Malware

Sophisticated CrySome RAT examined

Windows environments are at risk of significant compromise with the new, advanced CrySome remote access trojan, which integrates antivirus-killing and hidden virtual desktop control capabilities with post-exploitation tooling, GBHackers News reports.

Attacks with CrySome commence with the delivery of an executable using Costura.Fody for dependency embedding, which triggers a bootstrap phase that creates the command-and-control channel and ensures persistence before prompting a continuous network loop for packet processing and the eventual injection of the RAT, according to CYFIRMA researchers. Apart from featuring PowerShell command execution and file uploading, downloading, and removal features, CrySome RAT also conducts process enumeration and comprehensive system profiling, while allowing HVNC sessions, keylogging, Chromium-based credential and cookie exfiltration, and webcam compromise.

Further examination of CrySome RAT revealed a multi-layered persistence design composed of registry startup entries, scheduled tasks, and recovery partition exploitation. Researchers also observed CrySome RAT to include an AVKiller module that deactivated Microsoft Defender, Avast, CrowdStrike, SentinelOne, ESET, and Kaspersky tools.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds