| CypherIT | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | Unknown |
| Date of initial activity | 2023 |
| Targeted Countries | Russia |
| Associated Groups | Sticky Werewolf |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
CypherIT, a potent and versatile crypter, has emerged as a critical component in various cybercriminal operations, enabling attackers to deliver malicious payloads while evading detection. Originally developed as a commercial tool for legitimate purposes, CypherIT has since found its way into the hands of threat actors who have repurposed it to obfuscate and protect their malware from antivirus solutions and security systems. Its ability to bypass traditional security measures makes it a preferred choice among cybercriminals, and its presence in attack chains is a red flag for sophisticated, stealthy threats.
The evolution of CypherIT over the years has seen it transition from a straightforward tool into a more complex and resilient crypter. It has been widely observed in various campaigns, used by multiple threat actors to deliver a range of malware, from remote access trojans (RATs) to data stealers. The crypter’s functionality allows it to wrap malicious payloads in layers of encryption and compression, effectively hiding them from signature-based detection methods. This capability not only delays detection but also complicates the analysis process for cybersecurity professionals attempting to dissect and understand the malware.
Targets
Public Organizations in Russia and Belarus: Sticky Werewolf's early activities focused on public sector entities in these countries, suggesting an interest in geopolitical intelligence or local governmental affairs.
Pharmaceutical Companies: The group has targeted pharmaceutical firms, potentially aiming to access sensitive research data, proprietary information, or intellectual property related to medical advancements.
Research Institutes: Particularly those involved in microbiology and vaccine development. This indicates a focus on scientific and technological advancements, possibly for espionage or competitive advantage.
Aerospace Industry: Recent campaigns have targeted organizations in the aerospace sector, including companies involved in the production and maintenance of aircraft and spacecraft. This reflects a strategic interest in aerospace technologies and defense-related information.
Defense Sector: The group's operations have also extended to defense-related entities, aligning with its broader geopolitical and espionage objectives.
How they operate
The operation of CypherIT begins with the obfuscation of the malicious code. When an attacker decides to deploy malware, they first pass the payload through CypherIT, which encrypts or otherwise obscures the code. This process can involve several layers of encryption, compression, or other techniques that hide the true nature of the code from analysis tools. The crypter may also inject junk code, which further complicates the reverse engineering process. The resulting output is an executable or script that appears harmless to security software but is, in reality, a weaponized piece of malware ready to be deployed on target systems.
Once the obfuscated payload is delivered to a victim’s system, the decryption and execution process begins. The CypherIT-protected file often includes a loader, a small piece of code that runs when the file is executed. This loader is responsible for decrypting the malicious payload in memory, rather than on disk, which further reduces the chances of detection. Once decrypted, the actual malware is executed, allowing it to perform its intended malicious activities, such as stealing data, encrypting files for ransom, or providing remote access to the attacker.
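The on-disk artefact described in the two paragraphs above, a small loader stub in front of an encrypted or compressed payload, can be triaged with a windowed entropy scan: ciphertext and compressed data have a near-uniform byte distribution, while code and strings do not. This is the same property the Defense Evasion entry (T1027) under MITRE Tactics and Techniques refers to. The script below is an added example written for this page; it is not code from CypherIT, from Sticky Werewolf's tooling or from the original article. The "file" it scans is constructed inside the script (a repetitive stub followed by a SHA-256 chain standing in for ciphertext), and the 1024-byte window and 7.2-bit threshold are assumed triage parameters, not values from the page.

```python
"""Entropy triage for crypter-packed files (added example, constructed sample data)."""
from __future__ import annotations

import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list[float]:
    """Entropy of each consecutive fixed-size window (the last window may be shorter)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def suspicious_regions(data: bytes, window: int = 1024, threshold: float = 7.2) -> list[tuple[int, float]]:
    """(offset, entropy) of every window whose entropy suggests encrypted or compressed content."""
    return [(i * window, e) for i, e in enumerate(windowed_entropy(data, window)) if e >= threshold]


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an encrypted payload."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample "file": a low-entropy stub (a few x86-like prologue bytes, NOP padding and an
# ASCII string, repeated) followed by a high-entropy blob standing in for the wrapped payload.
STUB = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 200 + b"This program cannot be run in DOS mode\r\n") * 12
PACKED_BLOB = _pseudo_random(4096)
SAMPLE_FILE = STUB + PACKED_BLOB


def triage(data: bytes) -> dict:
    """Summarise a buffer: size, whole-file entropy, and where the first high-entropy window starts."""
    regions = suspicious_regions(data)
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": len(regions),
        "first_suspicious_offset": regions[0][0] if regions else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FILE))
```

The offset of the first high-entropy window is useful on its own: a stub that is a few kilobytes of ordinary code followed by one large uniform region is the typical shape of a crypter output, whereas legitimate installers and self-extracting archives usually show the same shape too, so treat the score as a triage signal to combine with other indicators (signer, origin, behaviour on execution) rather than as a verdict.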
CypherIT’s ability to evade detection is further enhanced by its use of various techniques to avoid sandboxing and analysis by security researchers. For example, it may include checks to determine if the malware is running in a virtual machine or sandbox environment, which are commonly used by analysts to study malware behavior. If such an environment is detected, the malware may alter its behavior, terminate itself, or remain dormant, thus preventing analysts from uncovering its true capabilities.
In addition to its primary function of defense evasion, CypherIT can also aid in establishing persistence on the victim’s system. After the initial payload is decrypted and executed, it may create registry entries, schedule tasks, or use other methods to ensure that the malware remains active even after the system is rebooted. This persistence is crucial for long-term cyber espionage campaigns or sustained ransomware operations, where attackers need ongoing access to compromised systems.
MITRE Tactics and Techniques
Defense Evasion (T1070, T1027): CypherIT is primarily used for defense evasion by obfuscating malicious code and hiding the true nature of the payloads it delivers. This can involve various techniques like code obfuscation, encryption, and compression.
Execution (T1059, T1047): The payloads delivered by CypherIT often include scripts or binaries that execute malicious actions on the victim’s system. The execution of these payloads can occur through various methods, such as running scripts (e.g., PowerShell, batch files) or executing binaries.
Persistence (T1053): CypherIT may be used in malware that establishes persistence on the victim’s system. This can involve adding registry keys, creating scheduled tasks, or other mechanisms to ensure the malware continues to operate after reboots.
Command and Control (T1071): The final payloads delivered by CypherIT, such as Remote Access Trojans (RATs), may establish command and control channels with a remote server. This allows attackers to control the compromised system, exfiltrate data, or perform other malicious actions.
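The persistence and execution behaviours listed in the Persistence and Execution entries above, and in the "How they operate" section (registry autostart entries, scheduled tasks, script-based execution), each leave a distinct trace in endpoint telemetry. The script below is an added example written for this page, not code from the original article, from CypherIT or from Sticky Werewolf's tooling. It scans Sysmon-style JSON events (EventID 1 is process creation, EventID 13 is a registry value set; the field names Image, ParentImage, CommandLine, TargetObject and Details follow Sysmon's naming, but every record is constructed and contains no real indicators) and flags three patterns. The technique labels are my mapping to ATT&CK sub-techniques (T1053.005 Scheduled Task, T1059.001 PowerShell, T1547.001 Registry Run Keys); the page itself lists only the parent techniques T1053 and T1059.

```python
"""Detection logic for loader persistence/execution patterns (added example, constructed telemetry)."""
from __future__ import annotations

import json
import re

# Registry autostart locations: a value written under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# schtasks.exe invoked with /create.
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# PowerShell launched with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS_RE = re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Paths an unprivileged user can write to; a loader dropped by a phishing attachment usually runs from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed Sysmon-style events (values are made up, not real IoCs). One JSON object per log line.
_SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "WindowsUpdateCheck" /tr "C:\Users\alice\AppData\Roaming\upd\svc.exe"'},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\upd\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)


def _touches_user_path(*values: str) -> bool:
    """True if any of the given paths or command lines points into a user-writable location."""
    return any(USER_WRITABLE_RE.search(v or "") for v in values)


def detect(log_text: str) -> list[dict]:
    """One finding per matching event; severity is raised when a user-writable path is involved."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, never treated as a hit
        eid = ev.get("EventID")
        image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
        finding = None
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            finding = {"technique": "T1547.001", "reason": "value written to a Run/RunOnce key",
                       "user_path": _touches_user_path(image, ev.get("Details", ""))}
        elif eid == 1 and SCHTASKS_RE.search(cmd):
            finding = {"technique": "T1053.005", "reason": "scheduled task created via schtasks",
                       "user_path": _touches_user_path(parent, cmd)}
        elif eid == 1 and ENCODED_PS_RE.search(cmd):
            finding = {"technique": "T1059.001", "reason": "PowerShell launched with an encoded command",
                       "user_path": _touches_user_path(parent)}
        if finding:
            finding.update({"line": lineno, "image": image,
                            "severity": "high" if finding["user_path"] else "medium"})
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f['line']}: {f['technique']} [{f['severity']}] {f['reason']} ({f['image']})")
```

Run against the constructed log, the three events produced by the loader (lines 2 to 4) are reported at high severity because each involves a binary running from or pointing into the user's Temp or AppData folders, while the legitimate service, the unrelated registry write and the scripted backup are not reported. In production the same rules are usually expressed as Sigma or EDR queries, but the path-based severity bump is worth keeping wherever they live: legitimate software also creates Run keys and scheduled tasks, and the parent process and target path are what separate those from a phishing-delivered loader.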
Impact / Significant Attacks
Sticky Werewolf Campaigns (2023-2024): CypherIT was used in the operations of the Sticky Werewolf group, a threat actor known for its espionage and data exfiltration activities. In these campaigns, CypherIT played a crucial role in obfuscating the payloads, which included Remote Access Trojans (RATs) like Rhadamanthys Stealer and Ozone RAT. These attacks targeted critical sectors, including the aviation industry, and leveraged phishing emails with malicious attachments to gain initial access to targeted networks.
Ransomware Distribution Campaigns: CypherIT has been used in various ransomware distribution efforts, including those involving well-known ransomware families like Conti and LockBit. By encrypting the ransomware payloads, CypherIT helped attackers bypass security defenses, leading to successful encryption of victims’ data and subsequent ransom demands. These campaigns have impacted organizations across multiple industries, including healthcare, finance, and manufacturing.
APT Attacks on Critical Infrastructure: Advanced Persistent Threat (APT) groups have utilized CypherIT in attacks targeting critical infrastructure. These attacks often involve long-term espionage campaigns where the goal is to gather intelligence or disrupt operations. CypherIT’s ability to evade detection was instrumental in enabling these groups to maintain a foothold in compromised systems for extended periods.
Financial Sector Breaches: The financial sector has been a prime target for cybercriminals using CypherIT. In several incidents, CypherIT was employed to protect malware designed to steal banking credentials, siphon funds, or facilitate fraudulent transactions. These breaches often involved spear-phishing campaigns aimed at high-value targets within financial institutions.
Espionage Operations Against Government Entities: CypherIT has been linked to espionage operations targeting government entities and defense contractors. In these cases, the crypter was used to hide sophisticated spyware and RATs, allowing attackers to exfiltrate sensitive information over time. These operations have had significant geopolitical implications, as they often involved state-sponsored actors.