cryptcat
Cryptcat, as tracked here, refers to customized builds of the open-source Cryptcat utility observed in TEMP.Veles / TRITON activity. The content states that TEMP.Veles used cryptcat binaries to encrypt attacker traffic during the Triton Safety Instrumented System attack, and that multiple cryptcat-based files tested in 2014 were continually modified to decrease antivirus detection rates. FireEye reported that one tested cryptcat file was deployed in a TEMP.Veles target network, and that the build with the fewest detections was re-tested in 2017 and deployed less than a week later during TEMP.Veles activity. The tooling is described as customized, including a variant whose default password "metallica" is referenced as an indicator in detection content. One described execution pattern creates processes using the format string "cryptsvc.exe -e cmd %S 443", where %S is replaced with a resolved IP address. High-confidence associations in the content tie these cryptcat binaries to TEMP.Veles, the TRITON intrusion set, and the broader intrusion against industrial control systems at a critical infrastructure facility.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"Four files tested in 2014 are based on the open-source project, cryptcat... continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network."
Customized Cryptcat with default password, seen used heavily by TRITON actor
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Command and Control
1 technique
“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… MacMa has used TLS encryption to initialize a custom protocol for C2 communications… TEMP.Veles used cryptcat binaries to encrypt their traffic.”
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Open-source netcat variant used as a communications/backdoor utility; here, customized and repeatedly modified to reduce AV detections and deployed in a TEMP.Veles target network.
Open-source netcat variant used as a remote shell/backdoor; here, repeatedly modified and recompiled to reduce AV detections and then deployed during TEMP.Veles operations.
Open-source netcat variant with encryption; referenced as being modified to reduce AV detection.
Utility used to encrypt network traffic (used here to protect communications).