finos
The surge in activity of C.A.S (Cyber Anarchy Squad) allowed Kaspersky Lab experts to refresh their knowledge of the group's tactics, techniques and tools, and to identify its connections with other hacktivists. According to the security company, the C.A.S group has been carrying out attacks on the territory of Russia and Belarus since 2022.
The attacks aim to cause maximum damage and affect organizations across different verticals. Initial access to target networks is usually gained by exploiting vulnerabilities in publicly exposed services such as Jira, Confluence and Microsoft SQL Server; sometimes ready-made access is bought from access brokers instead. Remote access Trojans taken from open sources (currently Revenge RAT and Spark RAT) are used to develop the attack. CMD, PowerShell and Meterpreter are also used, while XenAllPasswordPro, BrowserThief and Mimikatz are used to harvest credentials.
To shield the malware from detection, its folders are added to the Microsoft Defender exclusion list. As an extra layer of cover, the Trojan executables masquerade as legitimate Windows processes under names such as svxhost.exe, svrhost.exe, rpchost.exe and ssbyt.exe. The attackers can also gain full control over the security solution itself because of misconfigurations, and such cases are not uncommon.
In one attack, C.A.S used rm.ps1 to disable an EPP agent that had been left without a password. For persistence, new accounts are created (using net.exe) along with new registry keys. Ransomware built with the leaked LockBit and Babuk builders is then launched inside the compromised network. The extensions appended to the names of encrypted files are usually randomly generated.
Sometimes the number 3119, which is also repeated in the Trojan file name, is used as the extension instead. As it turned out, these are the ordinal positions of the Latin letters C, A and S in the alphabet.
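The Defender exclusions, masqueraded process names and net.exe account creation described above can be checked on a suspect host with built-in cmdlets. This triage script is an added example and not part of the report or of any Kaspersky tooling; the process names are the ones quoted above, and the event IDs are the standard Windows ones (Defender 5007 for a configuration change, Security 4720 for account creation).

```powershell
# Added triage example for the C.A.S tradecraft described in the report.
# Run in an elevated PowerShell session; it only reads state, nothing is changed.

# 1. Masqueraded Trojan names quoted in the report. None of these is a real
#    Windows binary, so any running process with one of them is suspicious.
$suspectNames = 'svxhost.exe', 'svrhost.exe', 'rpchost.exe', 'ssbyt.exe'
Get-CimInstance Win32_Process |
    Where-Object { $suspectNames -contains $_.Name } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# 2. Current Defender exclusions. The report says malware folders are added
#    here, so every entry should be justified by an administrator.
$pref = Get-MpPreference
[pscustomobject]@{
    ExcludedPaths      = $pref.ExclusionPath
    ExcludedProcesses  = $pref.ExclusionProcess
    ExcludedExtensions = $pref.ExclusionExtension
} | Format-List

# 3. When the exclusions were changed: Defender logs configuration changes
#    as event 5007 in its Operational log, with old and new registry values.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

# 4. Persistence via new local accounts (net.exe user /add): Security event
#    4720 records each created account and the subject that created it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
    -MaxEvents 100 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = $_.Properties[0].Value   # TargetUserName
            CreatedBy  = $_.Properties[4].Value   # SubjectUserName
        }
    }
```

Sections 3 and 4 return nothing if the logs have been cleared or audit policy does not record account management, which is itself worth noting during triage.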
https://i.ibb.co/g34F8dB/image1-Cyber-Anarchy-Squad.png
To cause even more harm, the attackers may wipe data in some network segments or on particular servers. For this, the df utility is first used to enumerate the attached disks, and then dd is used to wipe them.
C.A.S members, like many other hacktivists, like to boast about their successes on Telegram.
https://i.ibb.co/wwXVGRQ/image2-Cyber-Anarchy-Squad.png
In addition to the Telegram channel, C.A.S runs an open chat for discussions with subscribers. Notably, its administrators include representatives of other hacktivist groups, among them the Ukrainian Cyber Alliance.
In the infrastructure of one of the group's recent targeted-attack victims, artifacts were found that point to a connection between C.A.S and the DARKSTAR group, aka Shadow and Comet.