A threat group tracked as Crypto24 is attacking large organizations across the U.S., Europe, and Asia, aiming at finance, manufacturing, entertainment, and technology firms. First discussed publicly on security forums in September 2024, the group has since shown mature tradecraft, according to researchers monitoring its campaigns.
How they gain and keep access
After breaking in, the attackers enable built-in administrator accounts on Windows machines or create new local admins to keep a quiet foothold. They run a scripted recon phase that lists user accounts, profiles hardware, and maps disks. For persistence, they add malicious Windows services and scheduled tasks, most notably:
WinMainSvc: a keylogger that pretends to be “Microsoft Help Manager,” recording active window titles and keystrokes (including Ctrl/Alt/Shift and function keys).
MSRuntime: a loader that later launches the file-encrypting payload.
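As an added example that is not from the article or its researchers, the following PowerShell hunt checks a Windows host for the persistence artifacts described above: the WinMainSvc and MSRuntime service/task names and the "Microsoft Help Manager" display name come from the article; the 7-day account window and the event-log lookups are the author's assumptions about how a defender would scope the check.

```powershell
# Added hunting script (not Crypto24 tooling): look for the service, scheduled-task
# and local-account changes the article attributes to the group.
$names   = @('WinMainSvc', 'MSRuntime')          # names reported in the article
$display = 'Microsoft Help Manager'              # keylogger's claimed display name
$pattern = ($names + $display) -join '|'
$findings = New-Object System.Collections.Generic.List[object]

# 1. Installed services matching the reported names or display name.
Get-CimInstance Win32_Service |
  Where-Object { $names -contains $_.Name -or $_.DisplayName -eq $display } |
  ForEach-Object {
    $findings.Add([pscustomobject]@{ Type='Service'; Name=$_.Name; Detail=$_.PathName; State=$_.State })
  }

# 2. Scheduled tasks reusing the same names; record what each task executes.
Get-ScheduledTask -ErrorAction SilentlyContinue |
  Where-Object { $names -contains $_.TaskName } |
  ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add([pscustomobject]@{ Type='ScheduledTask'; Name=$_.TaskName; Detail=$cmd; State=$_.State })
  }

# 3. Built-in Administrator (RID 500) enabled, or local admins touched recently.
#    The 7-day window is an assumed tuning value, not something the article states.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
  Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
  ForEach-Object { $_.Name.Split('\')[-1] }
Get-LocalUser | Where-Object {
    ($_.SID.Value -like 'S-1-5-21-*-500' -and $_.Enabled) -or
    ($_.Enabled -and $admins -contains $_.Name -and $_.PasswordLastSet -gt (Get-Date).AddDays(-7))
  } | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type='LocalAdmin'; Name=$_.Name; Detail=$_.SID.Value; State=$_.PasswordLastSet })
  }

# 4. Service-install (System 7045) and task-creation (Security 4698, needs auditing
#    enabled) events mentioning the same names, to date the activity.
foreach ($f in @(@{LogName='System'; Id=7045}, @{LogName='Security'; Id=4698})) {
  Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
      $findings.Add([pscustomobject]@{ Type="Event$($_.Id)"; Name=$_.TimeCreated; Detail=$_.Message.Split("`n")[0]; State=$_.LogName })
    }
}

if ($findings.Count -eq 0) { 'No Crypto24-style persistence artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it elevated; a hit on any of the four checks is a trigger for isolating the host and pulling the referenced binaries, not proof of compromise on its own, since the names are attacker-chosen and trivially changed.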
How they bypass security tools
Crypto24 deploys a customized version of the open-source RealBlindingEDR utility to neutralize endpoint detection and response (EDR) products. The tool reads a driver’s metadata to extract the vendor name, compares it to a built-in list, and, on a match, tampers with kernel callbacks/hooks to “blind” detections. Vendors targeted include Trend M
[…]