CrackedCantil: a malware symphony delivered by cracked software; performed by loaders, infostealers, ransomware, et al.

Wednesday 2 October 14:00 - 14:30, Red room

Lena Yu (ANY.RUN)

The digital landscape teems with diverse malware families, each engineered with distinct capabilities – ranging from data theft, deployment of additional malicious payloads, to destruction of data and more.

Yet, beneath their varied functionalities, these pieces of malware may unite in a complex and orchestrated performance, functioning in concert to unleash potent malware infections. This intricate interplay, which I term a “malware symphony”, mirrors the harmonious collaboration of instruments in an orchestra, where each contributes its unique timbre to the overall composition.

A prime exemplar of such orchestrated cyber malevolence is the CrackedCantil campaign – a moniker derived from its roots in cracked software and its analogy to the venomous Cantil viper. This campaign stands out for its collaborative use of numerous distinct families of malware, including PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz and STOP.

This specific CrackedCantil campaign was staged on Google Groups, and the ticket to this malware symphony was delivered by cracked software.

In the grand composition of the CrackedCantil symphony, the initial overture is masterfully executed by loaders such as PrivateLoader and Smoke. These serve as the maestros, setting the stage and tempo for the ensuing performance, by seamlessly facilitating the intrusion of various notorious malware into the system. Their role is pivotal, as they cue the entrance of the ensemble, ensuring each malware is perfectly positioned for their part in this dark opus.

As the symphony progresses into its first movement, a cadre of infostealers – Lumma, RedLine, RisePro, Amadey and Stealc – take centre stage. Like virtuoso soloists, they deftly navigate through the system's defences, extracting sensitive data with precision. Their performance is both intricate and devastating, leaving no stone unturned in their quest to pilfer every piece of valuable information.

Simultaneously, the proxy bot malware Socks5Systemz assumes the role of the chorale, subtly transforming the infected system into a proxy botnet. This collective force operates in the background, supporting the soloists by expanding the attack's reach and complexity, much like a chorus enriches a symphony's depth.

The final movement is heralded by the ransomware STOP, delivering a dramatic finale. This malevolent force acts as the crescendo of the campaign, encrypting the victim's files with a potency that demands a ransom for their release. It's a climactic end to a meticulously orchestrated performance, leaving the audience – in this case, the victims – in a state of shock and despair.

This presentation delves deep into the CrackedCantil campaign's symphonic structure, analysing how each malware component contributes to a harmonious yet malicious concert designed to compromise and exploit systems with unparalleled sophistication.

CrackedCantil Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil

 


Lena-Yu.jpg

Lena Yu

Lena is a malware analyst and researcher from Japan, and the author of the ANY.RUN malware analysis articles. She has investigated several cyber threats including the Roaming Mantis Smishing Campaigns, IPFS phishing campaigns and international scam operations, and has written numerous articles for open-source education. She has also created the MARC I (Malware Analysis Report Competition), fostering contributions to open-source education in malware analysis.

She has spoken at events such as IEICE Technical Committee on Computer Systems, AVTokyo, Nippon CSIRT Association and BSides, on topics related to computer systems, phishing, malware analysis, and threat hunting. Additionally, she has played a role in organizing and teaching at various cybersecurity events. Before venturing into malware analysis, Lena was a low-level developer specializing in computer architecture and RISC-V TEE research.

@LambdaMamba; LambdaMamba.com

Back to VB2024 Programme page

Back to VB2024 conference page

Register for VB2024

Other VB2024 papers

Android Flutter malware

VB2024 paper: Android Flutter malware, Axelle Apvrille

CeranaKeeper: a relentless shape-shifting group targeting Thailand

VB2024 paper: CeranaKeeper: a relentless shape-shifting group targeting Thailand, Romain Dumont

A wild RAT appears: reversing DinodasRAT on Linux

VB2024 paper: A wild RAT appears: reversing DinodasRAT on Linux, Anderson Leite & Fabio Marenghi

