Wednesday 2 October 14:00 - 14:30, Red room
Lena Yu (Independent researcher)
The digital landscape teems with diverse malware families, each engineered with distinct capabilities – ranging from data theft and the deployment of additional malicious payloads to the destruction of data, and more.
Yet, beneath their varied functionalities, these pieces of malware may unite in a complex and orchestrated performance, functioning in concert to unleash potent malware infections. This intricate interplay, which I term a “malware symphony”, mirrors the harmonious collaboration of instruments in an orchestra, where each contributes its unique timbre to the overall composition.
A prime exemplar of such orchestrated cyber malevolence is the CrackedCantil campaign – a moniker derived from its roots in cracked software and its analogy to the venomous Cantil viper. This campaign stands out for its collaborative use of numerous distinct families of malware, including PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz and STOP.
This specific CrackedCantil campaign was staged on Google Groups, and the ticket to this malware symphony was delivered by cracked software.
In the grand composition of the CrackedCantil symphony, the initial overture is masterfully executed by loaders such as PrivateLoader and Smoke. These serve as the maestros, setting the stage and tempo for the ensuing performance, by seamlessly facilitating the intrusion of various notorious malware into the system. Their role is pivotal, as they cue the entrance of the ensemble, ensuring each malware is perfectly positioned for their part in this dark opus.
As the symphony progresses into its first movement, a cadre of infostealers – Lumma, RedLine, RisePro, Amadey and Stealc – takes centre stage. Like virtuoso soloists, they deftly navigate through the system's defences, extracting sensitive data with precision. Their performance is both intricate and devastating, leaving no stone unturned in their quest to pilfer every piece of valuable information.
Simultaneously, the proxy bot malware Socks5Systemz assumes the role of the chorale, subtly transforming the infected system into a proxy botnet. This collective force operates in the background, supporting the soloists by expanding the attack's reach and complexity, much like a chorus enriches a symphony's depth.
The final movement is heralded by the ransomware STOP, delivering a dramatic finale. This malevolent force acts as the crescendo of the campaign, encrypting the victim's files with a potency that demands a ransom for their release. It's a climactic end to a meticulously orchestrated performance, leaving the audience – in this case, the victims – in a state of shock and despair.
This presentation delves deep into the CrackedCantil campaign's symphonic structure, analysing how each malware component contributes to a harmonious yet malicious concert designed to compromise and exploit systems with unparalleled sophistication.
CrackedCantil Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil
Lena Yu, aka LambdaMamba, has investigated several cyber threats, including the Roaming Mantis smishing campaigns, IPFS phishing campaigns, and the Snake keylogger, and has written numerous articles for open-source education. She also created the MARC I (Malware Analysis Report Competition) at DEF CON 32, fostering contributions to open-source education in malware analysis, and co-founded the Malware Village at HITCON. Additionally, she created the Malware Monsters, aka Malmons, project. She has spoken at events such as the IEICE Technical Committee on Computer Systems, AVTokyo, the Nippon CSIRT Association, and BSides Vancouver on topics related to computer systems, phishing, malware analysis, and threat hunting. Additionally, she has played a role in organizing and teaching at various cybersecurity events. Before venturing into malware analysis, Lena was a low-level developer specializing in computer architecture and RISC-V TEE research.