blog

Exploiting OSS Tools and Evading Detection: The CRYSTALRAY Attack

Written by KN Cyber Editor | Jul 22, 2024 5:49:02 AM

A threat actor, known as CRYSTALRAY, which was observed to use an open-source network mapping tool ‘SSH-Snake’ has now been found to successfully exploit 1500 machines. 


Overview of CRYSTALRAY Attack Method [Source: Sysdig]

A Sysdig researcher Miguel Hernández reported SSH-Snake to be a self-modifying worm which spreads throughout networks by using SSH credentials from infected servers. It is more effective, adaptable, and stealthy than standard SSH worms since it searches known credential locations & shell history directories while avoiding recognizable attack patterns.

Three main objectives were identified:
•    Stealing and selling credentials, which involved set of services like cloud service providers and SaaS email providers, from the victim machines
•    Deploying crypto miners
•    Maintaining persistence in the victim environment 

Initially, in February 2024, it was revealed by Sysdig Threat Research Team (TRT) that CRYSTALRAY was involved in using SSH-Snake to exploit Atlassian confluence vulnerabilities. Later on, the threat actor advanced its attack operations by performing “mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple Open-Source Software (OSS) security tools.” reads Sysdig’s report.

CRYSTALRAY was found to conduct targeted IP scans for specific countries and achieved higher precision than a botnet. Over 50% of the targets were identified to belong to China and the US. Other identified countries include, Singapore, Korea, India, Japan, France, Russia, etc.

Besides SSH-Snake, zmap, asn, httpx, nuclei, and platypus are some other OSS tools that have been found to be used by the threat actor. 
●    Zmap and asn were used for port scanning. 
●    Httpx checked whether the domain was live or not.
●    Nuclei reported CVEs, the victim got affected by. 
●    Reverse shell sessions and clients were managed by web-based manager, platypus.

For financial gains, CRYSTALRAY employed two crypto miners. One was an older and less concealed version while the other was more sophisticated one that got connected to a mining pool hosted on the same C2 server.


 Script for Adding to Crontab and Executing Old Crypto Miner [Source: Sysdig]


“The found wallet is connected to a nanopool and some of the workers who match the scripts are connected. Approximately, they are mining around $200/month.” reads Sysdig’s report.
Mining done by CRYSTALRAY [Source: Sysdig]

For attacks launched in April and May, CRYSTALRAY utilized a handcrafted configuration script with pools hosted on the same server used for Command and Control (C&C). This prevented TRT from estimating current revenue generated by the threat actor.

Additionally, to maximize their control over victim machines, CRYSTALRAY played smartly by utilizing a script to remove existing crypto miners from compromised systems. This ensured exclusive access to victim resources.  

Mitigation measures against such attacks include adopting effective vulnerability, identity and secret management practices. Timely patching of vulnerabilities in public facing applications and continuous monitoring ensures to promptly respond to attacks and enable timely forensic analysis to find the root cause.