Gracewire

Malware updated 5 months ago (2024-05-04T23:17:45.308Z)

Download STIX

Preview STIX

Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, and even hold data hostage for ransom. Two groups known as Sangria Tempest (also referred to as FIN7 or Carbon Spider) and Lace Tempest have been associated with the use of Gracewire in their cyber intrusions. Sangria Tempest has been exploiting application installers to infect endpoints with Carbanak, a backdoor and loader used by the group since 2014. This in turn installs the Gracewire spyware, capable of stealing passwords, banking information, and other sensitive data. The group has also utilized Google ads to lure users into downloading malicious MSIX packages, leading to the delivery of POWERTRASH, which subsequently loads NetSupport and Gracewire. Furthermore, Sangria Tempest has cooperated with Lace Tempest in past intrusions, indicating a level of coordination between these threat actors. Lace Tempest, on the other hand, exploited a vulnerability in the SysAid software to deliver a malware loader for Gracewire. After exploiting this vulnerability, the group issued commands via the SysAid software to deliver the malware loader. This activity is typically followed by human-operated actions such as lateral movement within the compromised network, data theft, and ransomware deployment. The continued activities of these groups underline the persistent threat posed by Gracewire and the importance of robust cybersecurity measures.

Description last updated: 2024-05-04T22:30:15.045Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
FlawedGrace is a possible alias for Gracewire. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Loader

Microsoft

Sysaid

Vulnerability

Exploit

Trojan

Malware Loader

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Carbanak Malware is associated with Gracewire. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lace Tempest Threat Actor is associated with Gracewire. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi	Unspecified	2
The Sangria Tempest Threat Actor is associated with Gracewire. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura	Unspecified	2

Source Document References

Information about the Gracewire Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	9 months ago	Microsoft disables online Windows App Installer after attackers abuse it \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	9 months ago	Microsoft disables online Windows App Installer after attackers abuse it \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	10 months ago	Microsoft Disables App Installer After Feature is Abused for Malware
CERT-EU	10 months ago	Financially motivated threat actors misusing App Installer \| Microsoft Security Blog
BankInfoSecurity	10 months ago	Microsoft Disables Abused Application Installation Protocol
CERT-EU	10 months ago	Microsoft disables app installation protocol abused by hackers \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Microsoft and SysAid Find Clop Malware Vulnerability
Yori	a year ago	Vulnerabilità su SysAid attivamente sfruttata in-the-wild - Yoroi
CERT-EU	a year ago	Cyber Security Week In Review: November 17, 2023
CERT-EU	a year ago	SysAid Zero-Day Vulnerability Exploited by Threat Actors
CERT-EU	a year ago	Clop ransomware gang targets SysAid server bug
CERT-EU	a year ago	SysAid zero-day exploited by Clop ransomware group
CERT-EU	a year ago	CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
InfoSecurity-magazine	a year ago	MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
BankInfoSecurity	a year ago	MOVEit Hackers Turn to SysAid Zero-Day Bug
CERT-EU	a year ago	MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) - Help Net Security
CERT-EU	a year ago	MOVEit cybercriminals behind SysAid zero-day attack
CERT-EU	a year ago	SysAid Zero-Day Vulnerability Exploited By Lace Tempest \| Rapid7 Blog
Malwarebytes	a year ago	Update now! SysAid vulnerability is actively being exploited by ransomware affiliate \| Malwarebytes