Hello gang,
We’re working out what’s happening this coming week, and we believe we have the perfect set of topics for the next two weeks.
This one may have more of an impact, because it affects a number of security products, some of which have been in the industry for quite a while.
The beginning of the article says:
The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files.
The threat group’s earliest activity was reported on BleepingComputer forums in September 2024, though it never reached notable levels of notoriety.
That is probably going to change now that Trend Micro has published its research on the group: the tooling targets Trend Micro’s own Trend Vision One product along with products from about a dozen other vendors.
The security researchers report that Crypto24 appears to be knowledgeable and well-versed, suggesting a high likelihood that it was formed by former core members of now-defunct ransomware operations.
The main part of the article, which is research, deals with what happens during the post-compromise activity. The operators create their own malicious scheduled tasks, run reconnaissance, and can deploy a keylogger if they choose to.
After the keylogging and other activities, the article states:
Next, Crypto24 operators use a custom variant of the open-source tool RealBlindingEDR, which targets security agents from multiple vendors by disabling their kernel drivers:
The vendors whose security agents are targeted include:
- Trend Micro
- Kaspersky
- Sophos
- SentinelOne
- Malwarebytes
- Cynet
- McAfee
- Bitdefender
- Broadcom (Symantec)
- Cisco
- Fortinet
- Acronis
When talking to someone about what we were doing this coming week, which may also lead into this topic of ransomware and EDR-type products, I mentioned F-Secure, which may be involved in other similar attacks.
Continuing:
Crypto24’s custom RealBlindingEDR extracts the company name from the driver’s metadata, compares it to a hardcoded list, and if there’s a match, it disables kernel-level hooks/callbacks to “blind” detection engines.
Concerning Trend Micro products specifically, the report mentions that, if the attacker has administrator privileges, they run a batch script that invokes the legitimate ‘XBCUninstaller.exe’ to uninstall Trend Vision One.
This is bad, in theory and in practice: a hard-coded vendor list lets one tool blind a dozen products, and the uninstaller step removes the protection outright. Trend Micro goes into detail on how its products were affected and provides indicators of compromise (IOCs) for defenders to use.
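As an added illustration that is not part of the BleepingComputer article or of Trend Micro’s research, here is a small Python detection sketch covering two of the post-compromise behaviours described above: the batch script that launches the legitimate XBCUninstaller.exe (which needs administrator rights), and the creation of the group’s own scheduled tasks. The Sysmon-style process-creation records, the task names, the trusted-directory list and the file paths are all constructed for the example and are not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) style records used only to
# exercise the rules below; they are not telemetry from the incident. Paths and
# task names are placeholders assumed for the example.
SAMPLE_EVENTS = [
    {   # batch script being launched; on its own this is not flagged
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"cmd.exe /c C:\Users\Public\rm_av.bat",
    },
    {   # the legitimate Trend Vision One uninstaller started from that batch script
        "Image": r"C:\Temp\XBCUninstaller.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Temp\XBCUninstaller.exe",
    },
    {   # attacker-created scheduled task pointing at a user-writable directory
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /tn "SysHelper" /tr "C:\Users\Public\svc.exe" /sc minute /mo 5 /ru SYSTEM /f',
    },
    {   # benign task whose action lives under the Windows directory
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'schtasks /create /tn "Maint" /tr "C:\Windows\System32\sc.exe" /sc daily',
    },
    {   # benign: an interactive admin runs the uninstaller from Explorer
        "Image": r"C:\Program Files\Trend Micro\XBCUninstaller.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Trend Micro\XBCUninstaller.exe"',
    },
]

# Directories where a scheduled task's action is not considered suspicious
# (assumed for the example; tune for the environment).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def _basename(path):
    """Lower-cased file name of a Windows path, e.g. 'cmd.exe'."""
    return PureWindowsPath(path).name.lower()


def _task_action(cmdline):
    """Extract the /tr (task run) target from a schtasks command line, if any."""
    m = re.search(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def check_event(ev):
    """Return a rule name if the event matches one of the two behaviours, else None."""
    image = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    cmd = ev["CommandLine"]

    # Rule 1: the Trend Vision One uninstaller spawned by cmd.exe, i.e. from a
    # batch script, as the article describes. An interactive launch is not flagged
    # here, though this binary is rare enough that alerting on every run is defensible.
    if image == "xbcuninstaller.exe" and parent == "cmd.exe":
        return "trend_uninstaller_from_batch"

    # Rule 2: a scheduled task being created whose action is outside trusted
    # directories, which is how attacker-controlled persistence usually looks.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        action = _task_action(cmd)
        if action and not action.startswith(TRUSTED_ROOTS):
            return "scheduled_task_untrusted_path"

    return None


def detect(events):
    """Run both rules over a sequence of events and return (rule, image) hits."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append((rule, ev["Image"]))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Run against the constructed events, the sketch flags the uninstaller launched from cmd.exe and the SYSTEM task pointing at C:\Users\Public, and stays quiet on the two benign records. Because the uninstaller step only works with administrator privileges, correlating these hits with a preceding privilege-escalation or new-admin-logon event on the same host is the obvious next step for an analyst.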
There’s more that I’ll include in the show notes and discussion that we’re not bringing into this post, but this will give you some background.
“Crypto24 ransomware hits large orgs with custom EDR evasion tool” is our article if you’d like to read more. This will be this week’s topic, and we’ll break it down in our show notes along the same lines as the article.
This is something we need to be aware of, so please at least know about it. Again, the article doesn’t state what methods are used to get infected, but I suspect the usual ways of infection are used, i.e. links, attachments, installing things for you to run, and other things not mentioned within this article and/or discussion.
Thanks so much for reading, make it a great day!