{
	"id": "d6ba529c-2d9c-421d-be39-61dd5d6ae0e3",
	"created_at": "2026-04-06T00:22:05.227085Z",
	"updated_at": "2026-04-10T13:12:08.683985Z",
	"deleted_at": null,
	"sha1_hash": "450b73379b9a06f7aa7f436f14af0ee50b69da82",
	"title": "CRAT wants to plunder your endpoints",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3567186,
	"plain_text": "CRAT wants to plunder your endpoints\r\nBy Asheer Malhotra\r\nPublished: 2020-11-12 · Archived: 2026-04-05 19:09:48 UTC\r\nThursday, November 12, 2020 08:18\r\nCisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.\r\nApart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious\r\nplugins on the infected endpoint.\r\nOne of the plugins is a ransomware known as \"Hansom.\"\r\nCRAT has been attributed to the Lazarus APT Group in the past.\r\nThe RAT consists of multiple obfuscation techniques to hide strings, API names, command and control\r\n(C2) URLs and instrumental functions, along with static detection evasion.\r\nThe attack also employs a multitude of anti-infection checks to evade sandbox based detection systems.\r\nWhat's new?\r\nCisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple\r\nRAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been\r\nattributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks\r\nagainst the entertainment sector.\r\nIndicators and tactics, techniques and procedures (TTPs) discovered by this investigation resemble those of the\r\nLazarus Group.\r\nHow did it work?\r\nhttps://blog.talosintelligence.com/2020/11/crat-and-plugins.html\r\nPage 1 of 33\n\nThe attack consists of a highly modular malware that can function as a standalone RAT and download and activate\r\nadditional malicious plugins from its C2 servers. 
Cisco Talos has discovered multiple plugins so far, consisting of\r\nransomware, screen-capture, clipboard monitoring and keylogger components.\r\nSo what?\r\nThis attack demonstrates how the adversary operates an attack that:\r\nUses obfuscation and extensive evasion techniques to hide its malicious indicators.\r\nHas evolved across versions to make the attack more effective.\r\nEmploys a highly modular plugin framework to selectively infect targeted endpoints.\r\nMost importantly, it deploys RAT malware to ransack the endpoint, followed by deployment of\r\nransomware to either extort money or burn infrastructure of targeted entities.\r\nDistribution vector\r\nThe first version of CRAT has been known to be distributed via malicious HWPs. The HWPs masquerade as a\r\nCOVID-19 themed document pertaining to an infectious disease management support group from South Korea.\r\nThe HWPs consisted of an exploit for CVE-2017-8291 used to activate malicious shellcode. The shellcode would\r\nthen download and execute CRATv1 on the infected endpoint.\r\nThe distribution vector of the new version of CRAT (v2) is currently unknown. However, it is highly likely the\r\nattackers may have re-used a maldoc-based infection vector to spread CRATv2 as well.\r\nMalicious HWP document - downloader for CRATv1\r\nShellcode executing PowerShell to download and activate CRATv1 via regsvr32.\r\nObfuscation\r\nBefore we analyze the attack it is important to understand the extensive measures taken by the attackers to conceal\r\nthe RAT executables. The RAT is highly obfuscated in terms of:\r\nString Obfuscation: Almost all of the strings are obfuscated using a four-byte XOR key and subsequent\r\nbase64 encoding. 
String obfuscations are used to thwart string-based static malware detection signatures.\r\nAPI Resolution: All APIs used are resolved dynamically. The process of selecting the API to call is also a\r\ncumbersome algorithm (overkill) involving index tables, switch cases and API name deobfuscation. This\r\ntechnique is used to make analysis cumbersome for an analyst by hiding API call sequences.\r\nRuntime Code Patching: The malware consists of a select few instrumental subroutines that are decoded,\r\nexecuted and then patched/encoded again (during runtime). On-the-fly patching of subroutines/functions\r\nmay be aimed towards evading detection mechanisms that scan process memory to identify malicious\r\nstrings and code.\r\nWHY THE OCCURRENCE OF MULTIPLE OBFUSCATIONS?\r\nThe use of multiple obfuscations signifies the attackers' confidence in selective obfuscation rather than the use of\r\npackers as a means of evasion. Many detection systems look for the presence of a packer using techniques such as\r\nentropy analysis, Import API analyses, etc. Selective obfuscation of code and strings prevents these systems from\r\ndetecting the malware solely on the basis of the obfuscations.\r\nIt is also likely that this group of attackers employs a modular build system that obfuscates different aspects of\r\nmalware. Different modules can thus be used in conjunction to produce a combination of obfuscations for the\r\nsame malware.\r\nMASQUERADING AS LEGITIMATE\r\nThe attackers have also used file names and export API names in the CRAT DLLs to masquerade the RAT as a\r\nbenign application's library. Some examples of the exported function names are:\r\nConfigChrome\r\nDownloadChrome\r\nGetChromeVersion\r\nInstallChrome\r\nUninstallChrome\r\nUpdateChrome\r\nInstallFirefox\r\nSaveMicrosoftEdge\r\nExtractMicrosoftEdge\r\nExtractMicrosoftWord\r\nAnti-Infection Checks\r\nThe implant performs checks to verify its execution on an allowed endpoint. 
