Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor with both Windows and Linux variants.
Key Takeaways
What is KrustyLoader?
Multiple industry sources recently reported on KrustyLoader, a Rust-based backdoor. Both Linux and Windows variants of KrustyLoader have been observed.
Linux Variant
The threat actors leveraged Rust payloads, which downloaded and executed KrustyLoader. KrustyLoader, in turn, downloaded the post-exploitation toolkit Sliver. While the vulnerabilities named in those reports have since been patched, unpatched systems remain susceptible to them.
Windows Variant
WithSecure described the Windows variant infection chain, noting the threat actor drops a batch file called r.bat on the victim machine in two different directories and then launches the script. The script removes previous copies of dropped artifacts and randomly selects a predefined AWS S3 URL, which hosts the KrustyLoader payload. It then creates a file named C:\Windows\temp\0 and attempts to download the payload as C:\Windows\Temp\1.exe. Finally, the KrustyLoader payload is launched.
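The Windows drop chain above lends itself to host-based correlation. The following Python sketch is an added example, not code from the original report or from WithSecure: it walks Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records and flags a host when several stages of the chain appear together. The file paths are the ones named in the report; the event records, host names and timestamps are constructed for this example, and the S3 download step is not modelled because the report does not list the URLs.

```python
"""Correlate the KrustyLoader Windows drop chain across Sysmon-style events."""
import ntpath
from collections import defaultdict

# Artifacts named in the report (compared case-insensitively).
DROPPER_NAME = "r.bat"
MARKER_FILE = r"C:\Windows\Temp\0"
PAYLOAD_PATH = r"C:\Windows\Temp\1.exe"

# Constructed sample telemetry (not real data). Field names loosely mimic
# Sysmon: event 11 = FileCreate, event 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"event": 11, "host": "ws01", "ts": "2024-01-31T10:00:01",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Users\Public\r.bat"},
    {"event": 11, "host": "ws01", "ts": "2024-01-31T10:00:01",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\ProgramData\r.bat"},
    {"event": 1, "host": "ws01", "ts": "2024-01-31T10:00:02",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\Public\r.bat"'},
    {"event": 11, "host": "ws01", "ts": "2024-01-31T10:00:03",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\temp\0"},
    {"event": 11, "host": "ws01", "ts": "2024-01-31T10:00:05",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\Temp\1.exe"},
    {"event": 1, "host": "ws01", "ts": "2024-01-31T10:00:06",
     "image": r"C:\Windows\Temp\1.exe", "cmdline": r"C:\Windows\Temp\1.exe"},
    # Benign noise on another host; must not trigger anything.
    {"event": 11, "host": "ws02", "ts": "2024-01-31T10:00:07",
     "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]


def _norm(path: str) -> str:
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return ntpath.normcase(path)


def _cmdline_mentions(cmdline: str, name: str) -> bool:
    """True if any token of the command line has the given file name."""
    return any(ntpath.basename(_norm(tok.strip('"'))) == name for tok in cmdline.split())


def analyse_events(events):
    """Return {host: sorted list of matched chain stages} for hosts with any match."""
    state = defaultdict(lambda: {"rbat_dirs": set(), "stages": set()})
    for ev in events:
        st = state[ev["host"]]
        if ev["event"] == 11:
            target = _norm(ev["target"])
            if ntpath.basename(target) == DROPPER_NAME:
                # The report notes r.bat is dropped in two different directories.
                st["rbat_dirs"].add(ntpath.dirname(target))
            elif target == _norm(MARKER_FILE):
                st["stages"].add("marker_file_created")
            elif target == _norm(PAYLOAD_PATH):
                st["stages"].add("payload_written")
        elif ev["event"] == 1:
            if _norm(ev["image"]) == _norm(PAYLOAD_PATH):
                st["stages"].add("payload_executed")
            elif _cmdline_mentions(ev.get("cmdline", ""), DROPPER_NAME):
                st["stages"].add("dropper_executed")

    results = {}
    for host, st in state.items():
        stages = set(st["stages"])
        if len(st["rbat_dirs"]) >= 2:
            stages.add("dropper_in_two_dirs")
        if stages:
            results[host] = sorted(stages)
    return results


def alerts(events, min_stages: int = 2):
    """Hosts where at least `min_stages` distinct stages of the chain were seen."""
    return {h: s for h, s in analyse_events(events).items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring two or more stages keeps a lone write to `C:\Windows\Temp\1.exe` from paging anyone, while the full chain on a single host scores all five. In a real pipeline the same logic would be keyed on Sysmon Event IDs 11 and 1 from the host's event log rather than the inline list.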
Who is UNC5221?
UNC5221, also known as UTA0178, is a threat actor group thought to be China-nexus. The group appears to be focused on espionage and tends to select targets strategically rather than opportunistically. Little is known about UNC5221 at this time. However, the group has been observed using other distinct malware, including the CHAINLINE backdoor, the FRAMESTING, WIREFIRE, LIGHTWIRE, and BUSHWALK webshells, the WARPWIRE stealer, and the ZIPLINE backdoor.
IOCs
PolySwarm has multiple samples associated with KrustyLoader. You can use the following CLI command to search for all KrustyLoader samples in our portal:
$ polyswarm link list -f KrustyLoader