{"id":7406,"date":"2024-02-24T10:10:00","date_gmt":"2024-02-24T10:10:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&p=7406"},"modified":"2026-05-22T12:51:53","modified_gmt":"2026-05-22T11:51:53","slug":"krustyloader-windows-variant-dropped-via-screenconnect-exploit","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/krustyloader-windows-variant-dropped-via-screenconnect-exploit\/","title":{"rendered":"KrustyLoader Windows variant dropped via ScreenConnect exploit"},"content":{"rendered":"\n
\n
\n

\n KrustyLoader Windows variant dropped via ScreenConnect exploit<\/span><\/h1>
\n
\n \n \n Software Protection <\/span>\n \n Threat intelligence <\/span>\n <\/span>\n \n 24 February, 2024 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n Share this <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \"\" <\/div>\n
\n

Mohammad Kazem Hassan Nejad<\/h3>\n \n

\n Senior Threat Intelligence Researcher, WithSecure <\/p>\n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n\n

\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

Latest in a 6-month mass exploitation campaign<\/span><\/h2>\n
\n

Executive Summary<\/h2>\n<\/div>\n
\n

Since proof-of-concept code was released for two vulnerabilities in ConnectWise ScreenConnect, en-mass exploitation has started from multiple threat actors. Researchers in the security industry have reported on attack chains they have observed which include using ScreenConnect to deploy password stealers, other remote management software, and commercial post-exploitation frameworks. Some intrusions have even ended up with Ransomware deployments.<\/p>\n

Internet scanners, such as the\u00a0ShadowServer foundation<\/a>\u00a0report that as of 21st<\/sup>\u00a0February, 2024 over 8,000 vulnerable instances of ScreenConnect were exposed to the internet. While this seems relatively low when comparing to recent vulnerabilities in VPN services, it is worth noting that ScreenConnect is a remote administration tool, used by managed services providers and IT service providers to manage multiple client organizations, and each ScreenConnect server can manage up to 150,000 clients. Considering this, the threat surface posed by this vulnerability is almost certainly significantly higher than the number of ScreenConnect server instances exposed to the internet.<\/p>\n

In such attacks, WithSecure\u2122 detected a threat actor exploiting ScreenConnect and deploying a new Windows variant of the malware dubbed KrustyLoader. KrustyLoader was first named by\u00a0Synacktiv<\/a>\u00a0in January 2024 when analysing implants dropped as part of a widespread campaign targeting the critical vulnerabilities in Ivanti ConnectSecure.\u00a0NB<\/i><\/b>: everybody who has the words \u2018connect\u2019 or \u2018secure\u2019 (\u2026we know) in your product name, PLEASE do a secure code review.<\/i><\/p>\n

The new version of KrustyLoader operates in a very similar way to that described by Synacktiv, however the variant observed by WithSecure is a Windows executable.<\/p>\n

As well as the Ivanti campaigns, WithSecure are also aware of implants showcasing similar behaviour in documented campaigns exploiting critical vulnerabilities in JetBrains TeamCity and ApacheMQ services. For this reason, we assess that the intrusion set behind this activity has been continually exploiting edge vulnerabilities for some time, possibly acting as an initial access broker, although we do not have insight into actions on objectives after a Sliver post-exploitation framework is deployed at the time of writing \u2013 an attack step common across the campaigns noted.<\/p>\n<\/div>\n

\n

Windows KrustyLoader Analysis<\/h2>\n<\/div>\n
\n

Initial infection chain<\/h3>\n<\/div>\n
\n

The threat actor drops a batch file called \u201cr.bat\u201d into the victim\u2019s system under two separate directories varying by victim, including:<\/p>\n