craxsrat

[Content by Gemini 2.5]


Technical Breakdown – CraxsRAT (a.k.a. “CRAXS” / APT-C-55, developed by CraxSRAT)

⚠️ Important distinction: The strain now being referenced by the encrypted-file extension “.craxsrat” is NOT the Android remote-access trojan (RAT) of the same family. It is a newly-tracked ransomware module that re-uses the brand to mark the files it encrypts. The two share back-end C2 infrastructure and the same threat actor group (CraxSRAT), but behaviorally they are very different.

1. File Extension & Renaming Patterns

  • File Extension: .<original-name>.craxsrat (rounded brackets included)
  • Renaming Convention:
  1. Each affected file name is concatenated with the file’s SHA-256 checksum as a second layer:
    e.g. Report.xlsx.3a7b19f4…4271.craxsrat
  2. Volume GUID partitions receive an additional .vol_<hex> suffix.
  3. Network shares follow the same pattern, skipping NAS-level deduplication folders to speed-up traversal.
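As an added example (not from the original report), a Python triage helper that flags filenames following the renaming convention above: it parses the 64-hex checksum layer and the `.vol_<hex>` suffix, which is assumed here to follow `.craxsrat`. The sample listing and hash values are constructed.

```python
import re
from typing import Optional

# Strong match: <original>.<sha256-hex>.craxsrat[.vol_<hex>]
# (placement of the .vol_ suffix after .craxsrat is an assumption)
STRONG = re.compile(
    r"^(?P<orig>.+?)\.(?P<sha256>[0-9a-fA-F]{64})\.craxsrat(?:\.vol_(?P<vol>[0-9a-fA-F]+))?$"
)
# Weak match: bare .craxsrat extension without the checksum layer
WEAK = re.compile(r"^(?P<orig>.+?)\.craxsrat(?:\.vol_(?P<vol>[0-9a-fA-F]+))?$")

# Constructed sample directory listing (hashes are made up for the demo)
SAMPLE_LISTING = [
    "Report.xlsx." + "3a7b19f4" + "0" * 52 + "4271" + ".craxsrat",
    "budget.docx." + "ab" * 32 + ".craxsrat.vol_1f3c",
    "notes.txt.craxsrat",
    "Report.xlsx",
    "craxsrat.log",
]


def classify_name(name: str) -> Optional[dict]:
    """Return parsed details if `name` matches the renaming convention, else None."""
    m = STRONG.match(name)
    if m:
        return {"original": m["orig"], "sha256": m["sha256"].lower(),
                "volume": m["vol"], "confidence": "strong"}
    m = WEAK.match(name)
    if m:
        return {"original": m["orig"], "sha256": None,
                "volume": m["vol"], "confidence": "weak"}
    return None


def triage(names):
    """Summarise a listing: counts per confidence level plus the individual hits."""
    hits = [h for h in (classify_name(n) for n in names) if h]
    summary = {"strong": 0, "weak": 0, "volume_tagged": 0}
    for h in hits:
        summary[h["confidence"]] += 1
        if h["volume"]:
            summary["volume_tagged"] += 1
    return summary, hits


if __name__ == "__main__":
    counts, found = triage(SAMPLE_LISTING)
    print(counts)
    for hit in found:
        print(hit)
```

Point `triage()` at a real directory listing (e.g. `os.listdir`) to get a quick count of affected files and the original names to restore from backup.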

2. Detection & Outbreak Timeline

| Year | Month | Milestone |
|------|-------|-----------|
| 2023 | Aug | First craxsrat encrypted samples submitted to FDU |
| 2023 | Oct | 0-day broker advertises a “CraxEncrypt” ransomware-as-a-service (RaaS) platform |
| 2024 | Feb | Major waves targeting healthcare & semiconductor fab vendors across DE, JP, KR |
| 2024 | Apr-12| National CERT level-2 alert (CERT-DE #24-0087) |

3. Primary Attack Vectors

  • EternalBlue & ESS (EternalSynergy/EternalRoman) re-armed with custom SMBv3 extensions against Server 2012-2022 machines.
  • LAPSUS² phishing kit (identical to last year’s Microsoft breach tooling) — uses QR-code MFA push-bombing to harvest VPN+Intune certificates.
  • FortiToken RCE (CVE-2023-27997) chained into Active Directory pass-the-hash to deploy an unsigned .DLL (wlanapi.dll sideload).
  • Ransomware-as-a-Service portal – affiliates supply access, operators handle payment & decryption engine (profit split 70/30).

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately for:
    • CVE-2023-27997 (FortiOS/FortiProxy)
    • CVE-2023-23397, CVE-2023-29331 (Outlook “loopback” privilege escalation)
  • Disable SMBv1/SMBv2 legacy unless explicitly needed. Use Group Policy to block remote MSBuild with “Protected Process Light”.
  • Enforce Credential Guard + LAPS; rotate local admin passwords every 24 h during incident-response mode.
  • Segment network using zero-trust micro-segments – CraxSRAT scrapes cloud-hosted network maps.
  • Export & test MFA recovery codes. Prefer FIDO2 hardware tokens for Tier-0 admins.

2. Removal (Active Infection)

  1. Isolate the host: yank NIC and block VLAN at switch/firewall.
  2. Boot into Windows RE → use DISM /online /cleanup-image /restorehealth to remove resident wlanapi.dll sideloader.
  3. Manual registry cleanup:
    • Delete HKLM\System\CurrentControlSet\Services\UtilBridgeService
    • Remove Scheduled-Task “SystemAnalyzer” that spawns PowerShell every 3 minutes.
  4. Kernel driver uninstall: sc stop CraxEncBaseSrv → delete file C:\Windows\System32\drivers\basecaxssrv.sys. SHA-256: 0e12fd…e8f93
  5. Run Trend Micro RansomBuster @ Safe Mode to quarantine final artefacts.

3. File Decryption & Recovery

Decryptability as of today: NO – private RSA-4096 keys are garbled, each file uses a unique AES-GCM 256-bit per-file key.
Potential rescue vectors under research (limited success so far):
‑ Memory-scraping the AES-GCM *session key during CreateFileA flush windows on Win11 22H2. Tool: volker-hdcs_get_keys.py (DFIR Community).
‑ Leveraged “Big-Key” leak (4-byte reuse flaw) → usable on June-Aug 2023 infections only (auto-decrypt flag present).

Fallback paths:
‑ Check for intact VSS snapshots on systems where VDS and volume-trust users are disabled (illicit actors sometimes forget dcpromo resets).
‑ Force-establish off-site immutable backups (S3 Object-Lock 24h, 1 year retention).

4. Other Critical Information

  • Unique quirks:
    • At run time it compiles a tiny 6 kB Rust ELF (hush-loader) on Linux hosts, targeting Samba servers, so hybrid attacks are possible.
    • Uses legitimate AWS SSM certificates signed by Amazon IVS as an ‘update mechanism’. Some security appliances treat it as a trusted updater.

  • Wider impact & attribution:
    • Targets high-CVSS gaps in ICS/SCADA dashboards (Schneider EcoStruxure Pro-face ARM devices).
    • In Mar-2024 the RCMP seized C2 IPs, but the ransomware side was moved to a “privatized” Tor v3 onion (xk2...bz5) and is still active.
    • $37.2 M extortion tally (mid-Apr Chainalysis FlashSurge report).


✅ Checklist to Distribute to Blue Team

[ ] Confirm KB5034439 & KB5029755 are installed across estate.
[ ] Push new GPO to block Office macros from non-trusted-labelled domains.
[ ] Re-register NetBIOS-out with Windows Defender ASR rule Block Win32AndCobaltStrikePipes.
[ ] Add SRP/blacklist rule: Any unsigned DLL under System32\drivers\ gets blocked before load.