The implant uses a variety of criteria\r\nto identify a blocklisted system by utilizing:\r\nProcess name blocklists\r\nNetwork adapter name blocklists\r\nMAC Address blocklists\r\nAnalysis tool names blocklists\r\nThe implant also checks for indicators that the process is being debugged (including\r\nCheckRemoteDebuggerPresent). If the infected endpoint fails any of the anti-infection checks, the implant quits\r\nexecution. The blocklists are provided at the end of this post.\r\nFinding the right process — Sweet Home Alabama\r\nThe CRAT DLL ensures it resides in the desired process on the infected endpoint. Depending on the MS Windows\r\nOS version, it will inject and reflectively-load itself into the right process. The processes trojanized by CRAT v2\r\nare:\r\nWin10:\r\nsihost.exe\r\ntaskhostw.exe\r\nApplicationFrameHost.exe\r\nsvchost.exe\r\nWin 6.1:\r\ndwm.exe\r\ntaskhostex.exe\r\nsvchost.exe\r\nnotepad.exe\r\nOther Win 6.x:\r\ndwm.exe\r\ntaskhost.exe\r\nsvchost.exe\r\nnotepad.exe\r\nOS agnostic injection fallback process: explorer.exe\r\nCommunication mechanisms\r\nBefore detailing CRAT's capabilities, it is important to illustrate the communication mechanism used by CRAT to\r\ntalk to its C2 servers.\r\nBoth versions of CRAT use HTTP to communicate with the C2 servers. 
The data sent to the C2 is in the form of\r\nURL-encoded form data and may consist of 3 types of requests:\r\nLogin: Login/check-in with the C2 to register the infected endpoint.\r\nQuestion: Request a command code to execute a malicious RAT functionality on the endpoint.\r\nAnswer: Respond to the C2's command with the output of the executed RAT functionality.\r\nThe HTTP GET/POST requests are sent to the C2 URLs appended with a 'timestamp' value: http(s)://\u003cC2_url\u003e?\r\nts=\u003cepoch_time\u003e_\u003crand\u003e\r\nEXFILTRATION MECHANISM\r\nCRAT uses the following algorithm to encode the data before sending it out via the HTTP POST request:\r\n1. Generate a random four-byte value (DWORD).\r\n2. XOR the data to be exfiltrated with the DWORD.\r\n3. Base64-encode (std alphabet) the XOR key and the XORed data to achieve the final form of the data.\r\n4. Exfiltrate the encoded data as URL encoded form data.\r\nThe format of the response to the C2 is:\r\ncode=answer\u0026token=\u003ctoken\u003e\u0026content=\u003cbase64_encoded_data\u003efrags=\u003cfragment_count\u003e\u0026limit=10\r\nWhere:\r\ncode = type of the communication being done. Values include:\r\nlogin = login request to C2 from implant\r\nquestion = request command to be processed\r\nanswer = response to command executed\r\ntoken = a token value sent by the C2 as a response to the login (session identifier)\r\ncontent = the actual base64-encoded + XORed data being exfiltrated\r\nfrags = number of fragments of data being POSTed to the C2\r\nlimit = retry count in case of failure to send\r\nThe C2 server will respond with a JSON containing command codes and supporting data to be recognized by the\r\nimplant to execute a corresponding RAT capability.\r\nRAT capabilities\r\nThe CRAT malware consists of multiple RAT capabilities that allow it to be highly versatile and dangerous. 
