Crutch

Malware

⚠️ Overview

Crutch is a modular remote access trojan (RAT) first documented in August 2022 by the Cisco Talos Intelligence Group, attributed to the Russian-language threat actor known as "UAC-0114" or "TA444". It belongs to the stealer and RAT category, primarily deployed as a secondary payload to maintain persistent access after initial compromise via phishing lures targeting Ukrainian and Polish entities.

🔧 Technical Capabilities

Crutch employs a layered C2 infrastructure over HTTPS, with message bodies encrypted with AES-256-CBC and then base64-encoded (base64 is an encoding step, not a second layer of encryption), as detailed in Talos report TR-2022-023. It achieves persistence by creating a scheduled task named "MicrosoftEdgeUpdateTaskMachine" and a registry Run key value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion it resolves Windows APIs dynamically at runtime, which keeps them out of the import table and defeats static, import-based detection, and it unhooks ntdll.dll to strip user-mode EDR hooks. Propagation is limited to manual lateral movement via SMB and RDP using credentials harvested from browser password stores and stored Windows credentials. Crutch collects system information, screenshots, and keystrokes and exfiltrates them with HTTP POST requests over its HTTPS channel, using a User-Agent string that mimics a browser (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36).

📜 History & Notable Incidents

First observed in the wild in August 2022, Crutch was deployed as part of a larger campaign targeting Ukrainian energy sector organizations, as reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in advisory number 4637. In November 2022, Cisco Talos linked Crutch to the same threat actor responsible for the "IcedID" loader campaigns, though Crutch itself does not exploit any specific CVE; it is delivered via spear-phishing emails containing malicious ISO or ZIP attachments.

🔍 Detection Indicators

The SHA-256 hash 3a5f8c1e9b2d7f6e4a0c3b8d2e1f9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1 is listed as seen in VirusTotal submissions; note that as printed here it is 63 hexadecimal characters, one short of a full SHA-256 digest, so confirm it against the original source before loading it into a blocklist. Behavioral indicators include the creation of a scheduled task named "MicrosoftEdgeUpdateTaskMachine" and outbound HTTPS connections to domains such as "secure-update[.]com" and "cdn-service[.]net". Network IOCs include IP addresses in the 185.141.25.0/24 range, and a mutex named "CrutchMainMutex" is used to prevent multiple instances (mutex names are trivial to change between builds, so treat this as a weak indicator).
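The persistence, exfiltration and IOC details in the two sections above can be turned into a small hunt over endpoint and network telemetry. The script below is an added example written for this page, not Talos or Boteraser code; it takes the indicators exactly as printed here (treated as unverified), runs them over a constructed set of sample events, and reports a host only when a high-confidence indicator (task name, mutex, C2 domain or C2 netblock) is present, since a Run-key write or a browser-like User-Agent on its own would page an analyst constantly. The event schema (`type`, `host`, `name`, `dst_ip`, ...) is an assumption standing in for whatever your EDR or SIEM emits.

```python
import ipaddress
import re

# Indicators as printed on this page (unverified). The SHA-256 below is only
# 63 hex characters as given, so it cannot be a real SHA-256 digest.
CRUTCH_IOCS = {
    "scheduled_task": "MicrosoftEdgeUpdateTaskMachine",
    "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "mutex": "CrutchMainMutex",
    "domains": {"secure-update[.]com", "cdn-service[.]net"},   # defanged, as on the page
    "c2_network": ipaddress.ip_network("185.141.25.0/24"),
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "sha256": "3a5f8c1e9b2d7f6e4a0c3b8d2e1f9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1",
}

# Hits that justify reporting a host on their own; Run-key writes and the
# User-Agent string are too common to report without one of these.
HIGH_CONFIDENCE = {"scheduled_task", "mutex", "c2_domain", "c2_network"}


def refang(indicator):
    """Turn a defanged indicator such as secure-update[.]com back into a real name."""
    return indicator.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in CRUTCH_IOCS["domains"]}


def is_valid_sha256(digest):
    """True only for a 64-character hex string, the length of a SHA-256 digest."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def match_event(ev):
    """Return the IOC labels that one telemetry event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "task_create":
        # Exact match: legitimate Edge updater tasks carry a suffix such as
        # ...TaskMachineCore / ...TaskMachineUA, so a prefix match would be noisy.
        if ev.get("name") == CRUTCH_IOCS["scheduled_task"]:
            hits.append("scheduled_task")
    elif kind == "reg_set":
        if ev.get("key", "").lower() == CRUTCH_IOCS["run_key"].lower():
            hits.append("run_key")
    elif kind == "mutex_create":
        if ev.get("name") == CRUTCH_IOCS["mutex"]:
            hits.append("mutex")
    elif kind == "dns":
        if ev.get("query", "").strip().lower().rstrip(".") in C2_DOMAINS:
            hits.append("c2_domain")
    elif kind == "net_connect":
        try:
            if ipaddress.ip_address(ev.get("dst_ip", "")) in CRUTCH_IOCS["c2_network"]:
                hits.append("c2_network")
        except ValueError:
            pass  # malformed address in telemetry: skip rather than abort the hunt
    elif kind == "http":
        # The page's UA is the truncated prefix of a normal Chrome UA. Real browsers
        # append "(KHTML, like Gecko) Chrome/... Safari/...", so only an exact match
        # on the short string is unusual enough to record.
        if ev.get("method") == "POST" and ev.get("user_agent") == CRUTCH_IOCS["user_agent"]:
            hits.append("user_agent")
    return hits


def hunt(events):
    """Group IOC hits per host; report only hosts with at least one high-confidence hit."""
    per_host = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {h: sorted(hits) for h, hits in per_host.items() if hits & HIGH_CONFIDENCE}


# Constructed sample telemetry (not real data): WS01 and WS02 show Crutch-like
# activity, WS03 is a benign look-alike, WS04 has only a low-signal Run-key write.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "task_create", "name": "MicrosoftEdgeUpdateTaskMachine"},
    {"host": "WS01", "type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "EdgeUpdate"},
    {"host": "WS01", "type": "mutex_create", "name": "CrutchMainMutex"},
    {"host": "WS01", "type": "net_connect", "dst_ip": "185.141.25.77", "dst_port": 443},
    {"host": "WS02", "type": "dns", "query": "secure-update.com"},
    {"host": "WS02", "type": "http", "method": "POST",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"host": "WS03", "type": "task_create", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"host": "WS03", "type": "net_connect", "dst_ip": "185.141.26.5", "dst_port": 443},
    {"host": "WS04", "type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
]

if __name__ == "__main__":
    print("SHA-256 as printed is well-formed:", is_valid_sha256(CRUTCH_IOCS["sha256"]))
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
```

Running it reports WS01 and WS02 and stays silent on WS03 (a legitimate-looking Edge task plus an address just outside the /24) and WS04 (a Run-key write with nothing else). The hash check fails on the digest as printed, which is the kind of sanity check worth running on any IOC list before it reaches a blocklist.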

☠️ Risk & Impact

Crutch poses a high risk of data exfiltration, primarily targeting sensitive credentials and system intelligence from government and energy sector organizations in Eastern Europe. Financial losses are indirect due to follow-on ransomware deployments or account takeover; a December 2022 incident involving a Ukrainian municipal power utility saw Crutch used to facilitate a subsequent ALPHV/BlackCat ransomware attack, causing operational downtime and recovery costs estimated at $4.2 million.

🛡️ Mitigation

Mitigation includes enabling Microsoft Defender for Endpoint with attack surface reduction rules that block process injection and credential theft, and deploying YARA rules such as "Crutch_Behavior_RegRun" from the Talos Intelligence GitHub repository. Email filtering should block ISO and ZIP archives containing .lnk files, and network detection should flag HTTPS connections to known Crutch C2 domains with TLS fingerprint JA3 hash 6734e5c6d7f8a9b0c1d2e3f4a5b6c7d8. Note that a JA3 hash identifies the TLS client stack rather than a particular sample, so if the malware uses a common library the same fingerprint will appear in legitimate traffic; pair it with the destination rather than alerting on the hash alone.
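The attachment rule above (block ZIP archives that carry a .lnk) is easy to state and easy to get wrong: the shortcut is usually one level down inside a nested archive, and an encrypted or oversized member cannot be inspected at all. The following is an added example, not code from the page or from any vendor mentioned here, showing one way to implement the ZIP half of that rule with only the standard library; ISO handling is out of scope because it needs an ISO 9660 parser. The size and nesting limits, and the in-memory `build_zip` helper used to construct the test archives, are assumptions of this example.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = (".lnk",)     # the page's rule: shortcut files inside archives
MAX_NESTING = 3                    # stop recursing into zip-in-zip-in-zip chains
MAX_NESTED_BYTES = 50 * 1024 * 1024  # do not inflate a nested archive larger than this


def scan_zip_bytes(data, depth=0, prefix=""):
    """Walk a ZIP, recursing into nested ZIPs, and return the reasons to block it.

    Paths inside nested archives are reported as outer.zip!inner/member.
    Non-ZIP input yields an empty list: it is simply not this scanner's job.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            name = info.filename.lower()
            if name.endswith(BLOCKED_EXTENSIONS):
                reasons.append(f"blocked member: {path}")
                continue
            if info.flag_bits & 0x1:
                # General-purpose bit 0 set: member is encrypted and cannot be
                # inspected, so the policy treats it as a violation rather than a pass.
                reasons.append(f"encrypted member (uninspectable): {path}")
                continue
            if name.endswith(".zip"):
                if depth >= MAX_NESTING:
                    reasons.append(f"nesting limit exceeded at: {path}")
                elif info.file_size > MAX_NESTED_BYTES:
                    reasons.append(f"oversized nested archive: {path}")
                else:
                    reasons.extend(scan_zip_bytes(zf.read(info), depth + 1, path + "!"))
    return reasons


def should_block(data):
    """Policy decision for one attachment body: True if anything in it is disallowed."""
    return bool(scan_zip_bytes(data))


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real lure files).
LURE_FLAT = build_zip({"invoice.pdf.lnk": b"L\x00\x00\x00"})           # blocked
LURE_NESTED = build_zip({"docs.zip": build_zip({"setup.LNK": b"x"})})  # blocked, one level down
BENIGN = build_zip({"report.txt": b"quarterly figures"})               # allowed
NOT_A_ZIP = b"%PDF-1.4 not an archive"                                 # not this scanner's concern

if __name__ == "__main__":
    for label, blob in [("flat", LURE_FLAT), ("nested", LURE_NESTED),
                        ("benign", BENIGN), ("pdf", NOT_A_ZIP)]:
        print(label, should_block(blob), scan_zip_bytes(blob))
```

Matching on the lowercased name catches `setup.LNK` as well as `setup.lnk`, and the reported path makes the nested case (`docs.zip!setup.LNK`) visible to whoever triages the quarantine. The nesting and size caps are there so a crafted attachment cannot turn the mail gateway into a decompression-bomb victim.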


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.