Gracewire

Malware Profile Updated 13 days ago
Gracewire is a malware family deployed by financially motivated threat actors to compromise and control endpoints; it is likely the same family other vendors track as FlawedGrace (see Possible Aliases below). Two groups tracked by Microsoft, Sangria Tempest (also referred to as FIN7 or Carbon Spider) and Lace Tempest, have been associated with Gracewire in their intrusions, and the two have cooperated in past intrusions, indicating a level of coordination between them.

Sangria Tempest has abused application installers to infect endpoints with Carbanak, a backdoor and loader the group has used since 2014. Carbanak in turn installs Gracewire, described in the reporting as spyware capable of stealing passwords, banking information and other sensitive data. The group has also used Google ads to lure users into downloading malicious MSIX packages; the package delivers POWERTRASH, a PowerShell-based loader, which then loads the NetSupport remote access tool and Gracewire. Microsoft later disabled the ms-appinstaller protocol handler in response to this abuse (see the source documents below).

Lace Tempest exploited a zero-day vulnerability in the SysAid IT support software (CVE-2023-47246) to deliver a malware loader for Gracewire. After exploitation, the group issued commands through the SysAid software to deliver the loader. This initial access is typically followed by hands-on-keyboard activity: lateral movement within the compromised network, data theft and ransomware deployment.

The continued activity of both groups underlines the persistent threat posed by Gracewire and the importance of robust defensive measures.
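Both delivery chains above leave the same early footprint on an endpoint: a shell interpreter spawned by a process that should not normally launch one (the App Installer handler or an MSIX-installed app on the Sangria Tempest side, the SysAid server process on the Lace Tempest side). The following is an added example, not code from this profile or from any vendor, that turns that observation into a small process-lineage hunt over constructed, Sysmon-style process-creation events. The assumption that the SysAid server runs as java.exe under a path containing "SysAid", the WindowsApps path heuristic for MSIX-installed apps, and every hostname, path and command line in the sample are constructed for this example; the PowerShell-flag check is a generic loader heuristic, not a POWERTRASH signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields; constructed for this example."""
    host: str
    parent_image: str
    image: str
    command_line: str


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: App Installer and MSIX-installed apps run from the WindowsApps folder.
WINDOWSAPPS_RE = re.compile(r"\\windowsapps\\", re.IGNORECASE)
# Assumption: the SysAid server (Tomcat) runs as java.exe under a path containing 'sysaid'.
SYSAID_RE = re.compile(r"sysaid", re.IGNORECASE)
# Generic PowerShell loader traits (encoded/hidden command, download-and-run); not a POWERTRASH signature.
LOADER_FLAGS_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w|windowstyle)\b"
    r"|invoke-expression|\biex\b|downloadstring|frombase64string",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Names of the rules one event matches, in evaluation order; [] if none fire."""
    child = basename(ev.image)
    parent = basename(ev.parent_image)
    if child not in SHELLS:
        return []
    hits: List[str] = []
    if parent == "appinstaller.exe":
        hits.append("appinstaller_spawns_shell")       # ms-appinstaller handler -> shell
    elif WINDOWSAPPS_RE.search(ev.parent_image):
        hits.append("msix_app_spawns_shell")           # any MSIX-installed app -> shell
    if parent == "java.exe" and SYSAID_RE.search(ev.parent_image):
        hits.append("sysaid_server_spawns_shell")      # SysAid server -> shell
    # Only escalate on loader-style flags when a lineage rule already fired, to keep noise down.
    if hits and LOADER_FLAGS_RE.search(ev.command_line):
        hits.append("loader_style_powershell")
    return hits


def hunt(events: Iterable[ProcEvent]) -> Dict[str, List[str]]:
    """Map each host to the sorted set of rules that fired there; hosts with no hits are omitted."""
    findings: Dict[str, set] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.host, set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}


# Constructed sample telemetry: one MSIX-chain host, one SysAid server, one benign workstation.
SAMPLE_EVENTS = [
    ProcEvent(
        "ws-017",
        r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.3421.0_x64__8wekyb3d8bbwe\AppInstaller.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    ),
    ProcEvent(
        "srv-sysaid-01",
        r"C:\Program Files\SysAidServer\tomcat\bin\java.exe",
        r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c powershell -nop -w hidden -ep bypass -f C:\\Windows\\Temp\\user.ps1",
    ),
    ProcEvent(
        "ws-042",
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -File C:\\Scripts\\backup.ps1",
    ),
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The lineage rules are the signal; the command-line check only adds confidence once lineage has already fired, so a help-desk script that legitimately runs PowerShell from explorer.exe (the ws-042 event) produces nothing. Tune the parent-path assumptions to the actual SysAid install location and App Installer package path in your environment before relying on them.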
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
FlawedGrace (2 votes): FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It received renewed attention in June 2023 when The DFIR Report documented its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Microsoft
Sysaid
Vulnerability
Exploit
Trojan
Malware Loader
Backdoor
Associated Malware
ID / Type / Votes / Profile Description
Carbanak (type: Unspecified; 2 votes): Carbanak is a potent form of malware, short for malicious software, which infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Carbanak can steal personal information, disrupt operations, or even hold data hostage for ransom. The
Associated Threat Actors
ID / Type / Votes / Profile Description
Lace Tempest (type: Unspecified; 2 votes): Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
Sangria Tempest (type: Unspecified; 2 votes): Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the Gracewire malware was read from the documents corpus below (display limited to 20 results).
Source (Created At): Title
CERT-EU (6 months ago): Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability | Zscaler
Malwarebytes (6 months ago): Update now! SysAid vulnerability is actively being exploited by ransomware affiliate | Malwarebytes
Yoroi (6 months ago): SysAid vulnerability actively exploited in the wild - Yoroi
CERT-EU (6 months ago): SysAid zero-day exploited by Clop ransomware group
CERT-EU (5 months ago): Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | National Cyber Security Consulting
CERT-EU (6 months ago): MOVEit cybercriminals behind SysAid zero-day attack
CERT-EU (5 months ago): Financially motivated threat actors misusing App Installer | Microsoft Security Blog
CERT-EU (6 months ago): Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability
CERT-EU (6 months ago): MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) - Help Net Security
InfoSecurity-magazine (6 months ago): MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
BankInfoSecurity (6 months ago): MOVEit Hackers Turn to SysAid Zero-Day Bug
CERT-EU (6 months ago): SysAid Zero-Day Vulnerability Exploited by Threat Actors
CERT-EU (6 months ago): Clop ransomware gang targets SysAid server bug
CERT-EU (6 months ago): SysAid Zero-Day Vulnerability Exploited By Lace Tempest | Rapid7 Blog
CERT-EU (6 months ago): Microsoft and SysAid Find Clop Malware Vulnerability
CERT-EU (6 months ago): Cyber Security Week In Review: November 17, 2023
CERT-EU (5 months ago): Microsoft disables app installation protocol abused by hackers | National Cyber Security Consulting
BankInfoSecurity (5 months ago): Microsoft Disables Abused Application Installation Protocol
CERT-EU (4 months ago): Microsoft disables online Windows App Installer after attackers abuse it | National Cyber Security Consulting