A sophisticated new Remote Access Trojan (RAT) dubbed CrySome RAT has emerged, posing a significant threat to Windows users. Written in C#, this advanced .NET malware offers attackers comprehensive control over compromised machines, featuring potent capabilities like an AV killer and Hidden Virtual Network Computing (HVNC) for stealthy operations. Its ability to achieve extreme persistence, even surviving a factory reset by embedding itself in the Windows recovery partition, marks it as a particularly dangerous and evolving cyber threat.
Cyfirma analysts recently identified and analyzed CrySome RAT, detailing its modular architecture and robust features. The malware adheres to a structured design where an initial phase loads configuration and activates specific functionalities based on operator commands. Upon establishing a connection, it promptly transmits a detailed profile of the infected system to its command-and-control (C2) server. This profile includes critical information such as the username, operating system version, system uptime, country code, and the title of the currently active window, providing attackers with immediate situational awareness.
Defense Evasion Through the AVKiller Module
A standout feature of CrySome RAT is its integrated AVKiller module, a sophisticated toolkit designed to dismantle existing security defenses. This module hunts and terminates antivirus processes, disables crucial security services, and prevents the installation of new security software. Furthermore, it manipulates the system’s hosts file to redirect antivirus update servers, effectively isolating security tools from their update sources. The module also employs Image File Execution Options (IFEO) hijacking to prevent security tools from launching, rendering them non-functional without the user noticing.
The AVKiller module maintains extensive, hardcoded lists of known antivirus process names, security service identifiers, and relevant keywords for installer-related programs. A core function, ScanAndKillProcesses(), operates continuously in the background, scanning all active processes and terminating any that match its internal threat list. This process is optimized for speed, utilizing parallel execution to ensure that security processes are eliminated almost instantly upon detection or restart, leaving the system vulnerable.
Beyond direct process termination, the AVKiller module leverages the Windows Image File Execution Options registry key to assign a malicious debugger to targeted security executables. When a protected application attempts to launch, Windows silently reroutes it to a benign command that performs no action. This deceptive mechanism makes it appear as though the security application has started, while in reality, it remains inactive, leaving the victim unaware that their protection has been neutralized.
Additionally, the module’s PoisonHostsFile() function modifies the system’s hosts file. This action redirects domain names associated with antivirus updates to a null route (0.0.0.0), effectively blocking any attempts by security software to download the latest signature and definition updates. Over time, even if a security product manages to evade initial termination, it becomes progressively outdated and far less effective against emerging threats.
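The two AVKiller artifacts described above, the IFEO `Debugger` value and the null-routed hosts entries, are both visible to a defender on a live host. The following PowerShell audit is an added example for this article, not code from Cyfirma or from the malware analysis; the registry path and hosts-file location are standard Windows locations, while the security-vendor keyword list is an assumption to be replaced with the products actually deployed in your environment. Run it from an elevated session.

```powershell
# Added example (not from the Cyfirma report): audit the two AVKiller
# tampering artifacts described above on a live Windows host.
# Run from an elevated PowerShell session and review every hit manually;
# developer tools also legitimately set IFEO Debugger values.

$IfeoPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Assumption: illustrative vendor keywords; extend with the products you run.
$SecurityKeywords = @('defender','avast','kaspersky','eset','sophos',
                      'bitdefender','mcafee','norton','symantec',
                      'malwarebytes','trendmicro','crowdstrike','sentinel')

$findings = New-Object System.Collections.Generic.List[object]

# 1. IFEO: any subkey carrying a "Debugger" value makes Windows launch that
#    debugger instead of the named executable. A benign no-op command here is
#    exactly the hijack the article describes.
Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
    $debugger = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings.Add([PSCustomObject]@{
            Artifact   = 'IFEO Debugger'
            Target     = $_.PSChildName
            Value      = $debugger
            Suspicious = $true
        })
    }
}

# 2. hosts file: a non-loopback name mapped to 0.0.0.0 or 127.0.0.1 is a
#    null-route. Flag those whose name contains a security-vendor keyword.
Get-Content -Path $HostsFile -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_
    if ($line -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)') {
        $ip   = $matches[1]
        $name = $matches[2]
        if ($name -match '^(localhost|localhost\.localdomain)$') { return }

        $vendorHit = $false
        foreach ($kw in $SecurityKeywords) {
            if ($name -like "*$kw*") { $vendorHit = $true; break }
        }
        $findings.Add([PSCustomObject]@{
            Artifact   = 'hosts null-route'
            Target     = $name
            Value      = $ip
            Suspicious = $vendorHit
        })
    }
}

# Suspicious hits first; the full list stays in $findings for triage.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

An empty result for the IFEO check is the expected baseline on a workstation without developer tooling; any `Debugger` value pointing at a security product's executable, or any hosts entry that resolves a vendor update domain to `0.0.0.0`, should be treated as confirmation of tampering and the host handled under the isolation guidance later in this article.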
Stealthy Control with Hidden Virtual Network Computing (HVNC)
CrySome RAT’s offensive capabilities are further amplified by its Hidden Virtual Network Computing (HVNC) module. This component allows attackers to establish a completely invisible desktop session on the victim’s machine. Through this hidden session, threat actors can navigate the compromised system, open web browsers, access files, and execute commands without any visible indication to the legitimate user. This stealthy remote access, combined with other modules, transforms CrySome RAT into a potent post-exploitation framework.
The RAT also incorporates functionality for credential harvesting, specifically targeting credentials stored in Chromium-based browsers, a data store shared by many of the most widely used browsers today. It includes keylogging capabilities to record user keystrokes, direct webcam access for surveillance, and the ability to capture screenshots of the user’s activity. The inclusion of SOCKS proxy support further enhances its utility for attackers, facilitating lateral movement within a compromised network and expanding the attack surface.
Given these advanced capabilities, cybersecurity professionals and system administrators are advised to implement a robust defense-in-depth strategy. Any systems exhibiting indicators consistent with CrySome RAT should be immediately isolated to prevent further spread. The deployment of Endpoint Detection and Response (EDR) solutions capable of detecting process injection, unauthorized registry modifications, and service abuse is crucial across all network environments.
Regularly auditing scheduled tasks, Windows services, and the Run/RunOnce registry keys for any unauthorized entries is recommended. Network-level blocking of the identified C2 domain, crysome[.]net, and any associated infrastructure is essential. Enabling tamper protection on security tools can prevent unauthorized scripts or policy changes from disabling them. For thorough remediation, forensic examination of recovery partitions and offline registry hives is necessary to ensure the complete removal of persistent threats.
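The auditing steps above (Run/RunOnce keys, scheduled tasks, Windows services) and the application-control emphasis on user-writable directories can be combined into one triage script. The following is an added example written for this article, not Cyfirma's tooling; the registry keys and cmdlets are standard Windows ones, while the "user-writable" path pattern is an assumption that suits default installations and should be adjusted for environments with non-standard layouts. It enumerates each persistence location and flags entries whose command line points into a user-writable path.

```powershell
# Added example (not from the Cyfirma report): enumerate the persistence
# locations named in the remediation guidance and flag commands that run
# from user-writable directories. Run elevated; hits need manual review.

# Assumption: directories an unprivileged user can normally write to.
$UserWritablePattern = '(?i)\\(Users|ProgramData|Temp|Public|AppData)\\'

function Test-UserWritable {
    param([string]$CommandLine)
    return [bool]($CommandLine -match $UserWritablePattern)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce autostart keys, machine-wide (incl. WOW6432Node) and per-user.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $findings.Add([PSCustomObject]@{
            Source       = $key
            Name         = $p.Name
            Command      = [string]$p.Value
            UserWritable = Test-UserWritable ([string]$p.Value)
        })
    }
}

# 2. Scheduled tasks: every executable action, with its arguments.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        $findings.Add([PSCustomObject]@{
            Source       = "Task $($task.TaskPath)$($task.TaskName)"
            Name         = $task.TaskName
            Command      = $cmd
            UserWritable = Test-UserWritable $cmd
        })
    }
}

# 3. Services: the binary path each service is registered to start.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $findings.Add([PSCustomObject]@{
        Source       = 'Service'
        Name         = $_.Name
        Command      = [string]$_.PathName
        UserWritable = Test-UserWritable ([string]$_.PathName)
    })
}

# User-writable hits first; the complete inventory stays in $findings.
$findings | Where-Object { $_.UserWritable } | Format-Table -AutoSize -Wrap
```

A service or scheduled task whose binary sits under `\Users\` or `\ProgramData\` is not proof of compromise on its own, since some legitimate installers do this, but it is the population an application-control policy should be denying by default, and each hit should be matched against a known-good inventory before being cleared.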
Enforcing application control policies to restrict the execution of unknown or unsigned binaries, particularly those originating from user-writable directories, is a key preventative measure. Maintaining offline backups and verified system images will be critical for facilitating full system recovery in the event of a successful compromise. The ongoing vigilance and proactive security measures are paramount in mitigating the risks posed by advanced threats like CrySome RAT.