CRAT\r\nexecutes these capabilities by receiving command codes and corresponding data from the C2 in the form of\r\nJSONs communicated over HTTP.\r\nApart from the introduction of a wide variety of new RAT capabilities in CRAT version 2 (vs CRAT version 1),\r\nthe biggest update is the spin-off of key RAT capabilities into plugin modules. These plugins (DLLs) are\r\ndownloaded on-the-fly by CRATv2 and injected into specific processes running on the infected endpoint.\r\nThe following capabilities have been observed in CRATv2.\r\nCOLLECT SYSTEM INFORMATION\r\nCollects the following system information:\r\nInstalled AntiVirus software names\r\nInstalled FirewallProduct names\r\nDomain Names:\r\nNetbios domain name\r\nDNS domain name\r\nDomain forest name\r\nFile version number from the DLL's embedded Version Information\r\nPath to the system folder\r\nFlag if the current user has administrative privileges\r\nImplant checking for ADMIN privileges\r\nTCP/IP enabled MAC Addresses using WMI query:\r\nwmic PATH Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE GET MACAddress.\r\nImplant replacing strings in the output of the WMIC command to obtain only the MAC Addresses\r\nENUMERATE DRIVES AND GATHER FILE SIZE INFORMATION\r\nCollects size information about all files and folders on the infected endpoint except:\r\nRecycle Bin\r\n%windir%\r\nThe data gathered is arranged into a specific format:\r\n\u003cDrive_Letter\u003e\\t\u003cDisk_Type\u003e\\r\\n\r\n[DIR]\\t\u003cFolder_Path\u003e\r\n\\t\u003cFile_Name\u003e\u003cspaces\u003e\u003csize_in_bytes\u003e bytes\r\nWhere Disk Type =\r\nLocal Disk\r\nCD ROM\r\nRemovable Disk\r\nRemote Disk\r\nRAM Disk\r\nUnknown Disk\r\nE.g.\r\nSnippet of drive and file size information gathered by the implant.\r\nENUMERATE DRIVES USING 
DIR\r\nEnumerate drives using the 'dir' command:\r\ncmd /c \"dir \u003cdrive_name\u003e /s \u003e\u003e %temp%\\\u003ccustom_prefix\u003eerror.log\"\r\nWhere custom_prefix = file name prefix specified by the C2\r\nE.g. cmd /c \"dir C:\\ /s \u003e\u003e C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\BLAHerror.log\"\r\nImplant constructing the dir cmd to be executed.\r\nThe log file is then rolled up into a \".rar\" archive using a pre-existing installation of a RAR archiver program\r\nusing the command:\r\n\u003crar_utility\u003e a -k -r -s -ibck -m5 \u003coutput_rar_filepath\u003e \u003cinput_log_filepath\u003e\r\nThe RAR archive is then read to memory and exfiltrated to the C2, followed by deletion of the .rar and log files.\r\nREAD AND WRITE FILE\r\nCRAT has the capability to read the contents of the file specified by the C2 and exfiltrate these to the C2. The\r\nwrite file capability consists of writing the data received from the C2 to a temporary file in the %temp% folder:\r\n%temp%\\\u003ctemp_name\u003e.tmp\r\nThe implant will also timestomp the tmp file to either a hardcoded value or copy the filetimes from a system file\r\nsuch as %windir%\\system32\\user32.dll.\r\nEXECUTE COMMANDS\r\nExecute commands with two variations of the functionality:\r\nSimply execute the command on the endpoint.\r\nExecute a command and send output of command to C2.\r\nREVERSE SHELL\r\nOpen up a reverse command shell for arbitrary command execution using Windows pipes.\r\nSET QUERY TIMES\r\nThis capability allows the C2 to specify delays between consecutive command queries from the implant to the C2\r\nfor:\r\nReceiving commands from the C2.\r\nReceiving arbitrary commands to execute in the reverse shell.\r\nSTEAL BROWSER PASSWORDS: CHROMEPASS\r\nExecute chromepass.exe with the /stext switch to obtain the 
usernames and passwords stored in Google Chrome.\r\nThe credentials are dumped to a text file which is read and exfiltrated to the C2.\r\nCommand format: chromepass.exe /stext \u003coutput_filepath\u003e\r\nFILE EXPLORER\r\nCRAT contains a RAT functionality that implements a custom-built File Explorer sub-module.\r\nThe C2 specifies the parent functionality command code and an additional sub-command code to specify the sub-capability to be executed in the file explorer. The file explorer sub-module contains the following sub-capabilities:\r\nGather free and total disk space information for each drive on the system.\r\nEnumerate file listings (recursively) in a given directory.\r\nMove files across locations.\r\nFind and remove files and folders.\r\nCreate RAR archive files from files specified.\r\nCreate RAR archives and exfiltrate file contents to C2.\r\nExecute arbitrary commands specified by C2 on the endpoint.\r\nPLUGIN ADMINISTRATION\r\nDownloads and installs a malicious plugin from the C2. The plugin is placed in a standard directory specified by\r\nthe C2, and locations may include:\r\n%PUBLIC%\\Documents\r\n%USERPROFILE%\\Downloads\r\n%PUBLIC%\\Music\r\n%PUBLIC%\\Pictures\r\n%PUBLIC%\\Videos\r\n%windir%\r\n%windir%\\system32\r\n%APPDATA% (%USERPROFILE%\\AppData\\Roaming)\r\nCRAT can also administer the malicious plugins by performing the following actions:\r\nFor EXE based plugins:\r\nExecute plugin as an independent process.\r\nFor DLL plugins:\r\nActivate using regsvr32.exe\r\nActivate using rundll32.exe\r\nReflectively load into its own process\r\nReflectively load into a target process\r\nDelete files related to plugins\r\nUNINSTALL CRAT\r\nThe RAT comes with an uninstallation routine built into it as well. This routine can be triggered in response to a\r\ncommand issued by the C2 or if the endpoint fails its anti-infection checks. 
