Gracewire

Malware Profile Updated 3 months ago
Gracewire is spyware (a remote access trojan that may overlap with the FlawedGrace profile listed under cluster overlaps below) that has been used by two financially motivated groups: Sangria Tempest (also tracked as FIN7 and Carbon Spider) and Lace Tempest. It reaches endpoints through trojanized downloads, phishing email and malicious websites, usually without the user noticing, and once running it harvests passwords, banking information and other sensitive data. In the intrusions described on this page that collection phase is followed by lateral movement, data theft and ransomware deployment.

Sangria Tempest has used application installers to infect endpoints with Carbanak, the backdoor and loader the group has relied on since 2014; Carbanak then installs Gracewire. The group has also placed Google ads that lure users into downloading malicious MSIX packages. The package delivers POWERTRASH, which in turn loads NetSupport and Gracewire. Sangria Tempest has cooperated with Lace Tempest in past intrusions, indicating coordination between the two groups.

Lace Tempest exploited a vulnerability in the SysAid IT support software (CVE-2023-47246, listed under Associated Vulnerabilities below) and then issued commands through the compromised SysAid instance to deliver a malware loader for Gracewire. This is typically followed by hands-on-keyboard activity: lateral movement within the compromised network, data theft and ransomware deployment.

The continued activity of both groups shows that Gracewire remains an active threat and that patching and controls on application installers need to be kept current.
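The MSIX lure described above relies on a web page handing a package URL straight to Windows App Installer through the ms-appinstaller: protocol handler (the mechanism Microsoft later disabled, as the source references at the end of this profile report). The script below is an added example written for this page, not code from the profile or from any vendor named on it: it classifies a constructed list of links (made-up hosts, not real indicators) and flags every ms-appinstaller: invocation plus any direct download of an MSIX/AppInstaller package from a host outside a hypothetical allowlist. TRUSTED_PACKAGE_HOSTS, the sample links and the severity labels are assumptions to replace with your own.

```python
from urllib.parse import urlsplit, parse_qs

# File extensions App Installer handles; a link ending in one of these is a package download.
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Assumption: hosts your organisation legitimately serves packages from.
# Placeholder value for the example; replace with your own allowlist.
TRUSTED_PACKAGE_HOSTS = {"packages.corp.example"}


def classify_url(url, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """Return a finding dict for a suspicious link, or None if nothing stands out."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    if scheme == "ms-appinstaller":
        # Form: ms-appinstaller:?source=<package URL>. The handler passes the
        # source URL to App Installer without a normal browser download prompt,
        # so any use of it is worth a look; a trusted host only lowers severity.
        source = parse_qs(parts.query).get("source", [""])[0]
        host = urlsplit(source).hostname if source else None
        severity = "medium" if host in trusted_hosts else "high"
        return {"url": url, "severity": severity, "package_host": host,
                "reason": "ms-appinstaller protocol handler invoked"}

    if scheme in ("http", "https") and parts.path.lower().endswith(PACKAGE_EXTS):
        host = parts.hostname
        if host in trusted_hosts:
            return None
        return {"url": url, "severity": "medium", "package_host": host,
                "reason": "direct MSIX/AppInstaller package download from untrusted host"}

    return None


def scan(urls, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """Classify every link and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1}
    findings = [f for f in (classify_url(u, trusted_hosts) for u in urls) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample links (made-up hosts, not real indicators), as they might
# come out of browser history, an e-mail URL extractor or a web-proxy log.
SAMPLE_URLS = [
    "https://ads.example.test/click?campaign=zoom-download",
    "https://dl.example-lure.test/Zoom-Installer.msix",
    "ms-appinstaller:?source=https://dl.example-lure.test/ZoomInstaller.msixbundle",
    "https://intranet.example.test/index.html",
    "ms-appinstaller:?source=https://packages.corp.example/Tool.msix",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_URLS):
        print(f"[{f['severity']:6}] {f['reason']}: {f['url']} (host={f['package_host']})")
```

Run against the constructed sample it reports one high finding (the ms-appinstaller: link pointing at the lure host) and two medium ones. Hits against the allowlisted host are downgraded rather than dropped because a first-party software portal can legitimately use the same handler; the point is to make every invocation visible so it can be correlated with what ran on the receiving endpoint afterwards.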
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
FlawedGrace | 2 | FlawedGrace is a remote access trojan (RAT) associated with TA505 since 2017 and used extensively in cyberattacks. In June 2023 The DFIR Report described its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Loader, Microsoft, Vulnerability, Sysaid, Trojan, Backdoor, Malware Loader, Exploit, Implant, Malware Impl..., Spyware, Rat, Antivirus, Payload, Web Shell, Ransomware, Webshell, PowerShell, Lateral Move...
Associated Malware
ID | Type | Votes | Profile Description
Carbanak | Unspecified | 2 | Carbanak is a backdoor and loader that Sangria Tempest (FIN7) has used since 2014 to compromise computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
NetSupport | Unspecified | 1 | NetSupport is a legitimate remote-administration tool (NetSupport Manager) that is widely abused as a remote access trojan and has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It is delivered through suspicious downloads, emails, or websites and then used to steal personal information, disrupt operations, or
DarkGate | Unspecified | 1 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
EugenLoader | Unspecified | 1 | EugenLoader, also known as FakeBat, is a form of malware that was detected by Microsoft in mid-November 2023. It was distributed by an initial access broker known as Storm-1113 through search advertisements mimicking the Zoom app, with the malware delivered via bogus MSIX installers masquerading as
NetSupport RAT | Unspecified | 1 | NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
svchost.exe | Unspecified | 1 | svchost.exe is the legitimate Windows service host process; malware frequently injects code into it or names its own binaries after it to blend in with normal process listings. Such malware can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Associated Threat Actors
ID | Type | Votes | Profile Description
Sangria Tempest | Unspecified | 2 | Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russia-linked, financially motivated group is known for spear-phishing campaigns, malware distribution, and theft of payment card data. In m
Lace Tempest | Unspecified | 2 | Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
Carbon Spider | Unspecified | 1 | CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s
FIN7 | Unspecified | 1 | FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-47246 | Unspecified | 1 | CVE-2023-47246 is a critical zero-day vulnerability discovered in the SysAid IT support and management software solution. The flaw, identified as a path traversal vulnerability, has been exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware. This vulnerability allows
Source Document References
Information about the Gracewire malware was read from the documents corpus below (display limited to 20 results).
Source | Created At | Title
CERT-EU | 7 months ago | Microsoft disables online Windows App Installer after attackers abuse it (National Cyber Security Consulting)
CERT-EU | 7 months ago | Microsoft Disables App Installer After Feature is Abused for Malware
CERT-EU | 7 months ago | Financially motivated threat actors misusing App Installer (Microsoft Security Blog)
BankInfoSecurity | 7 months ago | Microsoft Disables Abused Application Installation Protocol
CERT-EU | 7 months ago | Microsoft disables app installation protocol abused by hackers (National Cyber Security Consulting)
CERT-EU | 7 months ago | Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks (National Cyber Security Consulting)
CERT-EU | 9 months ago | Microsoft and SysAid Find Clop Malware Vulnerability
Yoroi | 9 months ago | SysAid vulnerability actively exploited in the wild (Yoroi; original Italian title: Vulnerabilità su SysAid attivamente sfruttata in-the-wild)
CERT-EU | 8 months ago | Cyber Security Week In Review: November 17, 2023
CERT-EU | 8 months ago | SysAid Zero-Day Vulnerability Exploited by Threat Actors
CERT-EU | 9 months ago | Clop ransomware gang targets SysAid server bug
CERT-EU | 9 months ago | SysAid zero-day exploited by Clop ransomware group
CERT-EU | 9 months ago | CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
InfoSecurity-magazine | 9 months ago | MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
BankInfoSecurity | 9 months ago | MOVEit Hackers Turn to SysAid Zero-Day Bug
CERT-EU | 9 months ago | MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) (Help Net Security)
CERT-EU | 9 months ago | MOVEit cybercriminals behind SysAid zero-day attack
CERT-EU | 9 months ago | SysAid Zero-Day Vulnerability Exploited By Lace Tempest (Rapid7 Blog)
Malwarebytes | 9 months ago | Update now! SysAid vulnerability is actively being exploited by ransomware affiliate (Malwarebytes)