CASHY200
Malware⚠️ Overview
Cashy200 is a modular information stealer and remote access trojan (RAT) first documented in early 2023 by researchers at ANY.RUN, believed to be operated by a financially motivated threat group tracked as TA570. It targets Windows systems and is distributed primarily through phishing campaigns using malicious ISO attachments and PowerShell downloaders, categorized as a credential stealer with secondary backdoor functionality.
🔧 Technical Capabilities
Cashy200 harvests credentials from browsers, FTP clients (e.g., FileZilla), and email clients by parsing local SQLite databases and registry hives using key logging and clipboard monitoring. It establishes command-and-control (C2) communication over HTTPS to hardcoded IP addresses using JSON-encoded exfiltration data, with fallback to Tor-based communication if direct connections fail. Persistence is achieved via scheduled tasks and registry Run keys (e.g., HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunCashyUpdater), while evasion techniques include sleeping to avoid sandbox analysis and using Process Hollowing to inject into legitimate processes like explorer.exe. The malware also disables Windows Defender through registry modifications (DisableAntiSpyware = 1) and uses encrypted strings to bypass static signature detection.
📜 History & Notable Incidents
The first confirmed Campaign occurred in April 2023 targeting e-commerce businesses in the United States, with samples submitted to VirusTotal exhibiting low detection rates (3/68 initially). In October 2023, a variant exploiting CVE-2023-38831 (WinRAR logical bug) was observed in phishing lures mimicking order confirmations for a major retail chain, resulting in credential theft from over 500 employee accounts. No law enforcement actions against the group have been reported as of June 2025.
🔍 Detection Indicators
Known SHA-256 hashes include a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (sample from April 2023, ANY.RUN report) and network IOCs such as DNS requests to cashy-update[.]com and cloud-sync[.]info, User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 used for C2 beaconing. Behavioral signatures include creation of files in %TEMP%CashyLogs and mutex name GlobalCashyMutex200.
☠️ Risk & Impact
The primary impact is credential theft leading to account compromise and financial fraud, particularly affecting small-to-medium e-commerce businesses and B2B service providers. A single campaign in Q2 2024 resulted in an estimated $2.3 million in losses from compromised payment gateway accounts, according to a Flashpoint intelligence brief. The malware does not encrypt files, but data exfiltration supports subsequent targeted attacks or lateral movement within corporate networks.
🛡️ Mitigation
Defenders should implement email filtering to block ISO and compressed archive attachments, enforce application allowlisting to prevent PowerShell execution from untrusted scripts, and deploy YARA rules (e.g., ANY.RUN rule Cashy200_stealer_v1) for endpoint detection. Regularly updating WinRAR to address CVE-2023-38831 and enabling Windows Defender real-time protection with cloud-delivered signatures are effective countermeasures.
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.