The uninstallation routine consists of:\r\nDeleting .exe and .lnk files associated with the RAT.\r\nSending the uninstall flag to the communications pipe.\r\nDeleting associated plugin files (EXEs and DLLs) from the endpoint.\r\nADDITIONAL CAPABILITIES\r\nIn addition to the RAT capabilities, CRAT also consists of additional functionalities that are implemented as part\r\nof independent threads in the infected process:\r\nSend Heartbeat Thread: This will send four bytes of data periodically to a named pipe.\r\nUpload File Thread: This thread will periodically send the contents of a file to the C2 server over HTTP.\r\nThe contents of either the Keylogger or Clipboard monitor files are read and sent to the C2.\r\nUpload Screen Thread: This thread reads and sends the contents of another file to the C2 server over HTTP.\r\nMost likely the content of screenshots taken by the Screen Recorder plugin.\r\nCRATv2 plugins\r\nWith version 2, the attackers have evolved CRAT into a modular RAT with the ability to download and activate\r\nadditional malicious plugins (DLLs) on the infected endpoint. The first version of CRAT had these plugin\r\ncapabilities implemented within the RAT. Cisco Talos has discovered these capabilities so far:\r\nScreen capture plugins\r\nClipboard monitor plugins\r\nKeylogger plugins\r\nRansomware\r\nSCREEN CAPTURE PLUGIN\r\nThe screen capture plugin will capture the current foreground window (every second or so) and save the\r\nscreenshot to a .tmp file in a hardcoded directory. The screenshot is saved in TIFF file format. 
Since TIFF is\r\nwidely supported by scanning and faxing systems, the malicious screenshots may be mis-identified as document\r\nscans by a forensic analyst instead of malicious screen captures.\r\nThe saved screenshot file is also XORed, using a variable length XOR key hardcoded into the plugin, when saved to\r\nadd a further layer of obfuscation.\r\nSample screenshot captured by the plugin\r\nCLIPBOARD MONITOR PLUGIN\r\nThis plugin will read the clipboard data and write the contents of the clipboard to a log file. The format of the\r\nclipboard data logged is:\r\n\\r\\n[YYYY-mm-DD HH:MM:SS]\\r\\n\u003cclipboard_data\u003e\r\nThe data is stored in a seemingly benign file location such as:\r\n%localappdata%\\Google\\Chrome\\Application\\Update.chk\r\nClipboard monitor implant getting clipboard data.\r\nKEYLOGGER PLUGIN\r\nThe keylogger plugin monitors the state of all the alphanumeric keys pressed. 
It also logs the following keys:\r\nCtrl\r\nShift\r\nMenu\r\nAlt\r\nEnter\r\nTab\r\nBackspace\r\nCapslock\r\nDelete\r\nEnd\r\nHome\r\nUp\r\nDown\r\nLeft\r\nRight\r\nFunction keys\r\nThe keystrokes are logged to another seemingly benign file on the endpoint such as:\r\n%localappdata%\\Google\\Chrome\\Application\\Update.cert\r\nThe format of the log file is:\r\n\\r\\n[\u003cWindow_Name\u003e - YYYY-mm-DD HH:MM:SS]\\r\\n\u003ckeylogger_data\u003e\r\n\\r\\n[YYYY-mm-DD HH:MM:SS]\\r\\n\u003ckeylogger_data\u003e\r\nExample:\r\n[Untitled - Notepad - 2020-06-05 01:02:03]\r\nThese keystrokes are being recorded[ENTER]\r\n[Blah - 2020-06-05 01:02:03]\r\n[CTRL] + c\r\nKeywords used to log keys being pressed.\r\nRansomware plugin — Hansom\r\nWe also discovered a ransomware plugin that encrypts specific file extensions on the infected endpoint.\r\nTraditionally ransomware encrypts files on the infected endpoint using a combination of asymmetric and\r\nsymmetric encryption. This plugin is different.\r\nIt locks files into individually created archives using randomly generated passwords. The passwords are then\r\nencrypted using an embedded public key (part of an embedded pub certificate). 
