New threat group CRYSTALRAY seen using variety of off-the-shelf tools to steal credentials

Sysdig researchers have been following the group since February

The Sysdig Threat Research Team (TRT) has released a report on a new threat actor dubbed "CRYSTALRAY", which has been observed using several open-source penetration testing tools to exfiltrate and sell credentials, install cryptominers and maintain a presence on victims' networks via backdoors.

Since February, when Sysdig first reported on a group using SSH-Snake to traverse networks, CRYSTALRAY has expanded its operations to over 1,500 victims, using mass scanning, exploits for multiple vulnerabilities, and backdoors.

The group uses a package manager called pdtm to manage its open source tools, which include zmap, asn, httpx, nuclei, platypus and SSH-Snake.

CRYSTALRAY uses ASN, an open source intelligence (OSINT) package, to launch low-key, hard-to-detect scans over a range of target IP addresses, with more precision than a botnet, but less than a typical APT or ransomware attack. ASN includes a lookup tool and traceroute server and provides a breakdown of open ports, known vulnerabilities, and software and hardware running on the target.

"This will quickly give the user a complete breakdown of open ports, known vulnerabilities, known software and hardware running on the target, and more – all without ever sending a single packet to the target," Sysdig TRT says in its report.

The group deploys zmap to scan specific ports for vulnerable services and httpx to verify if a domain is live before checking for known vulnerabilities. It then uses a vulnerability scanner called nuclei to scan for specific vulnerabilities and defences, adapting existing proof-of-concept exploits to gain access.

"With powerful and flexible templating, nuclei can be used to model all kinds of security checks," the post says. "In some cases, they used nuclei tags argument to detect possible honeypots on ports where they scanned, to avoid launching their tools on those targets in order to remain undetected."

For lateral movement, it favours SSH-Snake, a worm that uses SSH private keys discovered on systems to traverse the network, while also sending captured keys and bash histories back to the group's command and control server.

For cryptomining, the group often deploys a script to remove competing cryptominers that may already exist on the target's devices.

Finally, CRYSTALRAY uses platypus, a reverse shell session manager, to monitor its hacking attempts.

The group's identity and location are unknown, but the majority of its victims have been in China and the US.

"CRYSTALRAY's operations prove how easily an attacker can maintain and control access to victim networks using only open source and penetration testing tools," Sysdig TRT's report concludes.

"Therefore, implementing detection and prevention measures to withstand attacker persistence is necessary."
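As an added illustration of such a detection measure (not code from Sysdig's report), the sketch below correlates process-execution events per host and user and alerts only when several of the tools named in this article appear together, since any one of them alone is also used by legitimate security teams. The log format, the sample events, the threshold and the SSH-Snake script-name hints are all assumptions made for the example.

```python
import shlex
from collections import defaultdict
from pathlib import PurePosixPath

# Binary names taken from the tool list in the article.
TOOLSET = {"pdtm", "zmap", "asn", "httpx", "nuclei", "platypus"}
# SSH-Snake runs as a shell script; these file-name hints are assumptions.
SCRIPT_HINTS = ("ssh-snake", "snake.sh")

# Constructed sample events, one per line: "<host> <user> <command line>".
SAMPLE_EVENTS = """\
web01 www-data /tmp/.x/pdtm
web01 www-data /tmp/.x/httpx -l targets.txt
web01 www-data /tmp/.x/nuclei -l live.txt
web01 www-data bash /tmp/.x/Snake.sh
build02 ci /usr/bin/python3 -m httpx
db03 postgres /usr/bin/psql -c 'select 1'
scan04 secops /usr/local/bin/nuclei -u https://staging.example.test
"""

def tools_in(cmdline):
    """Return the article's tool names that a single command line invokes."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes in a truncated log line
        argv = cmdline.split()
    hits = set()
    # Inspect argv[0] (the binary) and argv[1] (a script passed to an interpreter).
    for pos, arg in enumerate(argv[:2]):
        name = PurePosixPath(arg).name.lower()
        if pos == 0 and name in TOOLSET:
            hits.add(name)
        if any(hint in name for hint in SCRIPT_HINTS):
            hits.add("ssh-snake")
    return hits

def correlate(events_text, threshold=3):
    """Map (host, user) to the tools seen, keeping only pairs at or above threshold."""
    seen = defaultdict(set)
    for line in events_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            host, user, cmdline = parts
            seen[(host, user)] |= tools_in(cmdline)
    return {key: sorted(tools) for key, tools in seen.items() if len(tools) >= threshold}

if __name__ == "__main__":
    for (host, user), tools in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host} ({user}): {', '.join(tools)}")
```

Name matching is easy to evade by renaming binaries, so a rule like this is a triage signal to combine with behavioural detections rather than a complete control.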