CRYSTALRAY, a newly discovered threat actor, utilizes multiple open-source software (OSS) to grow its credential stealing and cryptomining operations. Researchers first identified this threat actor in February by tracking their use of the OSS SSH-Snake penetration testing tool to exploit vulnerabilities in the Atlassian Confluence platform. CRYSTALRAY has since expanded its arsenal using OSS tools such as ASN, ZMap, Httpx, Nuclei, and Platypus. CRYSTALRAY has targeted over 1,800 IPs, which will likely continue to grow.

CRYSTALRAY takes advantage of a mix of legitimate and malicious OSS tools during its attack chain. Many of these tools are sourced from ProjectDiscovery, a security platform that produces tools used by defenders. They begin their attack with ASN to receive a complete account of open ports, known vulnerabilities, and a listing of both software and hardware utilized by the system. ASN’s other benefit is that it can discover this information without sending packets that could potentially alert a target to an upcoming attack. This activity is followed by the use of ZMap, which scans specified ports for vulnerable services. Httpx is used to verify if a domain is live, followed by Nuceli to identify exploitable weaknesses in the attack surface.

Once an exploit is discovered, CRYSTALRAY uses a public proof-of-concept exploit to drop its malicious payload. The payload is often Sliver, a red team framework that allows CRYSTALRAY to connect to a command and control (C2) network, or Platypus , a web-based manager that can handle up to 400 reverse shell sessions on a breached system. The threat actors use SSH-Snake to discover SSH keys and credentials, which are used for
lateral movement. The stolen credentials, especially those associated with cloud platforms and software-as-a-service email platforms, are often sold in underground marketplaces for a profit. Additionally, CRYSTALRAY typically loads cryptominers into a victim’s system using the stolen resources for further profit.

Recommendations

• Keep systems up to date and apply patches after appropriate testing.
• Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
• Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
• Establish a continuous monitoring and audit process to monitor existing SSH keys.
• Maintain robust and up-to-date endpoint detection tools on every endpoint.
• Consider leveraging behavior-based detection tools rather than signature-based tools.
• Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.