Water Basilisk Campaign Distributes RATs Through a New Crypter
Threat Actors Use HCrypt to Drop Payloads.
Another malicious operation has surfaced in the world of malware and trojans. The so-called Water Basilisk campaign uses a new crypter to distribute remote access trojans (RATs). Among the RATs it propagates are LimeRat, QuasarRat, BitRat, NjRat, Warzone, and Nanocore RAT.
What Is a RAT?
As we wrote in a previous post, a RAT (short for Remote Access Trojan) is a type of malware that cybercriminals use to gain full control over a targeted computer. RATs typically spread bundled with programs the user requested, such as games, or via email attachments, so the victim downloads them without realizing it.
Once installed, the RAT gives the attacker control of the machine, and compromised machines can be pooled into a botnet that spreads the infection further.
The Water Basilisk Campaign: More Details
According to Cyware, the Water Basilisk campaign, discovered by TrendMicro researchers, is a fileless operation with the following characteristics:
- The cybercriminals used compromised WordPress websites and file hosting services to host their phishing kits.
- The malicious file is an ISO image, delivered through phishing emails or websites.
- The payload is embedded in an obfuscated PowerShell script.
- The crypter used is HCrypt, specifically version 7.8, which is sold as a crypter-as-a-service.
- HCrypt generates obfuscated VBScript and PowerShell loaders that deliver the payloads.
- New in the most recent HCrypt variant: PDF phishing payloads, a BTC stealer, and updated encryption for its JS and VBS payloads.
The Water Basilisk campaign peaked in August, and the HCrypt version it uses sells on the black market for $199.
The crypter-as-a-service model resembles ransomware-as-a-service, the difference being that a crypter is built for and sold to cybercriminals with limited technical expertise.
Also worth noting is why the threat actors behind Water Basilisk chose ISO files. As the TrendMicro researchers explained, ISO images are comparatively large, and email gateway scanners often skip or only partially scan large attachments. A second reason is that modern Windows mounts an ISO natively on a double-click, so the victim needs no extra tooling to open it.
We can assume two reasons why this attack uses ISO files. One is how ISO images tend to have larger file sizes, making it so that email gateway scanners would not be able to scan ISO file attachments properly. Another is how opening an ISO file in new operating systems is as simple as double-clicking the file, due to native ISO mounting tools. This improves the chances of a victim opening the file and infecting their system.
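The practical counter to "the gateway does not look inside ISO attachments" is to look inside them yourself, and to identify the container by its signature rather than by the attachment's claimed extension. The following is an added example written for this page, not code from the campaign write-up or from TrendMicro: it parses the ISO 9660 primary volume descriptor at sector 16, walks the root directory, and flags entries with script or executable extensions. The `build_sample_iso` helper, the `SAMPLE_FILES` lure contents and the `SUSPICIOUS_EXT` watch-list are all constructed here for illustration; the format offsets follow ECMA-119.

```python
"""
Added example (not the Water Basilisk write-up's or TrendMicro's tooling):
triage a mailed attachment as an ISO 9660 image and list its root directory
without mounting it. Only the standard library is used.
"""
import struct

SECTOR = 2048
# Assumed watch-list: extensions that should never arrive inside a mailed ISO.
SUSPICIOUS_EXT = {"VBS", "VBE", "JS", "JSE", "PS1", "EXE", "SCR", "LNK",
                  "BAT", "CMD", "HTA", "DLL"}


def _both32(v):
    """ISO 9660 stores numeric fields little-endian followed by big-endian."""
    return struct.pack("<I", v) + struct.pack(">I", v)


def _both16(v):
    return struct.pack("<H", v) + struct.pack(">H", v)


def _dir_record(name, extent, size, flags):
    """Build one ISO 9660 directory record (ECMA-119 section 9.1)."""
    rec = bytearray(b"\x00\x00")          # record length (patched below), ext-attr length
    rec += _both32(extent)                # location of extent (sector number)
    rec += _both32(size)                  # data length in bytes
    rec += bytes(7)                       # recording date/time, zeroed here
    rec += bytes([flags])                 # file flags: bit 1 set = directory
    rec += b"\x00\x00"                    # file unit size, interleave gap
    rec += _both16(1)                     # volume sequence number
    rec += bytes([len(name)]) + name      # file identifier
    if len(name) % 2 == 0:
        rec += b"\x00"                    # pad byte keeps the record length even
    rec[0] = len(rec)
    return bytes(rec)


def build_sample_iso(files):
    """Constructed minimal ISO 9660 image with a flat root directory.

    files: list of (8.3 name, content) pairs. Layout: sectors 0-15 system
    area, 16 primary volume descriptor, 17 terminator, 18 root directory,
    19 onward file data (whole sectors per file).
    """
    root_lba, data_lba = 18, 19
    records = [_dir_record(b"\x00", root_lba, SECTOR, 0x02),   # "."
               _dir_record(b"\x01", root_lba, SECTOR, 0x02)]   # ".."
    data = bytearray()
    for name, content in files:
        lba = data_lba + len(data) // SECTOR
        records.append(_dir_record(name.encode("ascii") + b";1", lba, len(content), 0))
        nsect = max(1, -(-len(content) // SECTOR))
        data += content.ljust(nsect * SECTOR, b"\x00")
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")

    pvd = bytearray(SECTOR)
    pvd[0] = 1                                           # descriptor type 1 = primary
    pvd[1:6] = b"CD001"                                  # standard identifier
    pvd[6] = 1                                           # descriptor version
    pvd[40:72] = b"SAMPLE_LURE".ljust(32)                # volume identifier
    pvd[80:88] = _both32(data_lba + len(data) // SECTOR)  # volume space size in sectors
    pvd[120:124] = _both16(1)                            # volume set size
    pvd[124:128] = _both16(1)                            # volume sequence number
    pvd[128:132] = _both16(SECTOR)                       # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 0x02)  # root directory record
    terminator = (bytes([255]) + b"CD001" + bytes([1])).ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + bytes(pvd) + terminator + root_dir + bytes(data)


def is_iso9660(blob):
    """True if a primary volume descriptor sits at sector 16, whatever the
    attachment's extension claims (renaming .iso to .img changes nothing here)."""
    off = 16 * SECTOR
    return len(blob) >= off + SECTOR and blob[off] == 1 and blob[off + 1:off + 6] == b"CD001"


def list_root_entries(blob):
    """Walk the root directory of an ISO 9660 image: [(name, size, is_dir)]."""
    pvd = blob[16 * SECTOR:17 * SECTOR]
    root = pvd[156:190]
    root_lba = struct.unpack_from("<I", root, 2)[0]
    root_len = struct.unpack_from("<I", root, 10)[0]
    table = blob[root_lba * SECTOR:root_lba * SECTOR + root_len]
    entries, off = [], 0
    while off < len(table):
        rec_len = table[off]
        if rec_len == 0:                         # records never straddle sectors; skip padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        flags = table[off + 25]
        name_len = table[off + 32]
        name = table[off + 33:off + 33 + name_len]
        if name not in (b"\x00", b"\x01"):      # skip "." and ".."
            size = struct.unpack_from("<I", table, off + 10)[0]
            entries.append((name.decode("ascii").split(";")[0], size, bool(flags & 0x02)))
        off += rec_len
    return entries


def triage_attachment(blob):
    """Verdict for one attachment: is it an ISO, what does its root hold,
    and which entries carry a script/executable extension."""
    if not is_iso9660(blob):
        return {"iso": False, "entries": [], "suspicious": []}
    entries = list_root_entries(blob)
    suspicious = [name for name, _, is_dir in entries
                  if not is_dir and name.rsplit(".", 1)[-1].upper() in SUSPICIOUS_EXT]
    return {"iso": True, "entries": entries, "suspicious": suspicious}


# Constructed sample: a lure ISO with a VBScript loader beside a decoy text file.
SAMPLE_FILES = [("INVOICE.VBS", b'Set sh = CreateObject("WScript.Shell")\r\n'),
                ("README.TXT", b"Please open the invoice.\r\n")]
SAMPLE_ISO = build_sample_iso(SAMPLE_FILES)

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ISO))
```

Two caveats for production use. The parser reads only the primary descriptor and the root directory; real lures frequently rely on a Joliet supplementary descriptor (long Unicode names at sector 17 onward) or on UDF, and may bury the loader in a subdirectory, so a gateway check should walk those too, or hand the image to a full ISO/UDF library. And the size argument in the text cuts both ways: if the gateway has a size ceiling above which attachments are passed through unscanned, the attacker only has to pad the image, so the policy for oversized ISO attachments should be quarantine, not pass-through.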