ctipilot.ch
← Back to the live brief
NOTABLEthreatNATOB2

CrySome RAT freight-phishing chain: AMSI bypass, ICMLuaUtil UAC bypass and an open-source Defender-disruption tool

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel1 sourcesingle-source

LevelBlue SpiderLabs documented a multi-stage infection chain delivering CrySome RAT — a modular .NET remote-access trojan the lab notes has been covered in prior public reporting — through spear-phishing emails impersonating freight-rate confirmations (LevelBlue SpiderLabs, 2026-07-06). Victims reach a fake portal hosting a batch-file downloader that launches PowerShell with an AMSI bypass (T1059.001, T1562.001) to fetch a stage-1 binary, which performs a UAC bypass via the ICMLuaUtil COM interface (T1548.002). Stage 2 adds Microsoft Defender exclusions and drops WinDefCtl — an open-source Defender-disruption utility masquerading as svchost.exe from %TEMP% — to disable real-time protection before launching the RAT. Persistence is a scheduled task ("CrysomeLoader") re-firing every five minutes (T1053.005); the RAT provides hidden VNC, arbitrary command execution and Chromium-browser credential theft, defeating Chrome's App-Bound Encryption via a decryptor DLL (T1555.003). Defender takeaway: the operators combine almost entirely open-source/off-the-shelf components rather than custom development, so — as LevelBlue notes — detecting the individual behavioural stages (AMSI-bypass PowerShell, ICMLuaUtil COM abuse, Defender-exclusion registry writes under Software\Microsoft\Windows Defender\Exclusions, svchost.exe from a non-System32 path) gives multiple disruption points before the RAT establishes; freight/logistics lures make transport-sector helpdesks a natural target, but the chain is theme-agnostic and transferable.

By combining an AMSI bypass, an open-source Defender tampering utility, and the modular CrySome RAT client, the operators minimize custom development while still achieving privilege escalation, defense evasion, persistence, credential theft, and remote access.

The actor then targeted host defenses by executing WinDefCtl, an open-source Defender disruption utility, masquerading as svchost.exe from %TEMP%.

LevelBlue (Trustwave) SpiderLabs 2026-07-06

Defender actions

  • Enforce Microsoft Defender tamper protection via policy so exclusion paths cannot be added by a standard admin token; alert on ICMLuaUtil/CMSTPLUA COM instantiation outside expected system processes.
  • Hunt for scheduled tasks named 'CrysomeLoader' on a 5-minute trigger, svchost.exe running from %TEMP%, and batch→PowerShell chains carrying AMSI-bypass indicators (Sysmon EID 1).
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.