methodology also involves tools such as Reaper, Darkside, and RealBlindingEDR to disable security processes and evade detection before deploying the Delphi-based CryptoCapture ransomware, which features partial encryption for speed and an “ERASE” mode that renders files irrecoverable by overwriting their contents with a constant value.
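As an added example (not code from the article or from ESET’s research), the following Python triage helper illustrates how an incident responder can tell intact, fully encrypted, partially encrypted and constant-overwritten (“erased”) files apart by per-chunk byte entropy. The sample data, chunk size and entropy threshold are constructed assumptions for the demonstration.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 1024      # assumed analysis window; partial encryption often hits only the first KBs
RANDOM_THRESHOLD = 7.0 # bits/byte above which a chunk is treated as ciphertext-like

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_chunk(chunk: bytes) -> str:
    """Label one chunk: 'constant' (single byte value), 'random' (high entropy) or 'plain'."""
    if len(set(chunk)) == 1:
        return "constant"
    return "random" if shannon_entropy(chunk) > RANDOM_THRESHOLD else "plain"

def triage_file(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Classify a whole file body from the labels of its fixed-size chunks."""
    if not data:
        return "empty"
    labels = [classify_chunk(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
    if all(label == "constant" for label in labels):
        return "erased"              # every byte overwritten with one constant value
    if all(label == "random" for label in labels):
        return "encrypted"           # whole body looks like ciphertext
    if "random" in labels:
        return "partially-encrypted" # only some chunks look like ciphertext
    return "intact"

# Constructed sample file contents (not real victim data).
_rng = random.Random(1234)
_TEXT = b"Quarterly report: revenue, headcount and inventory figures by region.\n"
SAMPLES = {
    "intact": _TEXT * 60,
    "encrypted": _rng.randbytes(4096),
    "partial": _rng.randbytes(1024) + _TEXT * 45,   # first chunk encrypted, rest untouched
    "erased": b"\x00" * 4096,                        # constant-value overwrite
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {triage_file(body)}")
```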

CryptoCapture Ransomware

The link to RansomHub rests on ESET’s observation that CryptoCapture and RansomHub payloads were deployed on the same system within a short timeframe.

“Due to the challenges involved in developing custom ransomware from scratch, CosmicBeetle tried to piggyback on LockBit’s reputation, possibly to mask deficiencies in the ransomware and enhance victim payment prospects,” explained Souček.

Cicada3301 Releases Enhanced Version

An updated version of the encryptor associated with the Cicada3301 ransomware (also known as Repellent Scorpius) has emerged, with threat actors using it since July 2024.

“New functionalities have been added to the encryptor, such as a new command-line parameter, --no-note,” detailed Palo Alto Networks Unit 42 in a report shared with The Hacker News. “Using this parameter prevents the encryptor from creating the ransom note on the system.”

An important change involves eliminating hard-coded credentials in the binary, while retaining the ability to run PsExec using these credentials if available, a tactic recently brought to attention by Morphisec.

Intriguingly, the cybersecurity firm detected indications that the group possessed data obtained from older breaches that predate the group’s operation under the Cicada3301 label.

This has sparked speculation that the threat actor might have operated under a different ransomware brand, or acquired the data from other ransomware groups. That said, Unit 42 highlighted some similarities with a separate intrusion carried out by an affiliate who deployed BlackCat ransomware in March 2022.

BURNTCIGAR Transforms into an EDR Wiper

The discoveries also coincide with a transformation of a signed kernel-mode Windows driver used by several ransomware groups to disable Endpoint Detection and Response (EDR) software: rather than simply stopping those solutions, it now also acts as a wiper by deleting critical files belonging to them.

The malicious software in question is POORTRY, which is deployed through a loader named STONESTOP to orchestrate a Bring Your Own Vulnerable Driver (BYOVD) attack that successfully circumvents Driver Signature Enforcement protections. Its capacity to “force delete” files on disk was first brought to attention by Trend Micro in May 2023.

POORTRY, first identified in 2021, is also known as BURNTCIGAR and has been employed over the years by several ransomware groups, including CUBA, BlackCat, Medusa, LockBit, and RansomHub.


“Both the Stonestop executable and the Poortry driver are heavily encrypted and disguised,” Sophos stated in a recent analysis. “This loader was enshrouded by a proprietary packer named ASMGuard, obtainable on GitHub.”

POORTRY is “dedicated to incapacitating EDR products through a sequence of diverse strategies, like eradication or alteration of kernel notify routines. The EDR assassin is designed to terminate security-related processes and render the EDR agent ineffective by wiping out critical files from the disk.”

RansomHub’s use of an upgraded iteration of POORTRY is noteworthy, considering that the ransomware crew has also been observed employing another EDR-disabling tool named EDRKillShifter this year.

“It is crucial to acknowledge that malicious actors have consistently been experimenting with varied techniques to hinder EDR products — a pattern we have been monitoring since at least 2022,” Sophos informed The Hacker News. “This experimentation can include multiple strategies, such as exploiting jeopardized drivers or leveraging certificates that have been inadvertently exposed or obtained through unlawful means.”

“Although it might appear that there is a substantial surge in these activities, it is more precise to state that this is part of an ongoing progression rather than a sudden escalation.”

“The application of different EDR-disablement tools, like EDRKillShifter by factions such as RansomHub, likely mirrors this continual experimentation. It is also plausible that distinct partners are involved, which could elucidate the adoption of diverse approaches, although lacking explicit information, we prefer not to speculate excessively on that matter.”