Reviewing the 2022 KA-SAT incident & implications for distributed communication environments

VB2024 paper: Reviewing the 2022 KA-SAT incident & implications for distributed communication environments, Joe Slowik

Dark deals: unveiling the underground market of exploits

VB2024 paper: Dark deals: unveiling the underground market of exploits, Anna Pavlovskaia

SO that looks suspicious: leveraging process memory and kernel/usermode probes to detect Shared Object injection at scale on Linux

VB2024 presentation: SO that looks suspicious: leveraging process memory and kernel/usermode probes to detect Shared Object injection at scale on Linux, Daniel Jary

P-wave of malicious code signing

VB2024 paper: P-wave of malicious code signing, Yuta Sawabe, Shogo Hayashi & Rintaro Koike

Project 0xA11C: deoxidizing the Rust malware ecosystem

VB2024 paper: Project 0xA11C: deoxidizing the Rust malware ecosystem, Nicole Fishbein & Juan Andrés Guerrero-Saade

Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor

VB2024 paper: Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor, Salim Bitam

Leveraging AI to enhance the capabilities of SHAREM Shellcode Analysis Framework

VB2024 paper: Leveraging AI to enhance the capabilities of SHAREM Shellcode Analysis Framework, Bramwell Brizendine

Automatically detect and support against anti-debug with IDA/Ghidra to streamline debugging process

VB2024 paper: Automatically detect and support against anti-debug with IDA/Ghidra to streamline debugging process, Takahiro Takeda

Go-ing arsenal: a closer look at Kimsuky’s Go strategic advancement

VB2024 paper: Go-ing arsenal: a closer look at Kimsuky’s Go strategic advancement, Jiho Kim, Sebin Lee & Sojun Ryu

Cybercrime turned cyber espionage: the many faces of the RomCom group

VB2024 paper: Cybercrime turned cyber espionage: the many faces of the RomCom group, Vlad Stolyarov & Dan Black

Don't be a PUP-pet: exposing pay-per-install networks

VB2024 paper: Don't be a PUP-pet: exposing pay-per-install networks, Dmitrij Lenz & James Wyke

Ghosts from the past: become Gh0stbusters in 2024

VB2024 paper: Ghosts from the past: become Gh0stbusters in 2024, Hiroshi Takeuchi

Shadow play: WildCard's malware campaigns amidst Israel-Hamas conflict

VB2024 paper: Shadow play: WildCard's malware campaigns amidst Israel-Hamas conflict, Nicole Fishbein & Ryan Robinson

Supercharge your malware analysis workflow

VB2024 paper: Supercharge your malware analysis workflow, Kevin Hardy-Cooper & Ryan Samaroo

From code to crime: exploring threats in GitHub Codespaces

VB2024 paper: From code to crime: exploring threats in GitHub Codespaces, Jaromir Horejsi & Nitesh Surana

The Mask has been unmasked again

VB2024 paper: The Mask has been unmasked again, Georgy Kucherin & Marc Rivero López

CrackedCantil: a malware symphony delivered by cracked software; performed by loaders, infostealers, ransomware, et al.

VB2024 paper: CrackedCantil: a malware symphony delivered by cracked software; performed by loaders, infostealers, ransomware, et al., Lena Yu

Who plays on AZORult? An unknown attacker collects various data and spreads additional payloads with AZORult for around 5 years

VB2024 paper: Who plays on AZORult? An unknown attacker collects various data and spreads additional payloads with AZORult for around 5 years, Masaki Kasuya

Confronting the surge of macOS stealers in 2024

VB2024 paper: Confronting the surge of macOS stealers in 2024, Kseniia Yamburh & Mykhailo Hrebeniuk

Code blue: energy

VB2024 paper: Code blue: energy, Righard Zwienenberg & Josep Albors

Marketplace scams: neanderthals hunting mammoths with Telekopye

VB2024 paper: Marketplace scams: neanderthals hunting mammoths with Telekopye, Jakub Souček & Radek Jizba

