Post: Crypto24 ransomware hits large orgs with custom EDR evasion tool - Against Invaders - CyberSecurity news for humans.
<div>
<div>
<p>The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files.</p>
<p>The threat group’s earliest activity was reported on the BleepingComputer forums <a href="https://www.bleepingcomputer.com/forums/t/800910/crypto24-ransomware-crypto24;-decryptiontxt/" rel="nofollow noopener" target="_blank">in September 2024</a>, though it never reached notable levels of notoriety.</p>
<p>According to Trend Micro researchers tracking Crypto24’s operations, the hackers have hit several large organizations in the United States, Europe, and Asia, focusing on high-value targets in the finance, manufacturing, entertainment, and tech sectors.</p>
<p>The security researchers report that Crypto24 appears to be knowledgeable and well-versed, suggesting a high likelihood that it was formed by former core members of now-defunct ransomware operations.</p>
<h2>Post-compromise activity</h2>
<p>After gaining initial access, Crypto24 hackers activate default administrative accounts on Windows systems within enterprise environments, or create new local user accounts, for stealthy, persistent access.</p>
<p>Following a reconnaissance phase that uses a custom batch file and commands to enumerate accounts and profile the system hardware and disk layout, the attacker creates malicious Windows services and scheduled tasks for persistence.</p>
<p>The first is WinMainSvc, a keylogger service, and the second is MSRuntime, a ransomware loader.</p>
<div>
<p><img decoding="async" alt="Command and processes to escalate privileges" height="594" src="https://datalake.azaeo.com/wp-content/uploads/2025/08/priv-esc.jpg" width="887" /></p></div>
<p>Next, Crypto24 operators use a custom variant of the open-source tool RealBlindingEDR, which targets security agents from multiple vendors by disabling their kernel drivers:</p>
<ul><li>Trend Micro</li>
<li>Kaspersky</li>
<li>Sophos</li>
<li>SentinelOne</li>
<li>Malwarebytes</li>
<li>Cynet</li>
<li>McAfee</li>
<li>Bitdefender</li>
<li>Broadcom (Symantec)</li>
<li>Cisco</li>
<li>Fortinet</li>
<li>Acronis</li>
</ul><p>Crypto24’s custom RealBlindingEDR extracts the company name from the driver’s metadata, compares it to a hardcoded list, and, if there’s a match, disables kernel-level hooks/callbacks to “blind” the detection engine.</p>
<p>Concerning Trend Micro products specifically, the report mentions that, if the attacker has administrator privileges, they run a batch script that invokes the legitimate ‘XBCUninstaller.exe’ to uninstall Trend Vision One.</p>
<p>“We observed cases where attackers executed the Trend Vision One uninstaller, XBCUninstaller.exe, via gpscript.exe,” Trend Micro researchers say.</p>
<p>“The file in question is a legitimate tool provided by Trend Micro for troubleshooting, specifically to resolve issues such as fixing inconsistent agents within Trend Vision One deployments.”</p>
<p>“Its intended use is to cleanly uninstall Endpoint BaseCamp when required for maintenance or support.”</p>
<p>Removing the agent in this way prevents the detection of the follow-on payloads, the keylogger (WinMainSvc.dll) and the ransomware (MSRuntime.dll), both of which are custom tools.</p>
<p>The keylogger, which masquerades as “Microsoft Help Manager,” logs both active window titles and keypresses, including control keys (Ctrl, Alt, Shift, function keys).</p>
<p>The attackers also use SMB shares for lateral movement and staging files for extraction.</p>
<p>All stolen data is exfiltrated to Google Drive using a custom tool that leverages the WinINET API to interact with Google’s service.</p>
<p>The ransomware payload executes after deleting volume shadow copies on Windows systems to prevent easy recovery.</p>
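<p>The chain described above leaves several host-level artifacts a defender can alert on: the WinMainSvc and MSRuntime service installations, XBCUninstaller.exe spawned by gpscript.exe, and shadow copy deletion before encryption. The following is an added example, not code from the article or from Trend Micro, that runs simple detection rules over constructed telemetry records; the record shape (a dict per event with <code>source</code>, <code>event_id</code> and process fields) is an assumption for illustration, not any vendor’s schema, and the sample events are constructed.</p>

```python
"""Added example: detection pass over constructed Windows telemetry for the
artifacts named in the Crypto24 report. The record layout is an assumption
(not a vendor schema); event IDs 7045 (service install, System log) and
1 (process creation, Sysmon) are the standard Windows/Sysmon IDs."""
import re

# Constructed sample telemetry: benign and suspicious records mixed together.
SAMPLE_EVENTS = [
    {"source": "System", "event_id": 7045, "service_name": "WinMainSvc",
     "image_path": r"C:\Windows\Temp\WinMainSvc.dll",
     "display_name": "Microsoft Help Manager"},
    {"source": "System", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "display_name": "Print Spooler"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Temp\XBCUninstaller.exe",
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "command_line": "XBCUninstaller.exe"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

# Service names reported for the keylogger and the ransomware loader.
SUSPICIOUS_SERVICE_NAMES = {"winmainsvc", "msruntime"}
# Shadow copy deletion as seen before the encryption stage.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule_name, detail) hits for a single record."""
    hits = []
    if ev.get("source") == "System" and ev.get("event_id") == 7045:
        if ev.get("service_name", "").lower() in SUSPICIOUS_SERVICE_NAMES:
            hits.append(("crypto24_service_install", ev["service_name"]))
    if ev.get("source") == "Sysmon" and ev.get("event_id") == 1:
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        # Legitimate uninstaller launched through gpscript.exe, as in the report.
        if image == "xbcuninstaller.exe" and parent == "gpscript.exe":
            hits.append(("edr_uninstaller_via_gpscript", ev.get("command_line", "")))
        if SHADOW_DELETE.search(ev.get("command_line", "")):
            hits.append(("shadow_copy_deletion", ev.get("command_line", "")))
    return hits


def scan(events):
    """Run every rule over every record and collect the findings in order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

<p>On the constructed sample the scan yields three findings, one per stage; in a real deployment the same three rules would be expressed in the SIEM’s query language and the service-name match widened with the hashes from the report’s indicator list.</p>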
<div>
<p><img decoding="async" alt="Overview of Crypto24 attacks" height="600" src="https://datalake.azaeo.com/wp-content/uploads/2025/08/figure-scaled-1.jpg" width="234" /></p></div>
<p>Trend Micro does not provide any details about the ransomware part of the attack, such as encryption scheme, the ransom notes, communication methods, targeted file paths, language, or branding clues.</p>
<p>At the end of the report, the cybersecurity company shares a list of indicators of compromise that other defenders can use to detect and block Crypto24 ransomware attacks before they reach the final stages.</p>
</div>
</div>
<div>
<div>
<h5><a href="https://www.bleepingcomputer.com/author/bill-toulas/" target="_blank">Bill Toulas</a> <span> <a aria-label="Email bill.toulas@bleepingcomputer.com" href="mailto:bill.toulas@bleepingcomputer.com" target="_blank"><i aria-hidden="true" title="Email bill.toulas@bleepingcomputer.com"></i></a> <a aria-label="Open Author's twitter page" href="https://twitter.com/billtoulas" rel="noopener" target="_blank"><i aria-hidden="true" title="Open Author's twitter page"></i></a></span></h5>
<p>
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
</p>
</div>
</div>
</div></div>