Last Updated on 13/03/2023 by TheDigitalHacker
A cybercriminal group known as the 8220 Gang has been observed using a new technique to evade detection by security systems, which is of concern to both the government and the private sector.
The gang, which reportedly has connections to China, has been using a new crypter called "ScrubCrypt" to obfuscate its malware and avoid detection by antivirus programs.
ScrubCrypt is a crypter: a tool that encrypts and packs malware so that it is not recognised by security systems. It is reportedly able to evade both the signature-based and the behaviour-based detection methods used by antivirus programs.
The cybercriminals behind the use of ScrubCrypt are believed to be using it to distribute banking trojans and other malware through phishing campaigns.
Security experts have warned that the use of crypters such as ScrubCrypt is likely to become more common as cybercriminals continue to search for ways to evade detection by security systems.
As a result, it is important for individuals and organizations to remain vigilant and take steps to protect themselves against these types of threats.
At the most basic level, this includes regularly updating antivirus software, using strong passwords on all devices, enabling multi-factor authentication, and avoiding suspicious emails and attachments.
Beyond that: enable logging, and retain log and access data for a longer period so that it is available for later investigation.
Adopt process-level analysis and a defined data-access process built on zero-trust security.
Security experts also say that trusting internal systems to access data should itself be treated as a major risk. If one machine is compromised, an organisation that exposes data or microservices openly for internal use can put the whole company in danger.
The primary purpose of ScrubCrypt is to remain undetected; obfuscated malware can sit in a system for years before it causes any visible harm.
| Topic | Information |
|---|---|
| Threat | Control access / partial control access |
| Technique | ScrubCrypt, a crypter used to obfuscate malware and bypass security measures, including behaviour-based detection |
| Detection | Not detected by most antivirus programs, which makes an additional layer of security necessary |
| Distribution | Email-based, weakly protected open ports, social engineering |
| Implications | Potential for any follow-on attack in the future |
| Recommendations | Maintain basic security hygiene, employee awareness, scheduled scans, zero-trust enablement in internal applications, and longer retention of access data |
How to tell if my computer or my organization is affected by ScrubCrypt?
Since ScrubCrypt is a tool used by cybercriminals to obfuscate malware, it can be difficult to tell whether your computer or organization has been affected by it.
However, there are a few signs that may indicate the presence of malware that has been obfuscated by a crypter like ScrubCrypt.
Possible indicators of a ScrubCrypt-obfuscated malware infection include:
The possibilities are endless once an attacker controls a system. From demanding a ransom to decrypt files to using web servers for DDoS attacks, they go above and beyond to achieve their goals.
If you are an IT administrator or a technical user, here are some of the patterns you can observe to analyze an attack.
Slow system performance:
Malware can cause your computer or network to slow down, as it consumes system resources and bandwidth.
This often happens on consumer devices and is also quite common in attacks on organizations. Here the attacker often uses the stolen computing power to make money, for example by running a cryptomining botnet. As cryptocurrency prices have fallen, these types of attacks have declined.
That said, if your organization exposes its servers to the Internet, it is quite easy for an attacker to use the same systems for global DDoS attacks and much more.
Pop-ups and other unusual behavior:
Malware may cause pop-up windows to appear, change your browser's home page, or redirect your web searches to unfamiliar sites.
This is generally seen on the consumer side and is rarely visible in an organization. In an organization, confidential or valuable data is instead exfiltrated or encrypted for ransom.
Unusual network activity:
Malware may communicate with a command-and-control server, which can result in unusual network activity such as unexpected outbound traffic.
This is one of the strongest pillars of ransomware attacks, and one of the most useful signals for detecting them.
Unusual files or processes:
Malware may create new files or processes on your system, or modify existing ones. Look for files with unusual names or locations, and for processes that are running but have no clear purpose.
Enabling process profiling and zero-trust systems is the way to go. If your organization lacks these, it is time to implement them as soon as possible.
Resources: