Four Threat Clusters Using Castleloader As Graybravo Expands Its...
Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.
The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150.
GrayBravo is "characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure," the Mastercard-owned company said in an analysis published today.
Some of the notable tools in the threat actor's toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor.
Recorded Future's latest analysis has uncovered four clusters of activity, each operating with distinct tactics -
The attacks mounted by TAG-160 are also notable for using fraudulent or compromised accounts created on freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance the credibility of its phishing campaigns. The activity, Recorded Future added, illustrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact.
It's been assessed with low confidence that the activity could be related to another unattributed cluster that targeted transportation and logistics companies in North America last year to distribute various malware families.
"GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware," Recorded Future said. "This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo's reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective."
Source: The Hacker News
