EncryptHub’s OPSEC Failures Expose Its Malware Operation

Outpost24’s KrakenLabs reveals EncryptHub’s multi-stage malware campaign, exposing their infrastructure and tactics through critical OPSEC failures. Learn how this rising cybercriminal group operates and the threats they pose.

In a recent in-depth investigation, Outpost24’s specialized threat intelligence team, KrakenLabs, identified previously undisclosed aspects of a sophisticated malware operation known as EncryptHub. KrakenLabs’ analysis, shared with Hackread.com, provides a detailed understanding of the group’s operational infrastructure, tools, and characteristic behavioural patterns.

This enhanced understanding was made possible by a series of security lapses on the part of EncryptHub, which, according to Outpost24, inadvertently exposed crucial elements of their malicious ecosystem.

These operational errors include the enabling of directory listings on their core infrastructure, the storage of stolen data alongside malware files, and the exposure of Telegram bot configurations used for data theft and campaign oversight.

EncryptHub’s attack campaigns are characterized by multi-layered PowerShell scripts, designed to collect system information, extract valuable data, implement evasion techniques, inject malicious code, and deploy additional data-stealing programs. Their distribution methods include the use of trojanized versions of popular applications and the employment of third-party pay-per-install services. The group prioritizes stolen credentials based on factors such as cryptocurrency holdings, corporate network access, and VPN usage.

Furthermore, EncryptHub is developing a remote access tool, “EncryptRAT,” which features a command-and-control panel for managing infected systems, suggesting potential future commercialization. The group also actively monitors the ongoing cybersecurity trends, integrating newly discovered vulnerabilities into their attacks.

EncryptHub has tested various methods to deploy malware without detection, including disguising malicious software as legitimate applications. During the investigation, researchers observed the group used counterfeit versions of applications like QQ Talk, WeChat, and Microsoft Visual Studio 2022 signed with revoked code-signing certificates, and later with certificates issued by Encrypthub LLC. These trojanized applications contained PowerShell scripts to download and execute further malicious code, gathering system information and deploying data stealers.

Another distribution method involved the use of LabInstalls, a pay-per-install service, which facilitates the rapid deployment of malware through automated Telegram bots. It is available for as low as $10 (for 100 loads) to up to $450 (for 10,000 loads). EncryptHub confirmed their use of this service through feedback posted on an underground forum.

Encrypthub’s positive feedback on an underground forum “XSS” (Source: Outpost24)

The group’s attack process, or killchain, has evolved, with the latest version involving a multi-stage PowerShell script execution. The initial script steals sensitive data, including messaging sessions, cryptocurrency wallet information, and password manager files. It then downloads and executes a second script, which deploys further malicious components, including a modified Microsoft Common Console Document. The final stage involves the deployment of Rhadamanthys, an information stealer.

EncryptHub’s Killchain and Attack Process (Source: Outpost24)

EncryptHub is also developing a command-and-control panel, EncryptRAT, which allows for the management of infected systems, remote command execution, and the monitoring of stolen data. The tool’s development suggests a potential move towards commercialization, with features like multi-user support and segregated data storage.

KrakenLabs’ findings emphasise the need for continuous monitoring and enhancing security measures to counter the evolving threats posed by groups like EncryptHub. The group’s ability to adapt and utilize both in-house tools and third-party services highlights the importance of multi-layered security strategies.