Multimodal AI: the sixth sense for cyber defence

VB2024 paper: Multimodal AI: the sixth sense for cyber defence, Younghoo Lee

Down the GRAYRABBIT hole - exposing UNC3569 and its mastermind

VB2024 paper: Down the GRAYRABBIT hole - exposing UNC3569 and its mastermind, Steve Su, Aragorn Tseng, Chi-Yu You (YCY) & Cristiana Brafman Kittner

Hospitals, airports and telcos - modern approach to attributing hacktivism attacks

VB2024 paper: Hospitals, airports and telcos - modern approach to attributing hacktivism attacks, Itay Cohen

Breaking boundaries: investigating vulnerable drivers and mitigating risks

VB2024 paper: Breaking boundaries: investigating vulnerable drivers and mitigating risks, Jiří Vinopal

Life and DEaTH: building detection, forensics, and intelligence at scale

VB2024 paper: Life and DEaTH: building detection, forensics, and intelligence at scale, Selena Larson & Konstantin Klinger

Workshop: Writing malware configuration parsers

VB2024 Workshop: Writing malware configuration parsers, Mark Lim & Zong-Yu Wu

Unveiling shadows: key tactics for tracking cyber threat actors, attribution, and infrastructure analysis

VB2024 paper: Unveiling shadows: key tactics for tracking cyber threat actors, attribution, and infrastructure analysis

Open by default: the hidden cost of convenience in network security

VB2024 paper: Open by default: the hidden cost of convenience in network security, Aurelio Picon

Octopus Prime: it didn't turn into a truck, but a widely spread Android botnet

VB2024 paper: Octopus Prime: it didn't turn into a truck, but a widely spread Android botnet, Thibault Seret

Modern-day witchcraft: a new breed of hybrid attacks by ransomware operators

VB2024 paper: Modern-day witchcraft: a new breed of hybrid attacks by ransomware operators, Vaibhav Deshmukh, Ashutosh Raina & Sudhanshu Dubey

Unveiling the dark side of set-top boxes: the Bigpanzi cybercrime syndicate

VB2024 paper: Unveiling the dark side of set-top boxes: the Bigpanzi cybercrime syndicate, Alex Turing

SPYDEALER used for mobile Chinese domestic surveillance

VB2024 paper: SPYDEALER used for mobile Chinese domestic surveillance, Paul Rascagneres & Charles Gardner

Arming WinRAR: deep dive into APTs exploiting WinRAR’s 0-day vulnerability - a SideCopy case study

VB2024 paper: Arming WinRAR: deep dive into APTs exploiting WinRAR’s 0-day vulnerability - a SideCopy case study, Sathwik Ram Prakki

Over the cassowary’s nest - dissecting Turla’s latest revision of the Kazuar backdoor

VB2024 paper: Over the cassowary’s nest - dissecting Turla’s latest revision of the Kazuar backdoor, Daniel Frank & Tom Fakterman

TA577 walked just past you: indirect syscalls in Pikabot

VB2924 paper: TA577 walked just past you: indirect syscalls in Pikabot, Emre Güler

An open-source cloud DFIR kit - Dredge!

VB2024 paper: An open-source cloud DFIR kit - Dredge!, Santiago Abastante

Byteing back: detection, dissection and protection against macOS stealers

VB2024 paper: Byteing back: detection, dissection and protection against macOS stealers, Patrick Wardle

Extending STIX 2.1 to capture malware incidents

VB2024 paper: Extending STIX 2.1 to capture malware incidents, Desiree Beck

Spot the difference: Earth Kasha's new LODEINFO campaign and the correlation analysis with APT10 umbrella

VB2024 paper: Spot the difference: Earth Kasha's new LODEINFO campaign and the correlation analysis with APT10 umbrella, Hiroaki Hara

How to hunt geopolitically driven Bitter APT operations

VB2024 paper: How to hunt geopolitically driven Bitter APT operations, Shengbin Bao

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.