
The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of CrypRAT Infostealer actively spreading in the wild.


Figure: Memory snapshot of the CrypRAT Infostealer (raw and encrypted data)
Infection Cycle:
The Malware adds the following file to the system:
The Malware adds the following keys to the Windows registry:
Once the computer is compromised, the Malware installs the following components to record the user's activity via keylogging and clipboard capture:

The Malware terminates the self-extractor process and installs System.exe on the target system.


The Malware saves the raw captured data in the following registry location:

The Malware checks if data is available for transfer to the command and control (C&C) server every 10 seconds.
The Malware uses Base64 to obfuscate its strings as well as its network communication; here is an example:

Command and Control (C&C) Traffic
CrypRAT.A performs C&C communication over port 1177. The Malware transfers stolen data in Base64 format, here are some examples:
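The two traffic traits the article names (a fixed C&C port, 1177, and a roughly 10-second check-in with Base64-encoded payloads) are enough for a simple beaconing detector. The following is an added example written for this article, not SonicWall's code or a Capture Labs signature; the flow records are constructed, and the periodicity tolerance and minimum event count are assumed thresholds, not values from the report.

```python
import base64
import binascii
import re
from collections import defaultdict

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample flow records: (timestamp_s, dst_ip, dst_port, payload).
# The first four mimic a CrypRAT.A client checking in every ~10 s on port 1177
# with Base64-encoded stolen data; the last two are ordinary HTTPS noise.
SAMPLE_FLOWS = [
    (1000.0, "198.51.100.7", 1177, _b64("keylog: user typed hello")),
    (1010.1, "198.51.100.7", 1177, _b64("clipboard: password123")),
    (1019.9, "198.51.100.7", 1177, _b64("keylog: example.com")),
    (1030.2, "198.51.100.7", 1177, _b64("keylog: ")),
    (1005.0, "203.0.113.9", 443, "GET / HTTP/1.1"),
    (1300.0, "203.0.113.9", 443, "GET /a HTTP/1.1"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_b64(payload):
    """Return the decoded text if payload is well-formed Base64 UTF-8, else None."""
    if not B64_RE.match(payload) or len(payload) % 4:
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def is_periodic(times, period=10.0, tolerance=1.5, min_events=3):
    """True if consecutive timestamps are spaced ~period seconds apart (assumed thresholds)."""
    if len(times) < min_events:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return all(abs(g - period) <= tolerance for g in gaps)

def find_beacons(flows, port=1177):
    """Group flows by destination on the C&C port and flag periodic, Base64-only senders."""
    groups = defaultdict(list)
    for ts, dst, dport, payload in flows:
        if dport == port:
            groups[dst].append((ts, payload))
    findings = []
    for dst, events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        decoded = [decode_b64(p) for _, p in events]
        if is_periodic(times) and all(d is not None for d in decoded):
            findings.append({"dst": dst, "count": len(events), "decoded": decoded})
    return findings
```

Decoding the flagged payloads lets an analyst confirm keylogger or clipboard content before escalating; a 10-second period on an unusual port is suspicious on its own, but the Base64 check cuts false positives from unrelated services.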

SonicWall Capture Labs provides protection against this threat via the following signature: