The Sysdig Threat Research Team (TRT) identified a threat actor named CRYSTALRAY, who has significantly expanded its operations since its initial detection in February 2024. CRYSTALRAY exploits multiple vulnerabilities and uses various open source security tools, such as SSH-Snake, zmap, asn, httpx, and nuclei, to conduct mass scanning, exploit systems, place backdoors, and maintain persistence. Their primary motivations include collecting and selling credentials, deploying cryptominers, and ensuring long-term access to victim environments.
CRYSTALRAY employs sophisticated techniques for reconnaissance, initial access, and lateral movement within compromised networks. They use tools like asn for precise IP-range targeting and zmap for efficient port scanning. After identifying candidate targets, they use httpx to confirm which hosts are live and nuclei to scan them for known vulnerabilities. This process lets them exploit specific CVEs while avoiding honeypots, improving both their stealth and their success rate. Once access is gained, they deploy tools like SSH-Snake to propagate through networks and collect further credentials, which are then used for additional attacks or sold on black markets.
To maintain control and persist within victim networks, CRYSTALRAY uses tools such as Sliver and Platypus. They execute scripts to deploy backdoors and cryptominers, maximizing their financial gain from compromised systems. Their operations highlight the importance of reducing attack surfaces through vulnerability management and implementing robust detection and prevention measures.
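The tool chain described in the two paragraphs above (asn/zmap for recon, httpx/nuclei for scanning, SSH-Snake for lateral movement, Sliver/Platypus for control) can be turned into a simple host-level correlation rule. The following is an added example, not code from the Sysdig report; the event format, the sample events, the severity tiers, and the assumption that SSH-Snake shows up as a command line containing `ssh-snake` are all constructed here.

```python
"""Correlate process-execution events per host against the CRYSTALRAY tool chain.

Added example (not from Sysdig's report). Tool names come from the report; the
event schema, sample events and severity tiers are constructed for illustration.
"""
import re
from collections import defaultdict

# Stage -> regex over the command line. The SSH-Snake indicator is an assumption
# (that the script is invoked under a name containing "ssh-snake").
STAGES = {
    "recon":   re.compile(r"\b(zmap|asn)\b"),
    "scan":    re.compile(r"\b(httpx|nuclei)\b"),
    "lateral": re.compile(r"ssh-snake", re.I),
    "c2":      re.compile(r"\b(sliver|platypus)\b", re.I),
}

def classify(cmdline):
    """Return the set of stage names whose indicator matches this command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}

def correlate(events):
    """Group events by host and rate each host by how much of the chain is present.

    Returns {host: {"stages": set_of_stages, "severity": str}}; hosts with no
    matching events are omitted.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify(ev["cmdline"])
    result = {}
    for host, stages in seen.items():
        if not stages:
            continue
        # A single scanner could be an authorised assessment; recon followed by
        # credential-driven lateral movement on the same host is not.
        if {"recon", "scan"} <= stages and "lateral" in stages:
            severity = "critical"
        elif "lateral" in stages or "c2" in stages:
            severity = "high"
        else:
            severity = "medium"
        result[host] = {"stages": stages, "severity": severity}
    return result

SAMPLE_EVENTS = [  # constructed process events, not real telemetry
    {"host": "web-01", "cmdline": "zmap -p 22 -o targets.txt"},
    {"host": "web-01", "cmdline": "httpx -l targets.txt -o live.txt"},
    {"host": "web-01", "cmdline": "nuclei -l live.txt"},
    {"host": "web-01", "cmdline": "bash /tmp/ssh-snake.sh"},   # placeholder path
    {"host": "db-02",  "cmdline": "nuclei -u internal.example -t checks/"},
    {"host": "ci-03",  "cmdline": "sshd -D"},
]

if __name__ == "__main__":
    for host, info in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, info["severity"], sorted(info["stages"]))
```

In production the same correlation would run over real process-exec telemetry (for example Falco or auditd events) rather than the constructed list, and the indicator list would be tuned to the environment.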