This script executes a 1-liner PowerShell code that executes the described Microsoft.ps1 above. vbs file to the victim’s “startup” directory.
If configured by the user (actor), persistence is achieved by downloading and saving a.Usually, this file will refer either to an AV bypass or server.txt depends on the version/configuration. The name of the saved file, which is also one of the focal fingerprints for this crypter, is ‘Microsoft.ps1’.Usually, it can be identified by the author fingerprint, which names the code`s function “HBar.” This stage’s purpose is to set up persistence along with downloading, saving, and executing the next stage on the victim’s host. Its purpose is to elevate the execution flow to PowerShell and get the additional code by downloading it from a user-defined custom URL (the user here is the ‘actor’ who uses the crypter).įigure 3: Encoding.txt example The Second HCrypt Stage: ALL.txt This is usually the first stage execution (sometimes wrapped in a. txt file names mentioned in the diagram and within this blog refers to the specific stage internal name within the crypter application (this will be presented later). The above diagram covers the main Crypter functionality for several versions that we have observed since Jan 2021. Within all of its versions, the crypter maintains the same execution flow with different code tweaks in an attempt to avoid detection by AV.
Along the way, the actors and the author use free accessible code and file sharing services such as, , and. Net reflective loader which loads the RAT of choice. The next stages involve persistence and AV evasion through PowerShell, and then the final stage consists of a standard. hta file execution described as Encoding.txt. Although the initial access infection vector is missing, we have identified cases in which a VBS code is executed that leads to an. Our description of the attack chain flow follows the artifacts that are known to us. Technical Introductionįigure 2: Summarized loader execution flow This results in many groups putting forward the bare-minimum effort required to execute sophisticated malware campaigns. As a result, more financially motivated threat actors can adopt better attacks if they have the money to spend. The crypter-as-a-service model is indicative of the trend toward malware authors creating and selling code to other groups with less technical sophistication. We chose to dissect the crypter’s operations along with tracking several actors that utilize it.įigure 1: The logo from the crypter interface In this post, we will lockpick “HCrypt” – a crypter as a service that is marketed as a FUD (fully undetectable) loader for the client`s RAT of choice. During 2021 Morphisec identified an increased usage of the “ HCrypt” crypter.