Cryptoistic is a macOS backdoor written in the Swift programming language that has been used by the Lazarus Group, a North Korean state-sponsored threat actor. Once on a system it can send and receive files, gather information about the user, delete files, and talk to its command-and-control (C2) server over an encrypted channel.
Cryptoistic Malware Capabilities
Cryptoistic uses a number of techniques to collect information from a compromised host and to move data in and out of it. It may transfer files over protocols such as FTP, encrypts its C2 communication, enumerates files and directories, and may delete files to cover its tracks.
- Cryptoistic may transfer tools or other files from an external system into the compromised environment, for example to stage additional payloads on the victim machine or on other hosts in the network. It may also identify the primary user, the currently logged-in user, or the set of users that commonly use the system, and shape its follow-on behaviour accordingly. Finally, it may communicate with its C2 server, or with other infected hosts, over a non-application-layer protocol, that is, directly on top of the network or transport layer rather than through an application protocol such as HTTP.
- Cryptoistic may search local system sources for sensitive data before exfiltrating it, and may use what it learns from file and directory discovery to decide what to collect and what to do next. Its C2 traffic is concealed with a known encryption algorithm.
- Using a known encryption algorithm keeps the C2 traffic hidden from casual inspection, but the protection is only as strong as the key. If the key is hard-coded in the binary or otherwise easy to recover, an analyst who reverse engineers the sample can decrypt captured C2 traffic.
Ways to Mitigate Cryptoistic Malware Attacks
- Monitor for file creation and for files transferred into the network. A process that holds an external network connection and then writes new files to disk, especially one that is not a browser, updater, or other known downloader, is worth examining. Analyze network traffic for ICMP messages or other non-application-layer protocols that carry abnormal data or are not normally seen inside or leaving the network.
- Monitor for system and network discovery activity (user, file, and directory enumeration) on hosts where it is not expected, since it often precedes collection and exfiltration. Where policy allows, SSL/TLS inspection can expose command-and-control traffic that would otherwise be hidden inside an encrypted channel. Note that an inspecting proxy only opens TLS sessions it terminates; a payload the malware encrypts itself with its own key stays opaque, so pair network inspection with the host-based monitoring above.
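The two host and network detections described in the bullets above, worked through as an added example (this is not code from this page nor from any published Cryptoistic analysis). It assumes an endpoint event feed of (timestamp, pid, process, kind, detail) tuples, treats RFC 1918, loopback and link-local addresses as internal, and assumes two benign ping payload shapes (iputils/BSD counting bytes after a timestamp, and the Windows alphabet string). All events, addresses (RFC 5737 documentation ranges) and packets are constructed for the example.

```python
"""Added example: the two detections from the mitigation notes, run over
constructed telemetry.  Rule 1 flags a process that opens an external network
connection and then creates a file; rule 2 flags ICMP echo payloads that do
not look like a standard ping."""
import ipaddress
import math
import struct

# ---- Rule 1: external connection followed by file creation -------------------
# RFC 1918, loopback and link-local count as internal; anything else is external.
# (ip.is_global is not used because it also excludes the RFC 5737 documentation
# ranges that stand in for real addresses in the sample events below.)
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
             "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(host: str) -> bool:
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in _INTERNAL)

def external_then_file_create(events, window=300, allow=frozenset()):
    """events: time-ordered (ts, pid, process, kind, detail) tuples; kind is
    "net_connect" (detail "ip:port") or "file_create" (detail path).  Returns a
    (pid, process, remote, path) alert for each file created by a process that
    reached an external address in the preceding `window` seconds.  `allow`
    lists processes that legitimately do this and must be baselined per fleet."""
    last_external = {}      # pid -> (ts, "ip:port") of the latest external connect
    alerts = []
    for ts, pid, proc, kind, detail in events:
        if kind == "net_connect" and is_external(detail.rsplit(":", 1)[0]):
            last_external[pid] = (ts, detail)
        elif kind == "file_create" and proc not in allow:
            seen = last_external.get(pid)
            if seen and ts - seen[0] <= window:
                alerts.append((pid, proc, seen[1], detail))
    return alerts

# Constructed endpoint events (assumed format; not real Cryptoistic telemetry).
EVENTS = [
    (100, 501, "Safari", "net_connect", "198.51.100.7:443"),
    (102, 501, "Safari", "file_create", "/Users/alice/Library/Caches/com.apple.Safari/Cache.db"),
    (200, 733, "backupd", "net_connect", "192.168.1.20:8080"),       # internal: ignored
    (201, 733, "backupd", "file_create", "/Volumes/Backup/manifest"),
    (300, 912, ".helper", "net_connect", "203.0.113.45:6666"),
    (305, 912, ".helper", "file_create", "/Users/alice/Library/Application Support/.cache/tool"),
    (1000, 912, ".helper", "file_create", "/tmp/late"),              # outside the window
]

# ---- Rule 2: abnormal ICMP echo payloads -------------------------------------
# Patterns assumed benign here (check against your own captures): iputils/BSD
# ping = 8-byte timestamp then bytes counting up from 0x10; Windows ping = the
# repeating alphabet below.  Anything else in an echo is reported with its entropy.
_WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

def _counting_ping(data: bytes) -> bool:
    body = data[8:]
    return bool(body) and all(b == (0x10 + i) & 0xFF for i, b in enumerate(body))

def _windows_ping(data: bytes) -> bool:
    n = len(_WINDOWS_PATTERN)
    return bool(data) and all(b == _WINDOWS_PATTERN[i % n] for i, b in enumerate(data))

def shannon_entropy(data: bytes) -> float:
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs) if data else 0.0

def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, checksum field zeroed."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def classify_icmp(pkt: bytes):
    """Return None for an echo that looks like a normal ping, else a reason string."""
    icmp_type, _code, csum, _ident, _seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) != csum:
        return "bad ICMP checksum"
    if icmp_type not in (0, 8):
        return None                  # only echo request/reply are scored here
    data = pkt[8:]
    if _counting_ping(data) or _windows_ping(data):
        return None
    return "non-standard echo payload: %d bytes, entropy %.2f bits/byte" % (
        len(data), shannon_entropy(data))

# Constructed packets: a Linux-style ping, a Windows-style ping, and an echo
# request carrying an opaque 32-byte blob where the ping pattern should be.
PACKETS = {
    "linux": build_echo(0x1234, 1, struct.pack("!Q", 1700000000) + bytes(range(0x10, 0x40))),
    "windows": build_echo(0x0001, 7, _WINDOWS_PATTERN),
    "tunnel": build_echo(0x1337, 1, b"\x00" * 8 + bytes.fromhex(
        "9c3ef1a0427bd85e61f30c9a2d7e48b1c0a5d36f8e2b7419d0c4a8f2e6b13957")),
}
```

Calling `external_then_file_create(EVENTS, allow={"Safari"})` returns only the `.helper` alert; without the allowlist Safari's cache write is flagged too, which is the tuning cost of this rule in practice. `classify_icmp` returns `None` for both reference pings and a reason string for the packet carrying the opaque blob; the entropy figure is a triage hint, not a verdict, since a tunnel carrying plain text commands would score low.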
About the Lazarus Group
The Lazarus Group is a North Korean state-sponsored cyber threat group that has been active since at least 2009.