Current Cyber Threats

The Ghost in the Machine: Unmasking CrazyHunter's Stealth Tactics

Summary:
CrazyHunter is a sophisticated, Go-based ransomware threat, definitively identified as a fork of Prince ransomware, that is currently targeting the healthcare sector in Taiwan, with at least six confirmed compromises to date. The group uses a highly technical attack chain that begins with the exploitation of weak Active Directory credentials, followed by lateral movement via SharpGPOAbuse to distribute payloads through Group Policy Objects (GPOs). To neutralize endpoint defenses, CrazyHunter executes a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack using a modified Zemana anti-malware driver (zam64.sys). A tactic newly observed by Trellix is the use of a batch script (ru.bat) as the orchestrator that launches every ransomware component, including AV-killer binaries and a "Donut" loader that injects shellcode directly into memory; this fileless execution evades disk-based detection before ChaCha20 and ECIES encryption begins. The threat actors also leverage a dual-purpose tool that can turn a compromised machine into a file server and also act as a file-monitoring and deletion tool. They maintain a data leak site and communicate via Telegram (@Magic13377) and ProtonMail to facilitate victim extortion.

Security Officer Comments:
CrazyHunter's choice of Go for its ransomware illustrates how much modern ransomware groups value easy cross-platform compatibility. Its "living-off-the-land" and BYOVD-centric attack chain against a high-value sector such as healthcare shows a focus on extending dwell time to achieve deeper compromise and greater damage. The threat actors demonstrate their sophistication by using compromised Active Directory credentials to weaponize Group Policy Objects via SharpGPOAbuse for lateral propagation, while concurrently neutralizing endpoint detection through the abuse of a vulnerable Zemana driver (zam64.sys). This campaign is distinguished by its multi-stage batch orchestration (ru.bat), which deploys dedicated "AV-killer" binaries and a Donut loader for fileless, in-memory shellcode execution, then runs a ChaCha20/ECIES encryption routine and establishes persistence for data exfiltration and double extortion.

Suggested Corrections:
IOCs: https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/

Fortifying your defenses: A CISO's guide to neutralizing CrazyHunter ransomware - Trellix
Secure Active Directory (AD): Enforce MFA for all domain accounts and strictly control GPO modification rights to prevent credential theft and payload distribution via SharpGPOAbuse.

Neutralize Evasion Tactics: Utilize EDR capabilities to counter AV killers and ransomware payloads, and block the execution of BYOVD attacks that exploit vulnerable drivers for privilege escalation and security termination.

Ensure Robust Recovery: Implement a proper backup strategy (offsite/offline) to ensure backups are immutable and inaccessible to the ransomware, and regularly test the incident response plan for effective post-attack recovery.

Restrict Lateral Movement: Use network segmentation and strict access controls to limit the ransomware's rapid propagation capability across the network, particularly by preventing widespread deployment through compromised AD credentials and GPOs.
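The GPO-hardening and BYOVD-blocking recommendations above translate into a few concrete detections. The following Python script is an added example (not Trellix code and not part of the original brief) that runs simple rules over constructed Windows telemetry: Sysmon Event ID 6 (driver loaded) for the zam64.sys driver named in the summary, Sysmon Event ID 1 (process creation) for the ru.bat orchestrator and SharpGPOAbuse, and Security Event ID 5136 (directory service object modified) for GPO edits by accounts outside an allowlist. The log format, host names, account names (jdoe, gpo-admin), file paths and the GPO_EDITORS allowlist are all assumptions for the demonstration; real SIEM field names will differ and the parser should be adapted accordingly.

```python
"""Detection rules for the CrazyHunter kill chain (added example, not Trellix code).

Sample log lines below are constructed for this demonstration. Field names follow
a simplified key=value layout; adapt parse_event() to your SIEM's real schema.
"""
import re
from collections import defaultdict

# Constructed telemetry. Event IDs: Sysmon 1 (process create), Sysmon 6 (driver
# loaded), Windows Security 5136 (directory service object modified).
SAMPLE_LOGS = [
    'EventID=5136 Host=dc01 SubjectUserName=jdoe ObjectClass=groupPolicyContainer '
    'ObjectDN="CN={EXAMPLE-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"',
    'EventID=1 Host=dc01 Image="C:\\Users\\jdoe\\Downloads\\SharpGPOAbuse.exe" SubjectUserName=jdoe',
    'EventID=1 Host=ws07 Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c C:\\ProgramData\\ru.bat"',
    # The Zemana driver carries a valid signature, so signature checks alone do not
    # catch it; match on the driver name (or hash / vendor blocklist) instead.
    'EventID=6 Host=ws07 ImageLoaded="C:\\ProgramData\\zam64.sys" Signed=true',
    'EventID=6 Host=ws02 ImageLoaded="C:\\Windows\\System32\\drivers\\ndis.sys" Signed=true',
    'EventID=5136 Host=dc01 SubjectUserName=gpo-admin ObjectClass=groupPolicyContainer '
    'ObjectDN="CN={EXAMPLE-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"',
    'EventID=1 Host=ws02 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
]

# Assumed allowlist: the only accounts expected to modify GPOs in this environment.
GPO_EDITORS = {"gpo-admin"}

# Matches key=value pairs; values may be double-quoted to allow spaces and commas.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def evaluate(event):
    """Apply the per-event rules; return (severity, reason) or None if benign."""
    eid = event.get("EventID")
    if eid == "6":  # driver load: BYOVD stage
        driver = event.get("ImageLoaded", "").lower()
        if driver.endswith("zam64.sys"):
            return ("high", "BYOVD: vulnerable Zemana driver zam64.sys loaded")
        if not driver.startswith(r"c:\windows\system32\drivers"):
            return ("medium", f"driver loaded from unusual path: {driver}")
    elif eid == "1":  # process creation: orchestrator / GPO tooling stage
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        if "sharpgpoabuse" in image or "sharpgpoabuse" in cmd:
            return ("high", "GPO abuse tooling (SharpGPOAbuse) executed")
        if re.search(r"\bru\.bat\b", cmd):
            return ("high", "orchestrator batch script ru.bat executed")
    elif eid == "5136":  # directory object modified: GPO weaponization stage
        if event.get("ObjectClass") == "groupPolicyContainer":
            user = event.get("SubjectUserName", "")
            if user not in GPO_EDITORS:
                return ("high", f"GPO modified by unexpected account: {user}")
    return None


def correlate(lines):
    """Run the rules over all lines and escalate hosts showing more than one stage."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        finding = evaluate(event)
        if finding:
            hits[event.get("Host", "?")].append(finding)
    report = {}
    for host, findings in hits.items():
        # Two independent kill-chain stages on one host is stronger evidence than either alone.
        severity = "critical" if len(findings) > 1 else findings[0][0]
        report[host] = {"severity": severity, "findings": [reason for _, reason in findings]}
    return report


if __name__ == "__main__":
    for host, entry in correlate(SAMPLE_LOGS).items():
        print(f"{host}: {entry['severity']}")
        for reason in entry["findings"]:
            print(f"  - {reason}")
```

The rule set is deliberately narrow: it keys on the specific artifacts the brief names (zam64.sys, ru.bat, SharpGPOAbuse) plus the generic signals behind them (a driver loaded from outside the system drivers directory, a GPO edited by a non-designated account). In production the driver check should be backed by a maintained vulnerable-driver blocklist rather than a single file name, and the GPO allowlist should be derived from the delegation you actually enforce in AD.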

Link(s):
https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/