GrayBravo MaaS Fuels Cybercrime with CastleLoader Malware

Executive Summary

Research from Recorded Future's Insikt Group has shed light on a prolific Malware-as-a-Service (MaaS) operation tracked as GrayBravo. This operation is responsible for the development and distribution of a malware loader named CastleLoader. The service is being utilized by at least four distinct threat activity clusters, enabling them to deploy a wide range of secondary payloads, including information stealers and remote access trojans (RATs). The campaigns demonstrate the specialization within the cybercrime economy, with different GrayBravo 'customers' targeting specific industries like logistics and hospitality using tailored lures. The rise of MaaS providers like GrayBravo lowers the barrier to entry for cybercrime, allowing less sophisticated actors to leverage advanced tools and infrastructure to conduct damaging attacks.

Threat Overview

GrayBravo operates as a wholesale supplier of malware, providing the initial access and loading capabilities that other criminal groups then use for their own ends. This specialization allows for greater efficiency and scale in the cybercrime ecosystem.

The Service (MaaS): GrayBravo provides CastleLoader, a malware designed to be the first stage of an infection, which then downloads and executes other malicious software.
The Customers: At least four separate threat clusters (e.g., TAG-160, TAG-161) are using CastleLoader.
The Payloads: The final payloads delivered by CastleLoader include well-known malware families such as RedLine Stealer, StealC Stealer, NetSupport RAT, and SectopRAT.
The Campaigns: The customer groups exhibit different TTPs and targeting:
- TAG-160: Targets the logistics and transportation sectors using phishing and the "ClickFix" social engineering technique.
- TAG-161: Uses phishing emails themed around Booking.com to drop CastleLoader and Matanbuchus 3.0.
- Other clusters use malvertising and fake software update prompts for IT tools like Zabbix and RVTools.

Technical Analysis

CastleLoader serves as the initial foothold and delivery mechanism. The attack chains vary depending on the customer, but they share CastleLoader as a common component.

Example Attack Chain (TAG-160 - Logistics Sector)

Initial Access (Phishing): An employee in a logistics company receives a phishing email impersonating a legitimate freight-matching platform. The email contains a link or attachment that leads to the "ClickFix" social engineering lure (T1566 - Phishing).
User Execution: The user is tricked into pasting a command into their Run dialog, which uses curl or a similar tool to download and execute a script.
CastleLoader Execution: The script downloads and runs CastleLoader. The loader establishes persistence on the machine and communicates with its C2 server to receive instructions (T1105 - Ingress Tool Transfer).
Payload Deployment: The C2 server instructs CastleLoader to download and execute a secondary payload, such as RedLine Stealer.
Action on Objectives: RedLine Stealer then harvests credentials from browsers, VPN clients, and other applications, exfiltrating the data to a separate C2 server controlled by TAG-160 (T1555 - Credentials from Password Stores).

This model allows GrayBravo to focus on developing and maintaining the loader and its infrastructure, while its customers focus on social engineering and monetizing the stolen data.

MITRE ATT&CK Mapping

Tactic

Initial Access

Technique ID

T1566

Name

Phishing

Description

Various phishing techniques are used by GrayBravo's customers to deliver the initial lure.

Tactic

Execution

Technique ID

T1204.002

Name

User Execution: Malicious File

Description

The 'ClickFix' method relies on the user executing a malicious command.

Tactic

Defense Evasion

Technique ID

T1140

Name

Deobfuscate/Decode Files or Information

Description

Loaders like CastleLoader often use obfuscation to hide their C2 and payloads.

Tactic

Command and Control

Technique ID

T1105

Name

Ingress Tool Transfer

Description

CastleLoader's primary function is to download further payloads from the C2.

Tactic

Credential Access

Technique ID

T1555

Name

Credentials from Password Stores

Description

A common objective of the final payloads, like RedLine Stealer.

Impact Assessment

The MaaS model exemplified by GrayBravo has a multiplying effect on the threat landscape:

Democratization of Cybercrime: It enables actors with limited technical skills to launch sophisticated, multi-stage attacks.
Increased Attack Volume: By abstracting away the complexity of malware development, MaaS providers allow for a higher tempo of attacks across various sectors.
Diversified Targeting: As seen with the different customer clusters, MaaS allows for simultaneous campaigns against different industries (logistics, hospitality) using the same core malware.
Attribution Challenges: The use of a shared loader complicates attribution, as multiple distinct groups will leave similar initial indicators of compromise.

Cyber Observables for Detection

Type

malware_family

Value

CastleLoader

Description

Signatures or behavioral rules specific to CastleLoader.

Context

Antivirus, EDR.

Confidence

high

Type

domain

Value

booking-pro[.]com

Description

Example of a malicious domain used in Booking.com-themed phishing lures.

Context

DNS logs, proxy logs.

Confidence

high

Type

url_pattern

Value

/update/zabbix.exe

Description

Fake software update URLs used in malvertising campaigns to drop the loader.

Context

Web proxy logs, NIDS.

Confidence

high

Type

process_name

Value

regsvr32.exe

Description

Loaders often use legitimate Windows binaries like regsvr32.exe to execute malicious code. Monitor for unusual parent processes or network activity.

Context

EDR, Sysmon.

Confidence

medium

Detection & Response

Threat Intelligence: Subscribe to threat intelligence feeds that track MaaS providers like GrayBravo and their IOCs. This allows for proactive blocking of their infrastructure.
Layered Security: Since the initial vectors vary, a layered defense is crucial. This includes email security to block phishing, web filtering to block malvertising, and EDR to detect the loader's execution.
Behavioral Analysis: Focus on detecting core loader behavior, such as a process making a network connection, downloading a file, and then spawning a new, suspicious process. This pattern is common to most malware loaders.

Mitigation

User Training: Since many of the campaigns rely on social engineering (phishing, fake updates), continuous user awareness training is a critical first line of defense.
Email Security Gateway: Use an advanced email security solution to detect and block phishing emails with malicious links or attachments.
Application Control (D3-EAL: Executable Allowlisting): Implement application allowlisting to prevent unauthorized executables, including loaders like CastleLoader, from running in your environment.
Web Filtering: Use a web filtering solution to block access to known malicious domains and categories associated with malvertising.

To combat the varied delivery methods used by GrayBravo's customers, such as Booking.com lures and fake Zabbix updates, organizations need robust URL analysis at the network edge. This involves using a secure web gateway or DNS filtering service that can inspect URLs in real-time. The service should categorize and block access to newly registered domains, known malicious domains, and sites associated with malvertising. For the Booking.com-themed attacks, the system should be able to identify typosquatted domains and block them. For the fake software updates, it should block downloads from non-official domains. This automated filtering of web traffic is a critical defense layer that can prevent the initial download of CastleLoader, regardless of whether the entry vector is a phishing email or a malicious ad.

Malware-as-a-Service Operation 'GrayBravo' Supplies CastleLoader to Four Distinct Threat Clusters