Crypt-Ghouls: Unveiling the Shared Arsenal of Hacktivist Groups

KanakSasak

Crypt-Ghouls

Ready to dive deeper into the intriguing world of hacktivism? Let’s uncover how groups like Anonymous Sudan, KillNet, and the newly identified Crypt-Ghouls are not just sharing their hacking tools but also expanding their arsenals with sophisticated software.

A New Player on the Scene: The Crypt-Ghouls

In December of last year, cybersecurity researchers discovered a new group targeting Russian businesses and government agencies with ransomware attacks. Dubbed the Crypt-Ghouls, this group has been linked to other hacktivist organizations currently focusing on Russia. The connections aren’t just speculative; there are clear overlaps in their indicators of compromise (IoCs), tools, tactics, techniques, and procedures (TTPs). Even their attack infrastructures show partial overlaps, suggesting a web of collaboration or at least a shared playbook among these groups.

The Crypt-Ghouls’ Toolkit

The Crypt-Ghouls have an extensive toolkit that mirrors those used by other hacktivist groups:

  1. XenAllPasswordPro: Used to harvest authentication data, helping attackers collect usernames and passwords from compromised systems.
  2. CobInt Backdoor: A stealthy backdoor that grants unauthorized access to infected machines, allowing hackers to execute commands remotely.
  3. Mimikatz: A well-known tool for extracting victims’ credentials, particularly useful for retrieving passwords stored in memory.
  4. dumper.ps1: A PowerShell script designed to dump Kerberos tickets from the Local Security Authority (LSA) cache, aiding in lateral movement within networks.
  5. MiniDump: Utilized to extract login credentials from the memory of the lsass.exe process, revealing sensitive user information.
  6. cmd.exe: The classic command-line utility, repurposed here to copy credentials stored in browsers like Google Chrome and Microsoft Edge.
  7. PingCastle: A network reconnaissance tool that assesses Active Directory security, helping attackers map out the network structure.
  8. PAExec: An application similar to Microsoft’s PsExec, allowing hackers to run remote commands on compromised systems.
  9. AnyDesk and resocks SOCKS5 Proxy: Tools for remote access, enabling attackers to control systems and route their traffic through compromised machines.
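To make the toolkit above actionable for defenders, here is an added example (not code from the original post or from any vendor report) of behavioural detections that would fire on the tool use described in the list: memory reads against lsass.exe (MiniDump, Mimikatz), execution of the named tool binaries, dumper.ps1 launched through PowerShell, and cmd.exe copying browser credential stores. The events are simplified Sysmon-style records that I constructed for the demo; the lsass allow-list, the Chromium credential file names and the field layout are assumptions to be tuned per estate.

```python
"""Behavioural detections for the tool set described in the post (added example).

Events are simplified Sysmon-style records (constructed, not real telemetry):
  EventID 1  = process creation  (Image, CommandLine, ParentImage)
  EventID 10 = process access    (SourceImage, TargetImage, GrantedAccess)
"""
import re

# Tool binaries named in the post; matched on the executable name only.
KNOWN_TOOLS = {
    "xenallpasswordpro.exe", "mimikatz.exe", "paexec.exe", "psexec.exe",
    "anydesk.exe", "nssm.exe", "localtonet.exe", "resocks",
}

# Processes that legitimately read lsass memory (assumption: extend with your own EDR/AV image).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",
}

PROCESS_VM_READ = 0x0010  # access bit needed to read another process's memory

# Chromium-based browsers keep saved logins in these files (assumption on exact names).
BROWSER_STORES = re.compile(r"(login data|web data|local state)", re.I)


def _base(path):
    """Executable name from a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_lsass_read(ev):
    """MiniDump / Mimikatz style: a non-allow-listed process reads lsass memory."""
    if ev.get("EventID") != 10 or _base(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(access & PROCESS_VM_READ) and \
        ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST


def rule_known_tool(ev):
    """One of the listed tool binaries was started."""
    return ev.get("EventID") == 1 and _base(ev.get("Image", "")) in KNOWN_TOOLS


def rule_ticket_dump_script(ev):
    """dumper.ps1 (Kerberos ticket dump script) executed via PowerShell."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return "dumper.ps1" in ev.get("CommandLine", "").lower()


def rule_browser_cred_copy(ev):
    """cmd.exe copying Chrome/Edge credential stores, as described in the post."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "cmd.exe":
        return False
    cl = ev.get("CommandLine", "").lower()
    return ("copy" in cl or "xcopy" in cl) and bool(BROWSER_STORES.search(cl))


RULES = {
    "lsass_memory_read": rule_lsass_read,
    "known_hacktivist_tool": rule_known_tool,
    "kerberos_ticket_dump_script": rule_ticket_dump_script,
    "browser_credential_copy": rule_browser_cred_copy,
}


def evaluate(events):
    """Return [(event_index, rule_name), ...] for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry (paths echo the post's IoC section; not a real incident).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\t.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Users\User\Desktop\x86\x64\mimikatz.exe",
     "CommandLine": "mimikatz.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\User\Downloads\dumper.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" C:\Windows\Temp\ld'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The lsass rule keys on the PROCESS_VM_READ bit rather than on a full access mask, because both MiniDump-style tools and Mimikatz must read process memory whatever other rights they request; the name-based tool rule is deliberately the weakest of the four and is best combined with the file hashes and paths from the indicator section.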

Initial Access and Persistence

In at least two documented attacks, the Crypt-Ghouls gained initial access by using compromised contractor login credentials to connect to the victims’ internal systems via VPN. These VPN connections originated from IP addresses linked to Russian hosting providers and to the contractors’ own networks. This method highlights a growing trend in which attackers infiltrate organizations through their third-party partners, often by exploiting unpatched vulnerabilities or compromised VPN services.

Hacktivists Shopping from the Same Tool Shed

It’s becoming increasingly clear that many hacktivist groups are using similar, if not identical, tools to carry out their cyber campaigns. Imagine different chefs using the same secret sauce in their recipes — that’s what’s happening here. This tool-sharing isn’t merely coincidental; it hints at a level of collaboration or a shared marketplace where these digital weapons are exchanged.

Why the Overlap?

You might be wondering why these groups are using the same tools. There are a few reasons:

  1. Accessibility: Many of these tools are available on the dark web or even on regular forums, making them easily accessible to anyone with the know-how.
  2. Effectiveness: If a tool works, why reinvent the wheel? These groups opt for proven methods to maximize impact.
  3. Collaboration: There’s a blurred line between some of these groups, with members possibly overlapping or collaborating on certain operations.

The Bigger Picture

This overlap raises concerns about the evolving nature of hacktivism. With tools becoming more sophisticated and accessible, the barrier to entry lowers, potentially leading to more groups joining the fray. For organizations and governments, understanding this shared toolkit is crucial in bolstering defenses and staying one step ahead.

Wrapping Up

The world of hacktivism is as dynamic as it is enigmatic. As these groups continue to share and refine their tools, staying informed is key. Whether you’re a cybersecurity pro or just someone curious about the digital underworld, it’s essential to keep an eye on these trends.

Stay safe out there, and until next time, keep your passwords strong and your firewalls stronger!

Indicators of compromise

Note: Network addresses specified in this section are valid at the time of publishing, but may change over time.

SHA256:
01fba22c3e6cf11805afe4ba2f7c303813c83486e07b2b418bf1b3fabfd2544e — dismcore.dll
3edb6fb033cc00c016520e2590e2888e393ad5ed725e853eea3bc86cee3b28b8 — resocks
5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 — dumper.ps1
92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50 — Mimikatz
dec147d7628d4e3479bc0ff31413621fb4b1b64a618469a9402a42816650f92b — Lockbit 3.0
a54519b7530039b9fba9a4143bf549b67048f441bbebf9f8d5cff1e539752189 — Lockbit 3.0
56682344aa1dc0a0a5b0d26bd3a8dfe8ceb8772d6cd9e3f8cbd78ca78fe3c2ab — Babuk
a27d900b1f94cb9e970c5d3b2dcf6686b02fb722eda30c85acc05ba55fdabfbc — MiniDump Tool
eb59a4b1925fdf36dbe41091cb7378291a9116d8150118e4f449cbd1147e204e — kxxxxxxx.sys

File paths:
C:\ProgramData\oracle\dismcore.dll
odbcconf.xml — payload
C:\Users\User\Downloads\dumper.ps1 — dumper.ps1
C:\Users\User\Desktop\x86\x64\mimikatz.exe
C:\programdata\1c\allinone2023\xenallpasswordpro.exe
C:\programdata\allinone2023\xenallpasswordpro.exe
C:\programdata\dbg\allinone2023\xenallpasswordpro.exe
$user\desktop\allinone2023\xenallpasswordpro.exe
C:\programdata\allinone2023\XenAllPasswordPro.exe
C:\Windows\Temp\nssm-2.24\win64\nssm.exe
C:\Users\[redacted]\Downloads\AnyDesk.exe
C:\Windows\Temp\localtonet.exe
C:\ProgramData\t.exe (MiniDump Tool)
C:\Users\User\AppData\Local\Temp\kxxxxxxx.sys
C:\Windows\Temp\kxxxxxxx.sys
/tmp/lock.out (Babuk)
/usr/sbin/xfs-healthcheck (resocks)
/usr/sbin/xfs-modules (resocks)
c:\programdata\intell\intellpui.vbs (CobInt)

IP addresses and URLs:
45.11.181[.]152 — netstaticpoints[.]com — CobInt C2
169.150.197[.]10 — SurfShark VPN
169.150.197[.]18 — SurfShark VPN
91.142.73[.]178 — VDSINA-NET
91.142.74[.]87 — VDSINA-NET
95.142.47[.]157 — VDSINA-NET
185.231.155[.]124 — VDSINA-NET

Utilities:
XenAllPasswordPro
PsExec
PAExec
SoftPerfect Network Scanner
Localtonet
PingCastle
Mimikatz
AnyDesk
NSSM
resocks
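The indicator list above is published defanged and, as copied from the original report, mixes hashes, file paths and IP addresses with labels. As an added example (my code, not the post's or any vendor's), the script below parses a subset of those indicators into a lookup structure, refangs the addresses, and matches them against two constructed telemetry feeds: VPN authentication lines (to catch the contractor-credential VPN logins from hosting-provider addresses described in the "Initial Access" section) and an EDR file inventory of (path, SHA256) pairs. Only the indicator values come from the post; the log formats, the `src=`/`user=` field names and the normalisation rules are assumptions.

```python
"""Parse the post's defanged indicator list and match it against constructed
telemetry (added example). Indicator values are taken from the post; the log
formats and matching rules are assumptions made for the demo."""
import re

# Subset of the post's indicators, in the post's own layout (IPs defanged with "[.]").
IOC_TEXT = r"""
SHA256:
01fba22c3e6cf11805afe4ba2f7c303813c83486e07b2b418bf1b3fabfd2544e — dismcore.dll
3edb6fb033cc00c016520e2590e2888e393ad5ed725e853eea3bc86cee3b28b8 — resocks
5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 — dumper.ps1
a27d900b1f94cb9e970c5d3b2dcf6686b02fb722eda30c85acc05ba55fdabfbc — MiniDump Tool

File paths:
C:\ProgramData\oracle\dismcore.dll
C:\Users\User\Downloads\dumper.ps1 — dumper.ps1
C:\programdata\1c\allinone2023\xenallpasswordpro.exe
C:\ProgramData\t.exe (MiniDump Tool)
/usr/sbin/xfs-healthcheck (resocks)

IP addresses and URLs:
45.11.181[.]152 — netstaticpoints[.]com — CobInt C2
169.150.197[.]10 — SurfShark VPN
91.142.73[.]178 — VDSINA-NET
185.231.155[.]124 — VDSINA-NET
"""

HASH_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")
# Defanged host names only: at least one "[.]" and an alphabetic TLD, so IPs never match.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\[\.\][a-z0-9-]+)*\[\.\][a-z]{2,}\b", re.I)


def refang(s):
    """Turn the published 'a[.]b' form back into a real address for matching."""
    return s.replace("[.]", ".")


def normalize_path(p):
    """Lower-case and replace the Cyrillic 'С' (U+0421) that copied IoC lists
    sometimes carry in place of the Latin drive letter 'C'."""
    return p.replace("\u0421", "C").lower()


def parse_iocs(text):
    iocs = {"sha256": {}, "ip": {}, "domain": set(), "path": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                     # "SHA256:", "File paths:", ...
            section = line[:-1].lower()
            continue
        parts = [p.strip() for p in line.split("—")]
        if section == "sha256":
            m = HASH_RE.search(parts[0])
            if m:
                iocs["sha256"][m.group(1).lower()] = parts[1] if len(parts) > 1 else "unknown"
        elif section.startswith("ip"):
            for m in IP_RE.finditer(parts[0]):
                iocs["ip"][refang(m.group(0))] = " / ".join(refang(p) for p in parts[1:])
            for m in DOMAIN_RE.finditer(line):
                iocs["domain"].add(refang(m.group(0)))
        elif section.startswith("file"):
            iocs["path"].add(normalize_path(parts[0].split(" (")[0]))
    return iocs


def scan_auth_log(lines, iocs):
    """VPN auth lines in a constructed 'ts vpn user=<u> src=<ip> result=<r>' format."""
    hits = []
    for ln in lines:
        m = re.search(r"src=(\d{1,3}(?:\.\d{1,3}){3})", ln)
        if m and m.group(1) in iocs["ip"]:
            hits.append((m.group(1), iocs["ip"][m.group(1)], ln))
    return hits


def scan_file_events(events, iocs):
    """events: (path, sha256) pairs from a constructed EDR file inventory."""
    hits = []
    for path, digest in events:
        reasons = []
        if digest.lower() in iocs["sha256"]:
            reasons.append("hash:" + iocs["sha256"][digest.lower()])
        if normalize_path(path) in iocs["path"]:
            reasons.append("path")
        if reasons:
            hits.append((path, reasons))
    return hits


# Constructed sample telemetry (not from any real incident).
AUTH_LOG = [
    "2024-12-03T02:14:09Z vpn user=contractor.svc src=91.142.73.178 result=success",
    "2024-12-03T08:02:41Z vpn user=jdoe src=10.20.30.40 result=success",
    "2024-12-03T09:11:12Z vpn user=contractor.svc src=185.231.155.124 result=success",
]
FILE_EVENTS = [
    (r"C:\ProgramData\oracle\dismcore.dll",
     "01fba22c3e6cf11805afe4ba2f7c303813c83486e07b2b418bf1b3fabfd2544e"),
    (r"C:\ProgramData\1C\AllInOne2023\XenAllPasswordPro.exe", "0" * 64),  # placeholder hash
    (r"C:\Windows\System32\notepad.exe", "ff" * 32),                        # placeholder hash
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for ip, desc, line in scan_auth_log(AUTH_LOG, iocs):
        print(f"VPN login from listed address {ip} ({desc}): {line}")
    for path, reasons in scan_file_events(FILE_EVENTS, iocs):
        print(f"file indicator match {path}: {', '.join(reasons)}")
```

Path matching is case-insensitive because the post lists the same XenAllPasswordPro location in two capitalisations, and the Cyrillic-to-Latin fix exists because several of the published paths carry a Cyrillic drive letter that would otherwise never match a real Windows path. A VPN hit on a contractor account from one of the hosting-provider addresses is exactly the initial-access pattern the post describes, so it deserves a higher severity than a lone hash match on a commodity tool.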
