GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
Summary
The Recorded Future Insikt Group is tracking a sophisticated and adaptable threat actor named GrayBravo (formerly TAG-150), which appears to operate a Malware-as-a-Service (MaaS) model. Insikt Group has identified four distinct activity clusters leveraging GrayBravo's CastleLoader malware, each with unique tactics, techniques, and victim profiles; some impersonate logistics firms and Booking.com to distribute malware via phishing and the ClickFix technique.
IFF Assessment
The report details the activities of an evolving and adaptable threat actor, GrayBravo, indicating increased risk for potential victims.
Severity
Defender Context
Defenders should block associated IPs and domains, monitor connections to unusual legitimate internet services, and deploy updated detection rules (YARA, Snort, Sigma). The use of MaaS models allows threat actors to scale their operations and target a wider range of victims, emphasizing the need for proactive threat intelligence and robust security controls, including email filtering and data exfiltration monitoring, to mitigate the risk of infection and data compromise.