CrownX Ransomware Embedded Inside Avalon Framework Targets Recovery and Backup Systems | #ransomware | #cybercrime


A previously undocumented multi-stage malware framework, tracked as Avalon, has been identified; it embeds a ransomware component internally labeled CrownX and specifically targets recovery and backup systems.

By placing malicious content inside an ISO image rather than attaching an executable directly, the actor avoided email-layer scanning and social-engineered victims into mounting a seemingly legitimate “Secure Document” package.

A document‑themed shortcut (.lnk) inside the mounted ISO launched a staged MSBuild project (zfighv.tmp), which used CodeTaskFactory to compile inline C# and reconstruct an encrypted managed downloader entirely in memory, avoiding disk‑backed artifacts and conventional detection.
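A quick triage check for the inline-compilation technique described above, written here as an added example (it is not Blackpoint's tooling, and the embedded project is a constructed stand-in, not the real zfighv.tmp): it flags any UsingTask that relies on CodeTaskFactory or RoslynCodeTaskFactory and notes project files stored under non-build extensions such as .tmp or .dat, as seen in this chain.

```python
import os
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project at build time.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# Extensions a legitimate build normally uses; a .tmp or .dat project is a cue.
BUILD_EXTENSIONS = {".proj", ".csproj", ".vbproj", ".targets", ".props"}

def _local(tag):
    """Strip the MSBuild XML namespace so matching works with or without it."""
    return tag.rsplit("}", 1)[-1].lower()

def find_inline_tasks(xml_text):
    """Return (task_name, factory, source_chars) for every inline-code task."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        attrs = {k.lower(): v for k, v in node.attrib.items()}
        factory = attrs.get("taskfactory", "")
        if _local(node.tag) == "usingtask" and factory.lower() in INLINE_FACTORIES:
            source_chars = sum(len((c.text or "").strip())
                               for c in node.iter() if _local(c.tag) == "code")
            findings.append((attrs.get("taskname", "?"), factory, source_chars))
    return findings

def assess_project(path, xml_text):
    """Return the reasons a project file deserves analyst attention (empty = none)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in BUILD_EXTENSIONS:
        reasons.append(f"project stored with non-build extension '{ext or '(none)'}'")
    for name, factory, source_chars in find_inline_tasks(xml_text):
        reasons.append(f"inline task {name} via {factory} ({source_chars} chars of source)")
    return reasons

# Constructed stand-in for a staged project; it is NOT the real zfighv.tmp.
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><RunStage /></Target>
  <UsingTask TaskName="RunStage" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        public class RunStage : Microsoft.Build.Utilities.Task {
            public override bool Execute() { return true; }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""
```

Run `assess_project` over anything MSBuild.exe is observed loading from %TEMP% or a mounted image; two reasons come back for the constructed sample when it is named like the staged file.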

The managed downloader disabled telemetry and inspection pathways before fetching the next stage over HTTPS: it resolved ETW and AMSI entry points and prepared short return stubs to force success.

It installed a permissive certificate validation callback and sent requests with a browser‑like User‑Agent plus a custom X‑Edge‑Cache header to distinguish campaign traffic.

The response contained an encrypted PE plus a 32‑byte HMAC‑SHA256 tag; the loader validated and decrypted the payload using an offset‑based HMAC keystream, then manually mapped the PE into the MSBuild process memory.

Manual mapping reproduced relocation, import resolution, exception registration, and Control Flow Guard setup so the final native x64 implant executed without a separate file on disk.

The intrusion chain began with a spoofed legal-document email that directed recipients to a password‑protected archive hosted on Proton Drive.

Blackpoint’s Adversary Pursuit Group (APG) identified a malware framework, now tracked as Avalon, delivered through a multi-stage phishing chain.

Staging archive hosted on Proton Drive (Source: Blackpoint).

The recovered implant self‑identified as Avalon and served as a central orchestration layer: credential harvesting, persistence, lateral movement, telemetry reduction, and final‑stage extortion were all integrated.

CrownX Ransomware Attack

Collection routines copied browser and wallet databases (Chromium/Firefox Login Data, Cookies; MetaMask, Ledger Live, Electrum, Coinbase paths), extracted DPAPI material via CryptUnprotectData, and harvested VPN, SSH, RDP, Wi‑Fi, and Windows Credential Manager artifacts.

Inside the archive was an ISO image named Secure_Document_CA-283505_pdf.iso. Mounting the image exposed a shortcut named Secure Document CA-283505.pdf.lnk.

Contents within the malicious ISO (Source: Blackpoint).

A local credential validation module used LogonUserW and local SAM enumeration with built‑in password lists to convert weak credentials into usable access.

C2 communications used WinHTTP POSTs to /api/v2/tasking on helloxcherry[.]com, with form fields separating LSASS, SAM, and general exfiltration payloads.
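The C2 and staging traffic described here can be matched in web-proxy telemetry. The following is an added example (not Blackpoint's code) that scores records against the domain, tasking path, X-Edge-Cache value and User-Agent from the article's IoC table; the JSON proxy records are constructed for the demonstration, and hosts are kept defanged throughout so the live indicator is never written.

```python
import json

# Network indicators as published in the article's IoC table (domain kept defanged).
STAGING_DOMAIN = "helloxcherry[.]com"
TASKING_PATH = "/api/v2/tasking"
STAGING_PATH_PREFIX = "/cdn/static/"
EDGE_CACHE_VALUE = "e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6"
LOADER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

def defang(host):
    """Normalise a hostname to the defanged form (idempotent) for comparison."""
    return host.lower().replace("[.]", ".").replace(".", "[.]")

def score_record(rec):
    """Return (score, reasons); >= 3 is a confident hit, 1-2 is worth review."""
    hits = []  # (points, reason)
    if defang(rec.get("host", "")) == STAGING_DOMAIN:
        hits.append((3, "known staging domain"))
    path = rec.get("path", "")
    if rec.get("method") == "POST" and path == TASKING_PATH:
        hits.append((2, "POST to the tasking endpoint"))
    elif path.startswith(STAGING_PATH_PREFIX) and path.endswith("/update"):
        hits.append((1, "staging-style payload path"))
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if headers.get("x-edge-cache") == EDGE_CACHE_VALUE:
        hits.append((3, "campaign X-Edge-Cache value"))
    elif "x-edge-cache" in headers:
        hits.append((1, "non-standard X-Edge-Cache header"))
    if rec.get("user_agent") == LOADER_UA:
        hits.append((1, "loader user agent (browser UA truncated after AppleWebKit)"))
    return sum(p for p, _ in hits), [why for _, why in hits]

def scan(log_text, threshold=3):
    """Return (ts, host, score, reasons) for each record at or above threshold."""
    flagged = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        score, reasons = score_record(rec)
        if score >= threshold:
            flagged.append((rec["ts"], rec["host"], score, reasons))
    return flagged

# Constructed proxy records (JSON lines); hosts are written defanged on purpose.
SAMPLE_LOG = """\
{"ts": "2024-01-01T10:00:01Z", "method": "GET", "host": "www.example.com", "path": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36", "headers": {}}
{"ts": "2024-01-01T10:00:07Z", "method": "GET", "host": "helloxcherry[.]com", "path": "/cdn/static/c3587edc48c37656b29bcd3da9458eea/update", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "headers": {"X-Edge-Cache": "e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6"}}
{"ts": "2024-01-01T10:00:09Z", "method": "POST", "host": "helloxcherry[.]com", "path": "/api/v2/tasking", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "headers": {}}
"""
```

The single-point cues (the short User-Agent, a POST to /api/v2/tasking on some other host) are deliberately weak on their own so that a benign hit does not page anyone; `scan(SAMPLE_LOG)` returns only the two staging-domain records.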

Avalon prioritized high‑value targets for lateral propagation: domain controllers, backup platforms, and virtualization infrastructure, searching for strings associated with Veeam, Acronis, NetApp, Synology, vCenter, Hyper‑V and Exchange.

Simplified decryption routine (Source: Blackpoint).

Remote staging used administrative shares and trusted Microsoft utilities (MSBuild.exe, csc.exe, InstallUtil.exe) to compile or load .NET components on remote hosts. Execution options included scheduled tasks, remote service launches, and PsExec‑style methods.

The ransomware module, CrownX, implemented robust cryptography and recovery disruption. CrownX used BCrypt APIs with AES‑GCM for authenticated encryption, file mapping for efficient processing, and transaction‑aware APIs for controlled file operations.

It targeted a broad set of formats including VM images, databases, source files, engineering CAD files, and creative projects while appending structured metadata (nonce, auth tag, segment info) to enable decryption if keys were supplied.

CrownX also attempted multiple methods to display ransom notes and included countdown timers to pressure payment.

Critically, Avalon attacked recovery mechanisms: it stopped VSS, deleted shadow copies via COM, modified registry recovery settings, and targeted WinRE images and restore configuration.

An anti‑forensic subsystem purged Prefetch, AmCache, SRUM, ShimCache, Jump Lists, PowerShell history, USN journal and other investigator artifacts.

The framework even contained a direct physical‑drive write capability capable of corrupting partition or boot structures, extending impact beyond encryption into potential disk‑level destruction.

Avalon demonstrates an operational consolidation: credential theft, persistence, lateral movement and extortion are unified in one recovered payload, narrowing defenders’ window for disruption.

Indicators of Compromise (IoCs)

| Type | Indicator | Context |
|---|---|---|
| ISO image | Secure_Document_CA-283505_pdf.iso | Mounted image containing the fake PDF shortcut and MSBuild project. |
| Shortcut | Secure Document CA-283505.pdf.lnk | Fake PDF shortcut that launched cmd.exe and used a Microsoft Edge icon. |
| MSBuild project | Mimecast Secure File Logs\zfighv.tmp | Malicious MSBuild XML project copied from the ISO. |
| Decoy file | Mimecast Secure File Logs\verification.txt | Decoy text file in the ISO. |
| Decoy file | Mimecast Secure File Logs\manifest.xml | Decoy XML file in the ISO. |
| Temporary project path | %TEMP%\ngen0cc9.dat | Temporary copy of the MSBuild project executed by MSBuild.exe. |
| Staging domain | helloxcherry[.]com | Remote staging domain contacted by the managed loader. |
| Staging URL | hxxps://helloxcherry[.]com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update | Encrypted remote object retrieved by the managed loader. The URL was unavailable during later sandbox testing. |
| HTTP header | X-Edge-Cache: e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6 | Custom header sent by the managed loader during remote stage retrieval. |
| User agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 | User agent sent by the managed loader. |
| Encrypted file extension | .8hn2yc | Extension associated with CrownX encrypted files. |
| Cryptocurrency address | bc1qq9tx6p99jpqcj9p6nr3mwc3f9q3sxmj45l4anz | Bitcoin address embedded in the ransom note. |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