Once the infected user gets access\r\nto the private key (after the ransom has been paid), the private key can be plugged into the accompanying\r\ndecryptor .exe that decrypts the archive passwords and subsequently unpacks the original files from the archive.\r\nThe plugin performs the following housekeeping actions before it begins encrypting files on the endpoint:\r\nTerminate specific application processes.\r\nSuppress Windows Defender notifications by setting registry value:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration | Notification_Suppress =\r\n0x1\r\nTerminate Windows Defender process \"MsMpEng.exe\" specifically.\r\nDisable task manager via registry: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System |\r\nDisableTaskMgr = 0x1\r\nSetup persistence for self via registry and regsvr32:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | HANSOM = regsvr32.exe /s\r\n\u003cfilepath_to_ransomware_dll\u003e\r\nTARGETED FILE EXTENSIONS\r\nThe following file extensions are targeted by the ransomware plugin. The ransomware excludes certain file and\r\nfolder names from encryption to ensure the stability of the Operating System (listed in the IOCs section).\r\ndoc,docx,ppt,pps,pptx,xls,xlsx,mdb,chm\r\ntxt,log,pdf,hwp,hst,ods,odt,rtf,csv,hwpml,show,eps,epub,eml\r\nhtm,html,js,css,vbs,php,jsp,xml,asp,aspx\r\nasm,java,c,cpp,cs,h,m,3ds,max,dwg,cad\r\nrar,zip,alz,tar,tgz,gz,7z,iso,bz2,bzip2,arj,arc,ace,xz,lz\r\njpg,jpeg,png,bmp,tiff,gif,psd,ai,fla,ppm,xbm\r\nexe,dll,jar,war,bat,py,pl,apk,msi,ocx,cmd\r\ndb,frm,myd,myi,mdf,sdf,dbf,sql,sqlite3,dat\r\ncer,crt,der,p7b,p7c,p12,pfx,pem,csr,key\r\nini,inf,reg,bak,ldf,config,conf,cka,au3\r\nRANSOMWARE ENCRYPTION ALGORITHM\r\nThe plugin uses the following sequence of steps to encrypt/lock files on the infected endpoint:\r\n1. 
Create a password by generating random 0x48 bytes and base64 encoding them. Then take the target file\r\nand add it to a password-protected RAR archive using command:\r\n\"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\WinRar\\Rar.exe\" a -y -ep -k -r -s -ibck -df -m0 -hp\u003cpassword\u003e -\r\nri1:250 \"\u003ctarget_filepath\u003e.rar\" \"\u003ctarget_filepath\u003e\"\r\nThis command also deletes the target file once it has been added to the archive.\r\n2. After the target file has been archived, the random password used for the creation of the RAR archive is\r\nencrypted using an embedded RSA public key.\r\n3. The encrypted password blob is appended to the archive along with a marker indicating that the file has\r\nbeen encrypted successfully. The marker used is:\r\n48 61 6E 73 6F 6D 32 30 30 38 20 20 07 29 Hansom2008 .)\r\n4. Then the RAR archive is renamed (via file move) to the name of the original file.\r\nE.g. C:\\blah\\abc.txt.rar is renamed back to C:\\blah\\abc.txt\r\n5. A ransom note is dropped in the target file's directory named HANSOM_README.txt informing the user\r\nof the ransomware infection.\r\nRansom Note\r\nThe BTC addresses discovered so far do not hold any money (with no transactions made in or out of the BTC\r\naddresses).\r\nPOST-PROCESSING ACTIVITIES\r\nThe ransomware plugin performs the following activities after it has encrypted all the targeted files on the system:\r\n1. Create and encrypt sample files on desktop folder \"Hansom_Sample\" for demonstrating the decryptor:\r\nsample.docx\r\nsample.jpg\r\nsample.pdf\r\nsample.zip\r\n2. Drop the decryptor .exe to the current user's desktop as \"Hansom Decryptor.exe\".\r\n3. Copy the ransom note JPG to C:\\Users\\Public\\Pictures\\hansom.jpg and set it as the current wallpaper via\r\nregistry.\r\nHansom ransomware wallpaper:\r\n4. Remove any registry based persistence mechanisms such as Run keys to prevent re-encryption of files on\r\nstartup.\r\n5. Delete disk shadow copies using wmic command: shadowcopy delete\r\nThe ransomware plugin also communicates with a C2 server URL, sending it details (as JSONs) such as:\r\nUnique ID of machine (generated similar to CRAT)\r\nRansom ID of the plugin\r\nNumber of files encrypted\r\nPrivilege level of the process, etc.\r\nLoaders\r\nIn addition to the CRATv2 DLLs, Cisco Talos discovered multiple loaders related to the RAT family. This section\r\nprovides an overview of these components.\r\nEXE LOADERS\r\nThe EXE based loader serves two primary purposes:\r\n1. Establish persistence for itself using a scheduled task on the infected endpoint. Usually scheduled to run\r\nonce every few minutes. The loader may also obtain persistence using a registry RUN key.\r\n2. Perform anti-infection checks and inject the CRAT DLL into a target process.\r\nThe CRAT DLL isn't dropped or downloaded by the .exe based loader to the endpoint.\r\nIt simply reads the DLL from a hardcoded filepath, un-XORs it using a 4-byte key and the resulting DLL is\r\nreflectively injected into a specified target process.\r\nVARIANT #2\r\nThe latest variant of the EXE loader contains the following capabilities/upgrades:\r\n1. Establish persistence for itself using two mechanisms:\r\nCreate and run a malicious service on the endpoint to run itself.\r\nCreate a malicious LNK for itself which is persisted via a malicious RUN registry key value.\r\n2. Read an implant (most likely CRATv2) into memory and reflectively load it into the loader's process space.\r\nDLL LOADERS\r\nApart from EXE based loaders, this CRAT also uses DLL based loaders. 
