Full Report
EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns. Through a series of operational security […] The post Unveiling EncryptHub: Analysis of a multi-stage malware campaign appeared first on Outpost24.
Analysis Summary
# Threat Actor: EncryptHub (Rising Cybercriminal Entity)
## Attribution & Identity
The entity is referred to as **EncryptHub**. The analysis was conducted by Outpost24’s KrakenLabs Intelligence Team. Attribution is partial, based on operational security (OPSEC) missteps, including exposed Telegram bot configurations and directory listings on infrastructure. Files were signed using a certificate issued to **HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY**.
## Activity Summary
EncryptHub is involved in a multi-stage malware campaign focusing on information stealing and potential future Remote Access Tool (RAT) distribution.
- **Campaign Focus:** Multi-stage attack chains utilizing PowerShell scripts for system data gathering, evasion, payload injection (often Base64 embedded), and deployment of further information stealers.
- **Distribution Methods:** Spreading trojanized versions of popular legitimate applications (QQ Talk, WeChat, DingTalk, VooV Meeting, Google Meet, VS 2022, Palo Alto GlobalProtect) between November 25th, 2024, and January 1st, 2025. They also utilize third-party Pay-Per-Install (PPI) services like **LabInstalls**.
- **Future Development:** The actor is developing a Remote Access Tool named **EncryptRAT**, complete with a C2 panel, which they plan to sell or distribute soon.
- **Vulnerability Awareness:** They pay attention to the cybersecurity landscape and actively incorporate popular vulnerabilities into their ongoing campaigns.
## Tactics, Techniques & Procedures
EncryptHub employs a complex, multi-stage attack chain involving several PowerShell scripts (`payload.ps1`, `runner.ps1`).
- **Initial Access:** Trojanized applications and third-party distribution via PPI services (MITRE ATT&CK T1608.004, Stage Capabilities: Drive-by Target; potentially T1210, Exploitation of Remote Services, inferred from a generalized capability list).
- **Execution:** Command and Scripting Interpreter: PowerShell (T1059.001).
- **Defense Evasion:** Obfuscated Files or Information (T1027); Impair Defenses (T1562.001).
- **Credential Access:** Credentials from Password Stores (T1555.003); Data from Information Repositories (T1213).
- **Discovery:** System Information Discovery (T1082).
- **Collection:** Data from Local System (T1005).
- **Exfiltration:** Exfiltration Over Web Service (T1567.002); Exfiltration Over Command and Control Channel (T1041).
- **Command and Control:** Application Layer Protocol: Web Protocol (T1071.001); Remote Access Tools (T1219).
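The Base64-embedded payload stages described above leave a recognizable trace in PowerShell Script Block Logging. The following is an added triage script, not code from the Outpost24 report or from EncryptHub's tooling; it assumes script block logging (Event ID 4104) is enabled and that a seven-day lookback is acceptable.

```powershell
# Added example (not from the report): review PowerShell Script Block Logging
# (Event ID 4104; requires script block logging to be enabled) for the
# Base64-embedded payload pattern used by the campaign's PowerShell stages.
# The lookback window and keyword list are assumptions; tune them locally.
$Since    = (Get-Date).AddDays(-7)
$Patterns = @('FromBase64String', '-EncodedCommand', '-enc ', 'IEX', 'Invoke-Expression')

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($ev in $Events) {
    # In 4104 events, Properties[2] holds the logged script block text.
    $text = $ev.Properties[2].Value
    if (-not $text) { continue }
    $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
    if (-not $hits) { continue }

    # Extract long Base64 runs and decode them for a short plaintext preview, so an
    # analyst can see whether the blob is an embedded PE ('MZ' header) or more script.
    # Note: -EncodedCommand payloads are UTF-16LE, so their UTF-8 preview looks spaced out.
    $blobs   = [regex]::Matches($text, '[A-Za-z0-9+/]{200,}={0,2}') | ForEach-Object { $_.Value }
    $preview = foreach ($b in $blobs) {
        try {
            $bytes = [Convert]::FromBase64String($b)
            if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                'embedded PE (MZ header)'
            } else {
                [Text.Encoding]::UTF8.GetString($bytes, 0, [Math]::Min(80, $bytes.Length))
            }
        } catch { 'base64 decode failed' }
    }

    [pscustomobject]@{
        Time     = $ev.TimeCreated
        Host     = $ev.MachineName
        Patterns = ($hits -join ', ')
        Blobs    = @($blobs).Count
        Preview  = (@($preview) -join ' | ')
    }
}
```

Each emitted object is one script block worth a closer look; feed the Path/ScriptBlockId fields of the matching events into your case notes rather than relying on the 80-byte preview alone.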
## Targeting
- **Sectors:** Targets are prioritized based on specific high-value attributes: **cryptocurrency ownership, corporate network affiliation, and the presence of VPN software.** This suggests targeting of high-net-worth individuals, finance, and corporate remote workers.
- **Geography:** Not explicitly detailed, but the use of applications like QQ Talk/WeChat suggests a strong presence or initial focus on East Asian markets, alongside general corporate targets via VPN/VS2022 lures.
- **Victims:** Specific organizations were not named, but the targeting vectors imply focus on corporate networks and crypto users.
## Tools & Infrastructure
- **Malware Families used:** Multi-stage PowerShell scripts, an unclassified **HTML Loader**, and the planned **EncryptRAT**. An external reference also mentions integration with, or deployment of, **Fickle Stealer**.
- **Infrastructure (C2, domains, IPs):**
* Observed phishing domain: `paloaltonworks[.]com` (used for trojanized Palo Alto GlobalProtect installer).
* Infrastructure OPSEC failures revealed Telegram bot configurations used for exfiltration tracking.
* Various file hashes associated with dropped executables (`connect.exe`, `reCAPCHA.exe`, `buzztalk_weaponised.exe`, `google-meets.exe`).
## Implications
EncryptHub represents a rapidly evolving criminal entity focused on sophisticated multi-stage delivery and strong collection capabilities targeting financial and corporate credentials. Their transition from selling stolen data to potentially selling or deploying their own commercial-grade RAT (**EncryptRAT**) signals increased operational maturity and potential future risk diversification. The actor's OPSEC failures, turned into actionable intelligence by analysts, provide deep insight into how they currently manage their operational lifecycle.
## Mitigations
- **Application Integrity:** Exercise extreme caution with software installations, especially third-party/PPI service downloads. Verify application signatures, particularly for widely used corporate tools (e.g., GlobalProtect, VS 2022).
- **Code Signing Validation:** Monitor for files signed by the identified certificate holder, **HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY**, and immediately remove trust in that certificate (block it and pursue revocation) if it is encountered.
- **Credential Hygiene:** Implement strong multi-factor authentication (MFA) everywhere, especially for cryptocurrency accounts and corporate network access (VPN).
- **Network Monitoring:** Monitor outbound connections for signs of C2 communication associated with Remote Access Tools (T1219) and suspicious PowerShell execution patterns (T1059.001).
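One way to operationalize the code-signing and application-integrity items above is a host sweep for the signer name and dropped-executable names the report lists. This is an added example, not code from the Outpost24 report; the scan roots are assumptions, and the report's own hash list remains the authority to compare the collected SHA256 values against.

```powershell
# Added example (not from the Outpost24 report): hunt for files whose Authenticode
# signer matches the certificate subject named in the report, plus the dropped
# executable names it lists. Scan roots are an assumption; adjust to your estate.
$SignerName = 'HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY'
$KnownNames = @('connect.exe', 'reCAPCHA.exe', 'buzztalk_weaponised.exe', 'google-meets.exe')
$ScanRoots  = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:ProgramData")  # assumed locations

$Findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file    = $_
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Match on the signer subject regardless of signature validity: a revoked or
        # untrusted certificate still ties the file to the campaign.
        $signerHit = $subject -like "*$SignerName*"
        $nameHit   = $KnownNames -contains $file.Name

        if ($signerHit -or $nameHit) {
            [pscustomobject]@{
                Path      = $file.FullName
                SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                Signer    = $subject
                SigStatus = $sig.Status
                Reason    = if ($signerHit -and $nameHit) { 'signer+name' }
                            elseif ($signerHit) { 'signer' } else { 'name' }
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No files matched the EncryptHub signer or dropped-executable names under the scanned roots."
}
```

A name-only hit on a benign file named `connect.exe` is plausible, so treat the `Reason` column as a triage priority rather than a verdict and confirm with the hash comparison.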