CrySome RAT is designed to give an operator long-term access to and full control over a compromised system through a persistent TCP-based command-and-control channel. The malware copies itself into the Windows recovery partition at C:\Recovery\OEM and modifies the offline registry so that it runs again after a system restore. Its Hidden Virtual Network Computing (HVNC) module extends the threat further.

This means that an attacker can open browsers, access files, and move around the system without the user ever seeing anything happen on their screen. CrySome's AVKiller module also bundles a set of aggressive defense evasion tools that kill antivirus processes, disable security services, block attempts to install antivirus software, and use Image File Execution Options (IFEO) hijacking to keep security tools from ever starting.

Major security products specifically targeted include Windows Defender, Kaspersky, CrowdStrike, ESET, Avast, and SentinelOne. Whenever a blocked tool tries to run, Windows silently redirects it to a command that does nothing. The security program appears to start but never actually does, so victims have no way of knowing that their protection has stopped.
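The IFEO trick described above leaves a durable artifact: a `Debugger` value under the image's subkey of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`. The following is an added defender-side example written for this write-up, not code from the CrySome analysis or from any vendor. It parses a `.reg` export of that key and reports every image that has a `Debugger` set, marking those that belong to the security products named in this article. The sample export, the placeholder redirect path, and the mapping from product names to process names are all my own constructions and assumptions, not indicators taken from the page.

```python
"""Flag Image File Execution Options (IFEO) entries that redirect security tools.

Added example for this write-up (not the report's or any vendor's code). It
parses a Windows .reg export of the IFEO key and lists every image name that
has a `Debugger` value. On a healthy workstation that list is normally empty,
because IFEO debuggers are a developer feature, so any hit deserves a look and
a hit on a security product process is a strong sign of tampering.
"""
import re
from typing import Dict, List

IFEO_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\"
)

# Assumed process names for the products named in the write-up. This mapping
# is my own; the article itself names the vendors, not the executables.
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Windows Defender engine
    "mssense.exe",          # Defender for Endpoint sensor
    "avp.exe",              # Kaspersky
    "csfalconservice.exe",  # CrowdStrike Falcon
    "ekrn.exe",             # ESET kernel service
    "avastsvc.exe",         # Avast
    "sentinelagent.exe",    # SentinelOne
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def _unescape_reg_string(value: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", value)


def find_ifeo_debuggers(reg_text: str) -> List[Dict[str, object]]:
    """Return one finding per IFEO subkey that carries a Debugger value.

    `reg_text` is the decoded text of a `reg export` file. Each finding holds
    the image name, the unescaped redirect target, and whether the image is a
    known security product process.
    """
    findings: List[Dict[str, object]] = []
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if key.lower().startswith(IFEO_PREFIX.lower()):
                current_image = key[len(IFEO_PREFIX):]
            else:
                current_image = None  # some other hive or key; ignore its values
            continue
        if current_image is None:
            continue
        dbg_match = _DEBUGGER_RE.match(line)
        if dbg_match:
            findings.append({
                "image": current_image,
                "debugger": _unescape_reg_string(dbg_match.group(1)),
                "security_product": current_image.lower() in SECURITY_PROCESSES,
            })
    return findings


# Constructed sample export for the example. The redirect path is a placeholder,
# not an observed indicator. devenv.exe shows a benign IFEO entry with no Debugger.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\ProgramData\\placeholder\\noop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\placeholder\\debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="C:\\ProgramData\\placeholder\\noop.exe"
"""


if __name__ == "__main__":
    # A real export is UTF-16LE with a BOM: open(path, encoding="utf-16").read()
    for f in find_ifeo_debuggers(SAMPLE_REG):
        tag = "SECURITY PRODUCT" if f["security_product"] else "review"
        print(f"[{tag}] {f['image']} -> {f['debugger']}")
```

To run it against a live host, export the key first (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`) and decode the file as UTF-16. Because CrySome also edits the offline registry in the recovery partition, the same parse is worth repeating on a hive loaded from C:\Recovery, otherwise a clean-looking live registry can be undone at the next restore. Remediation is to delete the `Debugger` value, after which the product launches normally again.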

If you see any signs of CrySome RAT on a system, isolate it right away to prevent lateral movement. Turn on tamper protection so that scripts or policy changes cannot disable security tools. Every environment should run endpoint detection and response tooling that can catch process injection, registry changes, and service abuse. Keep offline backups and verified system images so that you can fully recover when you need to.

The network should block the domain crysome[.]net and any related infrastructure.