GrayBravo MaaS Fuels Cybercrime with CastleLoader Malware

Malware-as-a-Service Operation 'GrayBravo' Supplies CastleLoader to Four Distinct Threat Clusters

MEDIUM
December 10, 2025
5m read
Malware, Threat Actor, Cyberattack

Related Entities

Threat Actors: GrayBravo, TAG-160, TAG-161

Other: CastleLoader, CastleRAT, Matanbuchus 3.0, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, Booking.com

Full Report

Executive Summary

Research from Recorded Future's Insikt Group has shed light on a prolific Malware-as-a-Service (MaaS) operation tracked as GrayBravo. This operation is responsible for the development and distribution of a malware loader named CastleLoader. The service is being utilized by at least four distinct threat activity clusters, enabling them to deploy a wide range of secondary payloads, including information stealers and remote access trojans (RATs). The campaigns demonstrate the specialization within the cybercrime economy, with different GrayBravo 'customers' targeting specific industries like logistics and hospitality using tailored lures. The rise of MaaS providers like GrayBravo lowers the barrier to entry for cybercrime, allowing less sophisticated actors to leverage advanced tools and infrastructure to conduct damaging attacks.


Threat Overview

GrayBravo operates as a wholesale supplier of malware, providing the initial access and loading capabilities that other criminal groups then use for their own ends. This specialization allows for greater efficiency and scale in the cybercrime ecosystem.

  • The Service (MaaS): GrayBravo provides CastleLoader, a malware designed to be the first stage of an infection, which then downloads and executes other malicious software.
  • The Customers: At least four separate threat clusters (e.g., TAG-160, TAG-161) are using CastleLoader.
  • The Payloads: The final payloads delivered by CastleLoader include well-known malware families such as RedLine Stealer, StealC Stealer, NetSupport RAT, and SectopRAT.
  • The Campaigns: The customer groups exhibit different TTPs and targeting:
    • TAG-160: Targets the logistics and transportation sectors using phishing and the "ClickFix" social engineering technique.
    • TAG-161: Uses phishing emails themed around Booking.com to drop CastleLoader and Matanbuchus 3.0.
    • Other clusters use malvertising and fake software update prompts for IT tools like Zabbix and RVTools.

Technical Analysis

CastleLoader serves as the initial foothold and delivery mechanism. The attack chains vary depending on the customer, but they share CastleLoader as a common component.

Example Attack Chain (TAG-160 - Logistics Sector)

  1. Initial Access (Phishing): An employee in a logistics company receives a phishing email impersonating a legitimate freight-matching platform. The email contains a link or attachment that leads to the "ClickFix" social engineering lure (T1566 - Phishing).
  2. User Execution: The user is tricked into pasting a command into their Run dialog, which uses curl or a similar tool to download and execute a script.
  3. CastleLoader Execution: The script downloads and runs CastleLoader. The loader establishes persistence on the machine and communicates with its C2 server to receive instructions (T1105 - Ingress Tool Transfer).
  4. Payload Deployment: The C2 server instructs CastleLoader to download and execute a secondary payload, such as RedLine Stealer.
  5. Action on Objectives: RedLine Stealer then harvests credentials from browsers, VPN clients, and other applications, exfiltrating the data to a separate C2 server controlled by TAG-160 (T1555 - Credentials from Password Stores).

This model allows GrayBravo to focus on developing and maintaining the loader and its infrastructure, while its customers focus on social engineering and monetizing the stolen data.

MITRE ATT&CK Mapping

Tactic | Technique ID | Name | Description
-------|--------------|------|------------
Initial Access | T1566 | Phishing | Various phishing techniques are used by GrayBravo's customers to deliver the initial lure.
Execution | T1204.002 | User Execution: Malicious File | The 'ClickFix' method relies on the user executing a malicious command.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Loaders like CastleLoader often use obfuscation to hide their C2 and payloads.
Command and Control | T1105 | Ingress Tool Transfer | CastleLoader's primary function is to download further payloads from the C2.
Credential Access | T1555 | Credentials from Password Stores | A common objective of the final payloads, like RedLine Stealer.

Impact Assessment

The MaaS model exemplified by GrayBravo has a multiplying effect on the threat landscape:

  • Democratization of Cybercrime: It enables actors with limited technical skills to launch sophisticated, multi-stage attacks.
  • Increased Attack Volume: By abstracting away the complexity of malware development, MaaS providers allow for a higher tempo of attacks across various sectors.
  • Diversified Targeting: As seen with the different customer clusters, MaaS allows for simultaneous campaigns against different industries (logistics, hospitality) using the same core malware.
  • Attribution Challenges: The use of a shared loader complicates attribution, as multiple distinct groups will leave similar initial indicators of compromise.

Cyber Observables for Detection

Type | Value | Description | Context | Confidence
-----|-------|-------------|---------|-----------
malware_family | CastleLoader | Signatures or behavioral rules specific to CastleLoader. | Antivirus, EDR. | high
domain | booking-pro[.]com | Example of a malicious domain used in Booking.com-themed phishing lures. | DNS logs, proxy logs. | high
url_pattern | /update/zabbix.exe | Fake software update URLs used in malvertising campaigns to drop the loader. | Web proxy logs, NIDS. | high
process_name | regsvr32.exe | Loaders often use legitimate Windows binaries like regsvr32.exe to execute malicious code. Monitor for unusual parent processes or network activity. | EDR, Sysmon. | medium

Detection & Response

  • Threat Intelligence: Subscribe to threat intelligence feeds that track MaaS providers like GrayBravo and their IOCs. This allows for proactive blocking of their infrastructure.
  • Layered Security: Since the initial vectors vary, a layered defense is crucial. This includes email security to block phishing, web filtering to block malvertising, and EDR to detect the loader's execution.
  • Behavioral Analysis: Focus on detecting core loader behavior, such as a process making a network connection, downloading a file, and then spawning a new, suspicious process. This pattern is common to most malware loaders.
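The loader pattern described above (a process connects out, writes a file, then spawns a suspicious child), together with the regsvr32.exe unusual-parent check from the observables table, as an added Python example that is not part of the original report; the Sysmon-style event layout, the sample records and the baseline of expected regsvr32.exe parents are constructed assumptions.

```python
"""Correlate Sysmon-style endpoint events for the loader pattern: a process
connects out, writes an executable, then spawns a child. Event layout,
sample records and the expected-parent baseline are constructed here."""
from collections import defaultdict

# Constructed sample events (not real telemetry). id mimics Sysmon:
# 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate.
EVENTS = [
    {"id": 1, "ts": 100, "pid": 500, "ppid": 400, "image": "powershell.exe", "parent": "explorer.exe"},
    {"id": 3, "ts": 101, "pid": 500, "dest": "203.0.113.10:443"},
    {"id": 11, "ts": 102, "pid": 500, "target": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"id": 1, "ts": 103, "pid": 501, "ppid": 500, "image": "upd.exe", "parent": "powershell.exe"},
    {"id": 1, "ts": 104, "pid": 502, "ppid": 501, "image": "regsvr32.exe", "parent": "upd.exe"},
    {"id": 1, "ts": 200, "pid": 600, "ppid": 400, "image": "regsvr32.exe", "parent": "msiexec.exe"},
    {"id": 3, "ts": 300, "pid": 700, "dest": "198.51.100.5:443"},  # connect only: no alert
]

WINDOW = 60  # max seconds between the parent's first connect and the child spawn
# Assumed baseline of parents that legitimately launch regsvr32.exe in this environment.
EXPECTED_REGSVR32_PARENTS = {"msiexec.exe", "services.exe", "explorer.exe"}
DROPPED_EXT = (".exe", ".dll", ".scr")

def correlate(events, window=WINDOW):
    """Return alert strings, in time order, for (1) a child spawned by a parent
    that connected out and then wrote a dropped binary within `window`, and
    (2) regsvr32.exe launched by a parent outside the expected baseline."""
    timeline = sorted(events, key=lambda e: e["ts"])
    by_pid = defaultdict(list)
    for ev in timeline:
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for ev in timeline:
        if ev["id"] != 1:
            continue
        if ev["image"].lower() == "regsvr32.exe" and ev["parent"].lower() not in EXPECTED_REGSVR32_PARENTS:
            alerts.append(f"regsvr32 from unexpected parent {ev['parent']} (pid {ev['pid']})")
        # Look only at what the parent did before this spawn.
        hist = [h for h in by_pid[ev["ppid"]] if h["ts"] <= ev["ts"]]
        connects = [h["ts"] for h in hist if h["id"] == 3]
        writes = [h for h in hist if h["id"] == 11 and h["target"].lower().endswith(DROPPED_EXT)]
        if connects and writes and ev["ts"] - connects[0] <= window \
                and any(c <= w["ts"] for c in connects for w in writes):
            alerts.append(f"loader pattern: pid {ev['ppid']} connected, wrote "
                          f"{writes[0]['target']}, spawned {ev['image']} (pid {ev['pid']})")
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The sample run raises two alerts: the connect/write/spawn chain under pid 500 and regsvr32.exe launched by the dropped binary; the lone outbound connection from pid 700 and regsvr32.exe under msiexec.exe stay silent.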

Mitigation

  1. User Training: Since many of the campaigns rely on social engineering (phishing, fake updates), continuous user awareness training is a critical first line of defense.
  2. Email Security Gateway: Use an advanced email security solution to detect and block phishing emails with malicious links or attachments.
  3. Application Control (D3-EAL: Executable Allowlisting): Implement application allowlisting to prevent unauthorized executables, including loaders like CastleLoader, from running in your environment.
  4. Web Filtering: Use a web filtering solution to block access to known malicious domains and categories associated with malvertising.

Timeline of Events

December 10, 2025: This article was published

MITRE ATT&CK Mitigations

  • Train users to identify and report phishing attempts and social engineering lures.
  • Use web filters to block access to known malicious domains and categories associated with malvertising.
  • Use application control to prevent unknown loaders like CastleLoader from executing.

D3FEND Defensive Countermeasures

To combat the varied delivery methods used by GrayBravo's customers, such as Booking.com lures and fake Zabbix updates, organizations need robust URL analysis at the network edge. This involves using a secure web gateway or DNS filtering service that can inspect URLs in real-time. The service should categorize and block access to newly registered domains, known malicious domains, and sites associated with malvertising. For the Booking.com-themed attacks, the system should be able to identify typosquatted domains and block them. For the fake software updates, it should block downloads from non-official domains. This automated filtering of web traffic is a critical defense layer that can prevent the initial download of CastleLoader, regardless of whether the entry vector is a phishing email or a malicious ad.
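The edge URL policy described above (brand lookalike domains, newly registered domains, and executable "updates" served from non-official hosts), as an added Python example that is not part of the original report; the official-domain lists, the domain registration ages and the sample URLs are constructed assumptions, and the eTLD+1 logic is a deliberate simplification of what a real gateway does with the Public Suffix List.

```python
"""Toy secure-web-gateway policy for the edge-filtering controls described
above. Official domain lists, domain ages and sample URLs are constructed."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allowlist: brand -> official registrable domains (constructed, not exhaustive).
OFFICIAL = {"booking": {"booking.com"}, "zabbix": {"zabbix.com"}}
UPDATE_HINTS = ("update", "download", "setup", "installer")  # path tokens typical of fake-update lures
EXEC_EXT = (".exe", ".msi", ".js", ".hta")
MIN_DOMAIN_AGE_DAYS = 30
# Constructed days-since-registration, standing in for a WHOIS/RDAP lookup.
DOMAIN_AGE = {"booking.com": 9000, "zabbix.com": 6000, "booking-pro.com": 7, "cdn-patch.example": 400}

def refang(url):
    """Accept defanged indicators as written in reports (hxxp, [.])."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def registrable(host):
    """Crude eTLD+1: last two labels (fine for .com/.net; use the PSL in production)."""
    return ".".join(host.lower().split(".")[-2:])

def evaluate(url):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    p = urlparse(refang(url))
    host, path = p.hostname or "", p.path.lower()
    dom = registrable(host)
    label = dom.split(".")[0]
    # Rule 1: brand lookalikes (substring or near-miss spelling) that are not the official domain.
    for brand, official in OFFICIAL.items():
        if dom in official:
            break
        if brand in label or SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return "block", f"lookalike of {brand}: {dom}"
    # Rule 2: newly registered domains; an unknown age is treated as new.
    if DOMAIN_AGE.get(dom, 0) < MIN_DOMAIN_AGE_DAYS:
        return "block", f"newly registered or unknown domain: {dom}"
    # Rule 3: executable 'updates' for a known product must come from that vendor's domain.
    fname = path.rsplit("/", 1)[-1]
    if fname.endswith(EXEC_EXT) and any(h in path for h in UPDATE_HINTS):
        vendor = OFFICIAL.get(fname.rsplit(".", 1)[0])
        if not vendor or dom not in vendor:
            return "block", f"executable update from non-official domain: {dom}{path}"
    return "allow", "no policy match"

if __name__ == "__main__":
    for u in ("hxxps://booking-pro[.]com/reservation/confirm", "https://www.booking.com/hotel/x",
              "https://cdn-patch.example/update/zabbix.exe", "https://www.zabbix.com/download/zabbix.exe"):
        print(u, "->", evaluate(u))
```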

Sources & References

Weekly Intelligence Report – 12 December 2025
CYFIRMA (cyfirma.com) December 10, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

MaaS, GrayBravo, CastleLoader, Cybercrime, RedLine Stealer, Logistics
