Trend Micro's latest research sheds light on Crypto24, a highly coordinated ransomware operation that blends legitimate administrative tools, advanced evasion techniques, and custom malware to infiltrate, persist, and steal from its victims before encrypting their systems. The group has been active against financial services, manufacturing, entertainment, and technology sectors across Asia, Europe, and the USA.
"Our analysis reveals that the threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact," the report states.
Crypto24 operators rely on a hybrid toolkit, using both legitimate IT utilities and purpose-built malicious payloads. Commonly abused tools include PSExec for lateral movement, AnyDesk for persistent remote access, and Google Drive for covert data exfiltration.
They also deploy keyloggers for credential harvesting and custom backdoors, while leveraging "a customized version of RealBlindingEDR" to disable endpoint protection. This variant is designed to selectively target security products from over two dozen vendors, including Trend Micro, Microsoft, Symantec, Kaspersky, and Fortinet.
Persistence is achieved through a mix of scheduled tasks, malicious Windows services, and privileged account creation. Trend Micro observed attackers reactivating default administrator accounts, creating generically named user accounts, and assigning them to both the Administrators and Remote Desktop Users groups.
Privilege escalation is then carried out using runas.exe and PSExec, enabling execution of commands under higher-privileged contexts.
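As an added example (not code from Trend Micro's report), the following Python sketch shows how a defender could flag the account-persistence pattern described above from Windows Security events: a freshly created account being added to both the Administrators and Remote Desktop Users groups, and the built-in Administrator account being re-enabled. The log lines are constructed, and the `key=value` layout, field names and working-hours range are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report), modelled on Windows
# Security event IDs: 4720 account created, 4722 account enabled,
# 4732 member added to a security-enabled local group.
SAMPLE_EVENTS = [
    "2025-05-03T02:11:04 4720 account=svc_backup actor=Administrator",
    "2025-05-03T02:11:09 4732 group=Administrators member=svc_backup actor=Administrator",
    "2025-05-03T02:11:15 4732 group=Remote Desktop Users member=svc_backup actor=Administrator",
    "2025-05-03T02:14:30 4722 account=Administrator actor=svc_backup",
    "2025-05-03T09:30:00 4720 account=jsmith actor=HelpdeskAdmin",
    "2025-05-03T09:30:20 4732 group=Remote Desktop Users member=jsmith actor=HelpdeskAdmin",
]

WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=10)   # creation -> group-membership window
BUSINESS_HOURS = range(7, 20)    # assumed local working hours (off-peak = outside)

def parse_event(line):
    """Return (timestamp, event_id, fields) for one 'key=value' log line."""
    ts, eid, rest = line.split(" ", 2)
    # Values such as group names may contain spaces, so stop before the next 'key='.
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", rest))
    return datetime.fromisoformat(ts), eid, fields

def find_persistence_alerts(lines):
    """Flag (a) a new account joining both watched groups shortly after creation
    and (b) the built-in Administrator account being re-enabled (subject = actor)."""
    created = {}                       # account -> creation time
    memberships = defaultdict(set)     # account -> watched groups joined
    alerts = []                        # (rule, subject, off_hours)
    for line in lines:
        ts, eid, f = parse_event(line)
        off_hours = ts.hour not in BUSINESS_HOURS
        if eid == "4720":
            created[f["account"]] = ts
        elif eid == "4732" and f["group"] in WATCHED_GROUPS:
            acct = f["member"]
            if acct in created and ts - created[acct] <= WINDOW:
                memberships[acct].add(f["group"])
                if memberships[acct] == WATCHED_GROUPS:
                    alerts.append(("new-admin-rdp-account", acct, off_hours))
        elif eid == "4722" and f["account"].lower() == "administrator":
            alerts.append(("builtin-admin-enabled", f["actor"], off_hours))
    return alerts

if __name__ == "__main__":
    for alert in find_persistence_alerts(SAMPLE_EVENTS):
        print(alert)
```

The `jsmith` account, which only joins Remote Desktop Users during working hours, produces no alert; both alerts on `svc_backup` carry the off-hours flag the report associates with this actor.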
A hallmark of Crypto24's campaign is its targeted dismantling of security controls. Trend Micro notes:
"What we observed represents a classic example of 'living off the land' tactics, where threat actors leverage legitimate administrative tools to further their attacks in post-compromise scenarios."
In one case, the attackers abused gpscript.exe, a legitimate Group Policy utility, to remotely execute Trend Vision One's uninstaller after obtaining administrator privileges.
Crypto24's surveillance phase is meticulous. The deployed keylogger (WinMainSvc.dll) is configured to run only when hosted by svchost.exe, a tactic to evade sandbox analysis, and sends captured keystrokes, along with active window titles, to Google Drive. Before exfiltration, the ransomware tests its upload capability by sending a "Test.txt" file containing the word "Test".
After mapping the network, stealing credentials, and disabling defenses, the operators deploy the MSRuntime.dll ransomware payload. In some observed incidents, initial execution failed due to Trend Micro detection, prompting the attackers to remove EDR components before successfully encrypting files and leaving ransom instructions.
Trend Micro emphasizes that Crypto24 "demonstrates a clear understanding of enterprise defense stacks and an ability to circumvent them." This operational maturity, coupled with the blending of legitimate and malicious tools, makes detection challenging and prolongs dwell time before the final payload is delivered.