2026-07-08 · view entry permalink →
CrySome RAT freight-phishing chain: AMSI bypass, ICMLuaUtil UAC bypass and an open-source Defender-disruption tool
LevelBlue SpiderLabs documented a multi-stage infection chain delivering CrySome RAT — a modular .NET remote-access trojan the lab notes has been covered in prior public reporting — through spear-phishing emails impersonating freight-rate confirmations (LevelBlue SpiderLabs, 2026-07-06). Victims reach a fake portal hosting a batch-file downloader that launches PowerShell with an AMSI bypass (T1059.001, T1562.001) to fetch a stage-1 binary, which performs a UAC bypass via the ICMLuaUtil COM interface (T1548.002). Stage 2 adds Microsoft Defender exclusions and drops WinDefCtl — an open-source Defender-disruption utility masquerading as svchost.exe from %TEMP% — to disable real-time protection before launching the RAT. Persistence is a scheduled task ("CrysomeLoader") re-firing every five minutes (T1053.005); the RAT provides hidden VNC, arbitrary command execution and Chromium-browser credential theft, defeating Chrome's App-Bound Encryption via a decryptor DLL (T1555.003). Defender takeaway: the operators combine almost entirely open-source/off-the-shelf components rather than custom development, so — as LevelBlue notes — detecting the individual behavioural stages (AMSI-bypass PowerShell, ICMLuaUtil COM abuse, Defender-exclusion registry writes under Software\Microsoft\Windows Defender\Exclusions, svchost.exe from a non-System32 path) gives multiple disruption points before the RAT establishes; freight/logistics lures make transport-sector helpdesks a natural target, but the chain is theme-agnostic and transferable.
By combining an AMSI bypass, an open-source Defender tampering utility, and the modular CrySome RAT client, the operators minimize custom development while still achieving privilege escalation, defense evasion, persistence, credential theft, and remote access.
The actor then targeted host defenses by executing WinDefCtl, an open-source Defender disruption utility, masquerading as svchost.exe from %TEMP%.