The DLL loaders carry out the same\r\nfunction of decoding the CRAT DLL and reflectively injecting it into a specified process.\r\nThe differences are in the persistence techniques used:\r\nThe DLL loader copies itself to a specified directory and creates a LNK that activates the loader via\r\nrundll32.exe\r\nThe LNK file is then persisted across reboots via the registry RUN key:\r\nHKCU\\Software\\Microsoft\\windows\\CurrentVersion\\Run | \u003cValue_Name\u003e = \u003cLNK_filepath\u003e\r\nVARIANT #2\r\nCisco Talos discovered another variant of the DLL-based loader that acts as a packager as well. Depending\r\non the option specified, the loader will either:\r\nActivate CRAT:\r\nActivate unpacked CRAT DLL:\r\nReflectively inject an existing CRAT DLL into a hardcoded process.\r\nUnpack and activate:\r\nExtract components of the attack from a RAR archive and execute an accompanying EXE file (Most likely\r\nused to load the CRAT DLL).\r\nThe extraction isn't carried out directly. This variant will create a VBS file to run rar.exe to extract CRAT\r\ncomponents. 
Syntax used:\r\nSet s = Wscript.CreateObject(\"Wscript.Shell\"): s.Run \"\"\"%s\"\" x -y -p%s \"\"%s\"\" \"\"%s\"\"\", 0, TRUE:\r\ns.Run \"\"\"%s\\%s\"\"\", 0: Set s = Nothing\r\nE.g.\r\nSet s = Wscript.CreateObject(\"Wscript.Shell\"): s.Run \"\"\"C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Roaming\\WinRar\\Rar.exe\"\" x -y -p[password] \"\"\u003cpath_to_rar_file\u003e\\\r\n\u003cfilename\u003e.rar\"\" \"\"\u003ctarget_dir\u003e\"\"\", 0, TRUE: s.Run \"\"\"\u003ctarget_dir\u003e\\\u003cextracted_exe\u003e.exe\"\"\", 0: Set s =\r\nNothing\r\nJust like the previous DLL loader, this variant will create an LNK file to run the VBS script upon reboot by\r\nsetting up registry key: HKCU\\Software\\Microsoft\\windows\\CurrentVersion\\Run | \u003cValue_Name\u003e =\r\n\u003cLNK_filepath\u003e\r\nPackage CRAT: This variant of the loader also has the capability to create an archive from a specified file\r\non disk. This functionality may be used to create deployment packages for another part of the infection\r\nchain. Syntax used:\r\n\"\u003cpath_to\u003e\\Rar.exe\" a -k -r -s -ibck -m5 -df -ep -hp[password] \"\r\n\u003cfilepath_of_rar_archive_to_be_created\u003e.rar\" \"\u003cfile_to_be_archived\u003e\"\r\nInfection chain of CRATv2\r\nEvolution Timeline of CRAT and Components\r\nThe earliest versions of CRAT discovered were compiled in April 2020. The following is a timeline of events in\r\nthe lifecycle of CRAT with the introduction/modification of its components at different stages of the engineering\r\nprocess.\r\nAPRIL 2020\r\nEarliest known version of CRAT (v1) created. Limited capabilities and basic string obfuscation. 
