Cryptone

Malware Profile Updated 3 months ago
CryptOne is a Delphi-based crypter, dating back to 2015, that has been used by several malware families including Gozi, Dridex, NetWalker, and WastedLocker. It is reportedly offered as a Crypter-as-a-Service and can detect and disable a list of security products. It was initially used by Qakbot, whose operators had their own set of crypters (CryptOne, Quartz, and Quixotic), but it has since been adopted by other malware families and variants, which suggests that it is a third-party service. More recently, former ITG23 actors have also used CryptOne to crypt malware other than Qakbot, including a NetSupport attack in the fall and a Vidar infostealer incident in March 2023. The range of families that rely on CryptOne shows how widely it is shared across the crimeware ecosystem. Malware packed with it reaches systems through suspicious downloads, emails, or websites; once inside, the payload can steal personal information, disrupt operations, or hold data hostage for ransom. The Indicators of Compromise (IoCs) listed for CryptOne are specifically associated with its use by Evil Corp: a sample crypted by CryptOne, as used by WastedLocker, has been discovered, and WastedLocker itself is protected with a custom crypter that Fox-IT InTELL refers to as CryptOne. Given CryptOne's use across multiple malware families, detection and defensive measures should be kept up to date against it.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

WastedLocker (2 votes): WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Crypter
Infostealer
Associated Malware
ID / Type / Votes / Profile Description

Gozi (type: Unspecified, 1 vote): Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c

QakBot (type: Unspecified, 1 vote): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e

Quixotic (type: Unspecified, 1 vote): Quixotic is a potent malware that has been used to crypt various ransomware samples, including BlackBasta and CobaltStrike. In May 2023, it was utilized to encrypt a BlackBasta ransomware sample, while in October 2022, it played a significant role in a CobaltStrike sample used in a BlackBasta attack

Netsupport (type: Unspecified, 1 vote): NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or

Vidar (type: Unspecified, 1 vote): Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Associated Threat Actors
ID / Type / Votes / Profile Description

Evil Corp (type: Unspecified, 1 vote): Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio

ITG23 (type: Unspecified, 1 vote): ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Cryptone malware was read from the document corpus below. This display is limited to 20 results.

Source / Created At / Title

MITRE (a year ago): WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

SecurityIntelligence.com (a year ago): The Trickbot/Conti Crypters: Where Are They Now?