Cyber Security News

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat, particularly targeting Taiwanese organizations.

The group, which started its operations in the healthcare, education, and industrial sectors of Taiwan, leverages sophisticated cyber techniques to disrupt essential services.

Sophisticated Techniques and Open-Source Exploitation

CrazyHunter’s toolkit is largely composed of open-source tools sourced from GitHub, with about 80% of their arsenal being open-source.

Notably, they’ve integrated tools like the Prince Ransomware Builder and ZammoCide, enhancing their capabilities significantly.

The use of the Bring Your Own Vulnerable Driver (BYOVD) method has been pivotal in their strategy to bypass security measures by exploiting vulnerabilities in existing system drivers.

CrazyHunter HackerCrazyHunter Hacker
The flow of the ransomware deployment process

Targeted Campaign Against Taiwanese Organizations

The focus of CrazyHunter’s attacks has been exclusively on Taiwan, with the group launching its public face through a leak site where ten victims were initially disclosed, all hailing from the region.

According to the Report, their targets span critical sectors, including hospitals, educational institutions, and industrial companies, which indicates a strategic intent to compromise organizations with valuable and sensitive operations.

The group’s operations, tracked since January, reveal a deliberate pattern of cyber-attacks, leveraging tools for evasion, privilege escalation, and direct impact through ransomware.

For defense evasion, CrazyHunter adapts an open-source process killer called ZammoCide into a formidable anti-virus (AV) and endpoint detection and response (EDR) killer.

Command-Line Interface (CLI) of the open-source tool ZammoCide

This tool, when executed, employs the vulnerable Zemana Anti-Malware driver (zam64.sys) to forcefully terminate security processes, thus facilitating the group’s malicious activities without detection.

Their ransomware, a bespoke variant using the Go programming language, employs advanced ChaCha20 and ECIES encryption to lock files, appending them with a “.Hunter” extension.

The ransomware campaign includes the creation of ransom notes and altering the victim’s desktop wallpaper.

To counter such advanced threats, organizations must adopt rigorous cybersecurity measures:

  • Access Control: Ensure that users only have access to necessary data and systems, implementing Multi-Factor Authentication (MFA) for critical access points.
  • Regular Updates: Keeping all systems, including drivers, up-to-date can prevent exploitation of known vulnerabilities.
  • Backup and Recovery: Regular backups to isolated environments are crucial to minimizing data loss.
  • Endpoint Protection: Utilize endpoint security solutions that focus on monitoring and blocking unauthorized driver installations.
  • Training and Awareness: Ongoing education to recognize and respond to phishing and other attack vectors is vital.

This proactive stance is necessary as ransomware groups evolve, adapting their tactics to include more sophisticated and complex methods of operation.

The use of open-source tools for nefarious purposes underscores the need for vigilance in managing and securing these resources against misuse.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows Remote…

11 minutes ago

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed critical…

45 minutes ago

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing malicious…

48 minutes ago

Kaspersky Alerts on AI-Driven Slopsquatting as Emerging Supply Chain Threat

Cybersecurity researchers at Kaspersky have identified a new supply chain vulnerability emerging from the widespread…

49 minutes ago

UK Government to Shift Away from Passwords in New Security Move

UK government has unveiled plans to implement passkey technology across its digital services later this…

51 minutes ago

Europol Dismantles DDoS-for-Hire Network and Arrests Four Administrators

Significant blow to cybercriminal infrastructure, Europol has coordinated an international operation resulting in the arrest…

59 minutes ago