Downloaded by\r\nmalicious HWPs from an infected Wordpress website.\r\nMAY 2020\r\nThe following components were first built May 2020:\r\nEXE loader v1 in early May 2020.\r\nDLL loader v1 in late May 2020.\r\nCRATv2 seen for the first time in early May 2020.\r\nThree CRAT plugins seen for the first time in early May 2020.\r\nScreen Recorder.\r\nClipboard Monitor.\r\nKeylogger.\r\nJUNE 2020\r\nDLL loader v2 first seen in June 2020.\r\nJULY 2020\r\nEXE loader v1 continues evolving to add more persistence mechanisms (LNK and registry Run key\r\ncombination) in July 2020.\r\nRansomware plugin - Hansom spotted in the wild.\r\nAUGUST 2020\r\nEXE loader v2 first seen in August 2020.\r\nSEPTEMBER 2020\r\nLatest version of the Ransomware plugin spotted in mid September.\r\nThis timeline shows that the attackers have been busy developing a new component of the infection chain\r\nalmost every month since April 2020.\r\nA visual timeline of the evolution is presented here:\r\nVisual timeline of the evolution of the infection chain of CRAT.\r\nLinks to Lazarus\r\nAttribution is hard. Although prior reporting has linked CRAT to Lazarus, there has been no solid evidence to back\r\nthese claims. There are however some aspects of the attack that resemble Lazarus' practices:\r\nCode Reuse - CRAT uses the same HTTP wrapper library used by other Lazarus implants such as Wild\r\nPositron and Rising Sun. Although this may be a weak attribution link, it does make sense for the group to\r\nreuse code they've had success with in the past.\r\nFunctionality Duplication - Lazarus tends to mix-and-match RAT capabilities and peripheral\r\nfunctionalities to stitch together variations of the same implant. 
That is, different obfuscation mechanisms,\r\ncommunication techniques and RAT capabilities are assembled together to create variations of the implant.\r\nThis may cause duplication of certain functionalities. In the case of CRAT, the occurrence of the same\r\ncapability like 'execution of arbitrary commands' multiple times as independent RAT commands and also\r\nas part of the File Explorer sub-module indicates a factory-based build approach for the implants. Although\r\na weak link, this process is still in sync with Lazarus' build paradigms.\r\nRansomware Plugin - Lazarus has been known to distribute ransomware as a means of sponsoring their\r\nmalicious activities. The BTC addresses used by the ransomware plugin in the case of CRAT (Hansom\r\nRansomware) do not currently hold any funds. Thus, it is unclear whether this module is in fact\r\nransomware or a pseudo-ransomware (posing as ransomware but meant to burn endpoints).\r\nWordpress C2s - CRAT uses Wordpress based websites to act as its C2 servers. This practice is in sync\r\nwith Lazarus' TTPs of using Wordpress websites to place C2 modules that act as intermediaries between\r\nthe implants and real C2 servers.\r\nPast Attribution - CRAT has been attributed to Lazarus in the past by the security community.\r\nTargets - Based on the lures observed so far by Cisco Talos, CRAT aims to infect Korean-speaking\r\nentities. This may also be an indicator of Lazarus targeting specific parties of interest.\r\nConclusion\r\nThis investigation illustrates the continued use and evolution of the CRAT implant. CRAT started out as a nascent\r\nRAT with limited capabilities, which evolved to introduce a wide variety of malicious capabilities including a full-fledged File Explorer.\r\nThe latest iteration of CRAT now has the capability to download and deploy arbitrary plugins on the infected\r\nendpoint. 
These plugins have capabilities ranging from spying to encrypting and holding the user's data hostage.\r\nThe ransomware plugin in particular has the potential to cause extensive loss of services, time and money to\r\naffected organizations.\r\nThe continued evolution of loaders used to deploy CRAT also indicates that the attackers are actively developing\r\nnovel ways of infecting their targets. The extensive use of obfuscation, patching and anti-infection techniques\r\nindicates that the attackers have taken great care towards evading detection systems. Thus, while static and\r\nnetwork-based detection is important, it should be complemented with system behavior analysis and endpoint\r\nprotections.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower Management Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. 
For specific OSqueries on this threat, click here.\r\nIOCs\r\nCRATV1 DOWNLOAD LOCATIONS\r\nhxxp://teslacontrols[]ir/wp-includes/images/detail31.jpg\r\nhxxp://teslacontrols[]ir/wp-includes/images/detail32.jpg\r\nhxxp://www[]sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg\r\nMUTEX NAMES\r\nCRAT\r\nCRAT2\u003cFileVersionNumber_from_rsrc\u003e E.g. \"CRAT21.0.0.7\"\r\nCratScreenCaptureMutex\r\nCratClipboardMonitor2Mutex\r\nCratKeyLog2Mutex\r\nMutex_Hansom2008\r\nAnti-Infection Checks\r\nThe following is the blocklist of the various artifacts checked on the infected endpoint. 
If any of these are detected, the malware stops execution.\r\nVmtoolsd.exe\r\nVmwaretrat.exe\r\nVmwareuser.exe\r\nVmacthlp.exe\r\nvboxservice.exe\r\nvboxtray.exe\r\nNETWORK ADAPTER DESCRIPTIONS\r\nVMware Virtual Ethernet Adapter\r\nVirtualBox Host-Only Ethernet Adapter\r\nMACADDRESS PREFIXES\r\n00:05:69\r\n00:0C:29\r\n00:1C:14\r\n00:50:56\r\nWINDOW NAMES\r\nWinDbg\r\nx64_dbg\r\nx64dbg\r\nOllyICE\r\nOllyDbg\r\nImmunity\r\nida\r\nwww.sysinternals.com\r\nProcess Explorer\r\nProcess Monitor\r\nFiles Monitor\r\nWireshark\r\nFiddler\r\nTcpdump\r\nTcpView\r\nBurp Suite\r\nANALYSIS TOOLS PROCESS NAMES\r\nWinDbg\r\nx64_dbg\r\nx64dbg\r\nOllyICE\r\nOllyDbg\r\nImmunity\r\nida\r\nProcExp\r\nProcMon\r\nFileMon\r\nWireshark\r\nFiddler\r\nTcpdump\r\nTcpView\r\nBurpSuite\r\nRansomware Plugin Details\r\nBTC ADDRESSES\r\nbc1q3tdfzfjngzdlup7x50x3tkfs2mx90a85en9z74 [0 BTC as of publication date]\r\nbc1qpy4dn79xyac8ep6a2daupqmxd6c4cxlywq4fe3 [0 BTC as of publication date]\r\nATTACKER EMAIL ADDRESSES\r\nkeepcredit015[at]protonmail.com\r\nhonestman0023[at]protonmail.com\r\nhansom2008[at]protonmail.com\r\nhansompay2008[at]yandex.com\r\nPROCESSES TERMINATED\r\nmsftesql.exe\r\nsqlbrowser.exe\r\nsqlagent.exe\r\nsqlwriter.exe\r\nsqlservr.exe\r\nocssd.exe\r\noracle.exe\r\nsynctime.exe\r\ndbsnmp.exe\r\nagntsvc.exe\r\nmydesktopqos.exe\r\nxfssvccon.exe\r\nisqlplussvc.exe\r\nocautoupds.exe\r\nmydesktopservice.exe\r\nagntsvc.exe\r\nagntsvc.exe\r\nencsvc.exe\r\nagntsvc.exe\r\ntbirdconfig.exe\r\nfirefoxconfig.exe\r\nmysqld.exe\r\nocomm.exe\r\nmysqld-opt.exe\r\nmysqld-nt.exe\r\nsqbcoreservice.exe\r\ndbeng50.exe\r\ninfopath.exe\r\nexcel.exe\r\nmspub.exe\r\nmsaccess.exe\r\noutlook.exe\r\nonenote.exe\r\nsteam.exe\r\npowerpnt.exe\r\nthebat.exe\r\nsqlservr.exe\r\nthunderbird.exe\r\nthebat64.exe\r\nwinword.exe\r\nvisio.exe\r\nWordpad.exe\r\nFILE NAME EXCLUSIONS\r\ndesktop.ini\r\nntuser.dat\r\nautorun.inf\r\nbootsect.bak\r\niconcache.db\r\nntuser.dat.log\r\nboot.ini\r\nthumbs.db\r\nHANSOM_README.txt\r\nShowNote.vbs\r\nFOLDER NAME EXCLUSIONS\r\nThe following folders are excluded from the encryption process by the ransomware plugin.\r\nIETldCache\r\nProgramData\r\nProgram Files\r\nBoot\r\nTor Browser\r\nProgram Files (x86)\r\nAll Users\r\nHansom_Sample\r\nWindows\r\nLocal Settings\r\nINetCache\r\n$Recycle.bin\r\ncache2\r\nLocalCache\r\nSample9\r\nSource: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/11/crat-and-plugins.html"
	],
	"report_names": [
		"crat-and-plugins.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434925,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/450b73379b9a06f7aa7f436f14af0ee50b69da82.pdf",
		"text": "https://archive.orkl.eu/450b73379b9a06f7aa7f436f14af0ee50b69da82.txt",
		"img": "https://archive.orkl.eu/450b73379b9a06f7aa7f436f14af0ee50b69da82.jpg"
	}
}