CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat, particularly targeting Taiwanese organizations.

The group, which started its operations in the healthcare, education, and industrial sectors of Taiwan, leverages sophisticated cyber techniques to disrupt essential services.

Sophisticated Techniques and Open-Source Exploitation

CrazyHunter’s toolkit is largely composed of open-source tools sourced from GitHub, with about 80% of their arsenal being open-source.

Notably, they’ve integrated tools like the Prince Ransomware Builder and ZammoCide, enhancing their capabilities significantly.

The use of the Bring Your Own Vulnerable Driver (BYOVD) method has been pivotal in their strategy to bypass security measures by exploiting vulnerabilities in existing system drivers.

Targeted Campaign Against Taiwanese Organizations

The focus of CrazyHunter’s attacks has been exclusively on Taiwan, with the group launching its public face through a leak site where ten victims were initially disclosed, all hailing from the region.

According to the Report, their targets span critical sectors, including hospitals, educational institutions, and industrial companies, which indicates a strategic intent to compromise organizations with valuable and sensitive operations.

The group’s operations, tracked since January, reveal a deliberate pattern of cyber-attacks, leveraging tools for evasion, privilege escalation, and direct impact through ransomware.

For defense evasion, CrazyHunter adapts an open-source process killer called ZammoCide into a formidable anti-virus (AV) and endpoint detection and response (EDR) killer.

This tool, when executed, employs the vulnerable Zemana Anti-Malware driver (zam64.sys) to forcefully terminate security processes, thus facilitating the group’s malicious activities without detection.

Their ransomware, a bespoke variant using the Go programming language, employs advanced ChaCha20 and ECIES encryption to lock files, appending them with a “.Hunter” extension.

The ransomware campaign includes the creation of ransom notes and altering the victim’s desktop wallpaper.

To counter such advanced threats, organizations must adopt rigorous cybersecurity measures:

• Access Control: Ensure that users only have access to necessary data and systems, implementing Multi-Factor Authentication (MFA) for critical access points.
• Regular Updates: Keeping all systems, including drivers, up-to-date can prevent exploitation of known vulnerabilities.
• Backup and Recovery: Regular backups to isolated environments are crucial to minimizing data loss.
• Endpoint Protection: Utilize endpoint security solutions that focus on monitoring and blocking unauthorized driver installations.
• Training and Awareness: Ongoing education to recognize and respond to phishing and other attack vectors is vital.

This proactive stance is necessary as ransomware groups evolve, adapting their tactics to include more sophisticated and complex methods of operation.

The use of open-source tools for nefarious purposes underscores the need for vigilance in managing and securing these resources against misuse.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!