CrazyHunter Campaign Targets Taiwanese Critical Sectors

Key takeaways
- CrazyHunter has established itself as a significant ransomware threat, specifically targeting Taiwanese organizations, predominantly in healthcare, education, and industrial sectors. Attacks on these critical sectors could disrupt the delivery of essential services.
- CrazyHunter employs sophisticated techniques, notably the Bring Your Own Vulnerable Driver (BYOVD) method, in which a legitimately signed but vulnerable driver is loaded and abused to disable security products, allowing the group to circumvent security measures effectively.
- The group broadened its toolkit by integrating open-source tools from GitHub, such as the Prince Ransomware Builder and ZammoCide, to further enhance their operational capabilities.
- Approximately 80% of CrazyHunter’s toolkit consists of open-source tools. It is important to monitor and secure these resources to prevent their adaptation for malicious use.
- Trend Vision One™ detects and blocks the malicious components used in the CrazyHunter campaign. Trend Vision One customers can also access hunting queries, threat insights, and intelligence reports to gain rich context on the latest CrazyHunter IoCs. For additional best practices, see security recommendations provided below.
CrazyHunter has quickly emerged as a serious ransomware threat. The group introduced itself in the past month by opening a data leak site on which it posted ten victims, all located in Taiwan. We have followed some of their operations through internal monitoring since the start of January and have witnessed a clear pattern of specifically targeting organizations in Taiwan. The group’s victims consist mainly of hospitals and medical centers, educational institutions and universities, manufacturing companies, and industrial organizations, which reflects a targeted focus on organizations with valuable data and sensitive operations.
This report introduces the tactics, techniques, and procedures (TTPs) utilized by CrazyHunter. It highlights the use of Bring Your Own Vulnerable Driver (BYOVD) and open-source tools on the GitHub platform, like the Prince ransomware builder. Recent findings indicate CrazyHunter’s toolset expansion, modification of the tools it initially used, and improved capability.
During hunting in our internal telemetry, we encountered malicious artifacts that contain the following interesting items: a hack tool that abuses Group Policy Object (GPO) policies, a vulnerable-driver exploit packaged as a process killer, and a few executable files compiled with the Go programming language.
Key findings on CrazyHunter’s campaigns
The addition of the Prince ransomware builder in their toolkit is especially concerning. This tool is readily accessible from GitHub and further lowers the barriers to entry for cybercriminals by providing a user-friendly means to create ransomware variants. The group’s use of BYOVD to evade security products shows the sophistication of its methods. Improvements on newly shared utilities from SharpGPOAbuse, better AV/EDR evasion capabilities, and Go-compiled executables have made CrazyHunter’s operations increasingly prevalent.
CrazyHunter’s emergence presents a significant threat to critical sectors in Taiwan, particularly in sectors such as healthcare and education. Disruptions in these areas could affect the delivery of essential services.
During our investigation, we identified three main points of interest:
- Use of open-source software found on GitHub.
- An enhanced toolkit and tools for implementation.
- Attacks focusing mainly on Taiwan.
Our research discovered that the attackers strategically and deliberately targeted Taiwan, which indicates a campaign specifically against the region. They used open-source tools from GitHub and expanded their range of tools and methods to increase the sophistication of their operations.
The use of open-sourced tools from GitHub
Around 80% of CrazyHunter’s toolset consists of open-source tools from GitHub. Our observations suggest that they modify this freely available source code to fit their specific needs and significantly enhance their capabilities.
We’ve identified three open-source tools that came from GitHub, each serving a distinct purpose:
Defense Evasion
The group uses a tailored variant of an open-source process killer tool called ZammoCide and adapts it to be an AV/EDR killer capable of terminating processes belonging to EDR products through a BYOVD approach taking advantage of the vulnerable driver zam64.sys.
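The BYOVD pattern described above leaves a distinctive trace in endpoint telemetry: a driver load from an unusual location (or of a known-vulnerable driver such as zam64.sys) followed shortly by the termination of security-product processes. The hunt below is an added example, not code from the original report or from Trend Micro, and is written in Python so it runs offline over a constructed JSON export of Sysmon-style events (Event ID 6 driver loaded, Event ID 5 process terminated). The security-product process names, path hints, time window and sample events are assumptions for illustration; tune them to the estate. Note that zam64.sys carries a valid signature, so a signed/unsigned check alone will not catch it: match on filename or, better, on the hash from a vulnerable-driver list, and correlate with what happens right after the load.

```python
"""Hunt for a BYOVD AV/EDR-killer pattern in Sysmon-style telemetry.

Added example (not from the original report). Assumes a simplified JSON
export of Sysmon events: EventID 6 = driver loaded, EventID 5 = process
terminated. Sample events below are constructed, not captured.
"""
import json
from datetime import datetime, timedelta

# Driver names the report ties to this campaign. Extend from a vulnerable-driver
# list and prefer hash matching on the Sysmon "Hashes" field in production,
# because the attacker controls the filename on disk.
SUSPECT_DRIVER_NAMES = {"zam64.sys"}
# Directories from which a legitimate driver is rarely loaded (assumption).
SUSPECT_DIR_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\windows\\tasks\\")
# Security-product process names (illustrative placeholders, not a vendor list).
SECURITY_PROCS = {"msmpeng.exe", "sensecncproxy.exe", "edr-agent.exe"}
WINDOW = timedelta(minutes=5)   # correlation window after the driver load
MIN_KILLS = 2                   # terminations needed for a high-severity alert


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_suspect_driver_load(ev: dict) -> bool:
    """True for EventID 6 records matching a known-bad name, odd path, or no signature."""
    if ev["EventID"] != 6:
        return False
    path = ev["ImageLoaded"].lower()
    if _basename(path) in SUSPECT_DRIVER_NAMES:
        return True
    if any(hint in path for hint in SUSPECT_DIR_HINTS):
        return True
    # Unsigned drivers are suspect, but a *signed* vulnerable driver passes this
    # check, which is exactly why BYOVD works; never rely on it alone.
    return str(ev.get("Signed", "true")).lower() == "false"


def hunt(events: list) -> list:
    """Correlate suspect driver loads with security-process terminations."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    alerts = []
    for ev in events:
        if not is_suspect_driver_load(ev):
            continue
        t0 = datetime.fromisoformat(ev["UtcTime"])
        kills = [
            _basename(e["Image"])
            for e in events
            if e["EventID"] == 5
            and t0 <= datetime.fromisoformat(e["UtcTime"]) <= t0 + WINDOW
            and _basename(e["Image"]).lower() in SECURITY_PROCS
        ]
        alerts.append({
            "time": ev["UtcTime"],
            "driver": ev["ImageLoaded"],
            "signed": ev.get("Signed"),
            "security_procs_terminated": kills,
            "severity": "high" if len(kills) >= MIN_KILLS else "medium",
        })
    return alerts


# Constructed sample telemetry: one benign driver load, one zam64.sys load from a
# user-writable path, two security-process terminations inside the window, and
# an unrelated termination that must not be counted.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-03-10T08:10:00", "Signed": "true",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys"},
    {"EventID": 6, "UtcTime": "2025-03-10T08:15:00", "Signed": "true",
     "ImageLoaded": "C:\\Users\\Public\\zam64.sys"},
    {"EventID": 5, "UtcTime": "2025-03-10T08:15:40",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-03-10T08:16:05",
     "Image": "C:\\Program Files\\ExampleEDR\\edr-agent.exe"},
    {"EventID": 5, "UtcTime": "2025-03-10T08:17:00",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Running the block on the constructed sample produces a single high-severity alert for the zam64.sys load, naming the two security processes terminated within the window; the benign disk.sys load and the unrelated notepad.exe termination produce nothing. In a real deployment the same correlation can be expressed as a SIEM query, and the driver-load side should additionally be compared against the hashes in a vulnerable-driver list rather than filenames only.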