Threat Research

CrySome RAT: Multi-Layered Userland Evasion and Post-Exploitation Framework

Overview

CrySome RAT is a .NET-based remote access trojan designed for post-compromise control, credential harvesting, and covert system interaction. The malware prioritizes persistence, defense evasion, and operator control over initial access techniques.

The analyzed sample demonstrates multiple persistence mechanisms, including:

  • Registry-based execution (RunOnce)
  • Service-based persistence
  • Watchdog-based self-protection

Its evasion strategy focuses on disabling endpoint protections, interfering with security tooling execution, and degrading update mechanisms. Communication with its command-and-control (C2) infrastructure occurs over a custom TCP-based protocol, enabling modular remote operations such as file manipulation, surveillance, proxying, and credential access.

Unlike kernel-level threats, CrySome RAT operates primarily in userland, leveraging configuration abuse and native utilities to maintain stealth and control.

Threat Distribution & Ecosystem

CrySome RAT is actively marketed across underground forums using a subscription-based model, indicating commercialization and ongoing development.

Fig 1: A forum post promoting CrysomeRAT for sale.
Fig 2: Selling price through subscription.

Cracked versions are also circulating, increasing accessibility and lowering the barrier for adoption by less sophisticated actors.

Fig 3: A forum post promoting a cracked version.

Additionally, the threat actor maintains a public-facing web portal, suggesting an organized distribution model and user onboarding flow.

Fig 4: Publicly available web portal “Crysome[.]net”.

Feature Set Overview

CrySome RAT provides a broad post-exploitation capability set:

  • Remote command execution (PowerShell)
  • File system manipulation
  • Process control
  • Proxy tunneling (SOCKS5 / reverse proxy)
  • Remote desktop (RDP & HVNC)
  • Audio/video surveillance
  • Credential harvesting
  • Keylogging

⚠️ Note: These features are modular and controlled via the C2 instruction framework.

Execution Flow & Initialization

Mutex-Based Execution Control

CrySome RAT ensures single-instance execution using a mutex:

  • CrysomeClient.InstanceMutex

If the mutex exists, execution terminates.

Fig 5: Mutex creation

Execution Path Validation

Before establishing persistence, the malware verifies whether it is executing from a designated path. If not, it copies itself to a preferred location.

This behavior ensures:

  • Stable execution path
  • Reduced detection from temporary execution directories

Fig 6: Execution Path Validation

This staged initialization ensures that persistence and environmental control mechanisms are established before exposing the host to operator-driven commands, reducing the risk of early disruption.

Persistence Mechanisms

Registry-Based Persistence

CrySome RAT establishes persistence via:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

It uses deceptive naming such as:

  • RuntimeBroker

Fig 7: Persistence achieved using RunOnce

Service-Based Persistence

A persistent service is installed:

  • Name: WindowsHealthMonitor

Characteristics:

  • Auto-start enabled
  • Recovery options configured

Fig 8: Persistence achieved using service

Survival Mechanism (Backup Execution)

The malware creates:

  • Randomized backup copies
  • Execution triggers for recovery

This redundancy mechanism ensures continued execution even if primary persistence artifacts are removed, indicating resilience against partial remediation.

Defense Evasion Strategy

CrySome RAT employs a multi-stage defense evasion model:

1. Endpoint Protection Disruption

  • Disables Microsoft Defender via:
    • PowerShell commands
    • Registry modification
  • Disables scheduled tasks to prevent recovery

Fig 9: Endpoint Protection Disruption

2. IFEO Abuse (Execution Interference)

The malware modifies:

HKLM\…\Image File Execution Options\

It assigns a Debugger value to security tools, redirecting execution to:

cmd.exe /c echo

This prevents tools from launching.
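As an added defender-side check (not code from the report or from the malware), the following Python snippet parses a .reg export of the Image File Execution Options key and flags any Debugger value that is really a command shell running an inline command, which is the cmd.exe /c echo pattern described above. The sample export, the ExampleSecurityTool.exe name and the other.exe entry are constructed.

```python
import re

# Constructed .reg export (not from the report): one legitimate IFEO Debugger
# entry and one that neuters a (made-up) security tool with "cmd.exe /c echo".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Notepad++\\notepad++.exe\" -notepadStyleCmdline -z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExampleSecurityTool.exe]
"Debugger"="cmd.exe /c echo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

IFEO_MARK = "\\image file execution options\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$')
# A "debugger" that is actually a shell with an inline command (cmd /c, powershell -c, ...)
SHELL_RE = re.compile(r'^"?(?:.*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?"?\s+(?:/c|-c|-command)\b', re.I)

def parse_ifeo_debuggers(reg_text):
    """Map image name -> unescaped Debugger value for every IFEO subkey that sets one."""
    found, image = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            image = path.rsplit("\\", 1)[1] if IFEO_MARK in path.lower() else None
            continue
        val = DEBUGGER_RE.match(line)
        if val and image:
            # .reg escaping: "\\" is one backslash, "\"" is one double quote
            found[image] = val.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return found

def find_hijacked_images(reg_text):
    """Return (image, debugger) pairs whose Debugger blocks the image instead of debugging it."""
    return sorted((img, dbg) for img, dbg in parse_ifeo_debuggers(reg_text).items()
                  if SHELL_RE.match(dbg))

if __name__ == "__main__":
    for img, dbg in find_hijacked_images(SAMPLE_REG):
        print(f"IFEO hijack: {img} -> {dbg}")
```

On a live host the same logic applies to the output of `reg export` for that key; the Notepad++ entry shows why a plain "Debugger value exists" rule would be too noisy.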

3. Service Disruption

Uses sc.exe and net.exe to:

  • Stop AV services
  • Disable them on startup

Fig 10: List of Targeted AV Disruption & Update Blocking

The implementation relies on spawning system utilities (sc.exe, net.exe) rather than direct Windows API calls, indicating a preference for living-off-the-land techniques that blend with legitimate administrative activity.

4. Update Blocking via Hosts File

  • Redirects AV update domains → 0.0.0.0
  • Prevents signature updates

5. Process Termination

  • Enumerates running processes
  • Matches against predefined AV list
  • Terminates in parallel execution

Fig 11: Targeted AV Process Termination
Fig 12: List of AV Process

Process termination appears to be driven by a predefined list of AV-related process names, suggesting static targeting rather than dynamic discovery.

Self-Protection Mechanisms

  • File locking to prevent deletion
  • Hidden/system attributes applied
  • Watchdog process monitors main binary
  • Backup replication across locations

Fig 13: Self-protection (watchdog, self-locking and hiding, startup)

Command and Control (C2)

CrySome RAT communicates via persistent custom TCP connections.

The communication model is based on a persistent socket connection, where the client maintains an active session with the C2 server to receive tasking in real time. This differs from traditional beaconing malware and enables lower-latency command execution.

Upon connection:

  1. Client registers
  2. System profiling data is sent
  3. Command handlers are initialized

Fig 14: C2 Instruction Set Handlers

Command handling is initialized through a dispatcher mechanism (RegisterHandlers), mapping received instructions to specific functional modules.

Command Capabilities

Includes:

  • Remote execution (cmd)
  • File operations (filemgr)
  • Proxying (proxy)
  • Surveillance (audio, cam)
  • Remote desktop (rdp, hvnc)
  • Credential theft (cred)
  • Keylogging (keylog)

Function naming and modular structure indicate a builder-based architecture, where capabilities are selectively enabled during payload generation.

Credential Harvesting

CrySome RAT drops a credential decryption module (abe_decrypt.dll) to the local filesystem and executes it as a standalone component after terminating browser processes, so that the browser storage files are no longer locked.

The module processes browser storage artifacts and outputs structured credential data (e.g., passwords.json, cookies.json) for exfiltration.

Fig 15: Browser-based Credential Harvesting
Fig 16: Credential Harvesting using abe_decrypt.dll
Fig 17: Captured victim password (password.json)

Keylogging

Implements global keylogging using:

  • SetWindowsHookEx (WH_KEYBOARD_LL)

Execution model:

  • Continuous message loop:
    • PeekMessage
    • DispatchMessage

Fig 18: Keylogging using WH_KEYBOARD_LL Hook
Fig 19: Attacker performing unauthorized keylogging on victim system

Remote Control Capabilities

HVNC (Hidden Virtual Desktop)

The HVNC module operates by creating an alternate desktop context, enabling attacker interaction within an isolated graphical session that is not visible to the active user environment.

Fig 20: HVNC Initialization and Handling
Fig 21: Attacker performing HVNC on victim system

RDP

  • Direct interaction with user desktop
  • Visible to victim

Fig 22: RDP Stream initialization and Thread launch

Network Communication & System Profiling

After connection, the malware collects:

  • Username
  • OS version
  • System uptime
  • Active window
  • GPU details

Fig 23: Network communication and Sending Client information
Fig 24: System profiling

This profiling enables the operator to tailor post-exploitation actions based on host characteristics and user activity context.

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Observed Activity |
| Execution | T1059.001 | PowerShell | Executes PowerShell commands to disable Defender and run payloads |
| Execution | T1106 | Native API | Uses Windows APIs for process creation, injection, and system interaction |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Adds entry in RunOnce (RuntimeBroker) for execution at logon |
| Persistence | T1543.003 | Windows Service | Creates persistent service (WindowsHealthMonitor) with auto-restart |
| Persistence | T1053.005 | Scheduled Task | Task creation observed via [artifact: schtasks.exe / TaskCache registry / XML definition] |
| Persistence | T1542.003 | Boot/Logon Autostart (Recovery) | Observed interaction with recovery-related execution paths or offline persistence locations (details omitted for brevity) |
| Defense Evasion | T1562.001 | Impair Defenses | Disables Microsoft Defender and security protections |
| Defense Evasion | T1546.012 | IFEO Injection | Uses IFEO Debugger to block execution of security tools |
| Defense Evasion | T1562.004 | Disable or Modify System Firewall | Firewall or network filtering configuration changes observed via system utilities or registry modifications |
| Defense Evasion | T1036 | Masquerading | Uses deceptive names like RuntimeBroker to appear legitimate |
| Defense Evasion | T1222.001 | File and Directory Permissions Modification | Hides files and directories using attributes |
| Defense Evasion | T1564.001 | Hidden Files and Directories | Sets hidden/system attributes for stealth |
| Credential Access | T1555.003 | Credentials from Web Browsers | Extracts browser credentials via execution of a local decryption module (abe_decrypt.dll) |
| Credential Access | T1056.001 | Keylogging | Uses SetWindowsHookEx for keystroke logging |
| Discovery | T1082 | System Information Discovery | Collects OS, username, uptime, GPU, etc. |
| Discovery | T1057 | Process Discovery | Enumerates running processes |
| Discovery | T1010 | Application Window Discovery | Captures active window title |
| Collection | T1113 | Screen Capture | Captures screenshots |
| Collection | T1125 | Video Capture | Captures webcam data |
| Collection | T1123 | Audio Capture | Records microphone input |
| Command and Control | T1071 | Application Layer Protocol | Communicates with C2 over TCP |
| Command and Control | T1090 | Proxy | Implements SOCKS proxy and reverse tunneling |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sends collected data (credentials, system info) to C2 |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | Supports RDP sessions |
| Lateral Movement | T1563.002 | Remote Service Session Hijacking (HVNC) | Uses hidden virtual desktop (HVNC) for control |

Detection Logic & Correlation

High-Confidence Detection Chain:

  • IFEO Debugger registry modification
  • Followed by:
    • Execution of sc.exe or net.exe
    • AND PowerShell-based Defender tampering

Medium-Confidence Indicators:

  • Creation of abe_decrypt.dll in temporary directories
  • Followed by browser process termination

Low-Confidence Indicators (Contextual):

  • Hidden/system file attributes applied
  • Persistent outbound custom TCP sessions
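To make the correlation chains above concrete, here is an added Python example (not from the report or from any vendor product) that applies both the high-confidence and the medium-confidence sequences to constructed endpoint telemetry. The event schema, the ten-minute window, the ExampleAV.exe image name and the host/user names are assumptions.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window, not from the report
LOLBINS = {"sc.exe", "net.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
IFEO_RE = re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)
DEFENDER_RE = re.compile(r"Set-MpPreference\s.*-Disable|DisableAntiSpyware", re.I)

# Constructed telemetry (not from the report): ws01 shows the high-confidence chain,
# ws02 only the medium-confidence credential-module sequence.
EVENTS = [
    {"ts": "2024-01-01T10:00:05", "host": "ws01", "kind": "registry_set", "data": "cmd.exe /c echo",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExampleAV.exe\Debugger"},
    {"ts": "2024-01-01T10:00:09", "host": "ws01", "kind": "process_start", "image": "sc.exe"},
    {"ts": "2024-01-01T10:00:12", "host": "ws01", "kind": "process_start", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-01-01T11:30:00", "host": "ws02", "kind": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\abe_decrypt.dll"},
    {"ts": "2024-01-01T11:30:03", "host": "ws02", "kind": "process_terminate", "image": "chrome.exe"},
]

def _within(events, anchor, pred):
    """True if some event after `anchor` and inside WINDOW satisfies pred."""
    t0 = datetime.fromisoformat(anchor["ts"])
    return any(pred(e) for e in events
               if t0 < datetime.fromisoformat(e["ts"]) <= t0 + WINDOW)

def correlate(events):
    """Return {host: 'high' | 'medium'} according to the two detection chains."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    verdicts = {}
    for host, evs in by_host.items():
        for e in evs:
            # High confidence: IFEO Debugger write, then sc/net AND PowerShell Defender tampering
            if e["kind"] == "registry_set" and IFEO_RE.search(e["target"]):
                lolbin = _within(evs, e, lambda x: x["kind"] == "process_start" and x["image"].lower() in LOLBINS)
                tamper = _within(evs, e, lambda x: x["kind"] == "process_start"
                                 and DEFENDER_RE.search(x.get("cmdline", "")))
                if lolbin and tamper:
                    verdicts[host] = "high"
            # Medium confidence: abe_decrypt.dll dropped in a temp directory, then a browser killed
            low = e.get("path", "").lower()
            if e["kind"] == "file_create" and low.endswith("\\abe_decrypt.dll") and "\\temp\\" in low:
                if _within(evs, e, lambda x: x["kind"] == "process_terminate" and x["image"].lower() in BROWSERS):
                    verdicts.setdefault(host, "medium")
    return verdicts
```

Dropping the PowerShell event from ws01 leaves only the sc.exe execution after the IFEO write, which the chain deliberately does not escalate on its own.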

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

| SHA-256 | Filename |
| f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d | Crysome.Client.exe |
| fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3 | Crysome.Server.dll |
| c8836a733b3df2b4bfd861b81e3452a0bc169ffe707f483a06f7ad89a4cc2965 | abe_decrypt.dll |

Domain

| Indicator | Type |
| Crysome[.]net | Domain |

Conclusion

CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control. While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments.

Its commercialization and availability in cracked forms significantly increase its threat surface, particularly among lower-tier threat actors.

Contributors:

Abhishek Samdole
Pandurang Terkar
Rudra Pratap