A Closer Look at Cybercriminals’ Powerful Weapon: AceCryptor
Since 2016, the AceCryptor crypter has been widely used to pack and distribute a variety of malware strains.
According to telemetry collected by the Slovak cybersecurity company ESET in 2021 and 2022, the crypter was detected more than 240,000 times, which amounts to more than 10,000 hits per month.
SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey are a few of the well-known malware families that have been packed with AceCryptor, among others.
Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India are the nations with the most detections.
Avast initially raised awareness of AceCryptor in August 2022, describing how the malware was used to spread RedLine Stealer and Stop ransomware on Discord in the form of 7-Zip files.
Like packers, crypters obscure malware code with encryption so that detection and reverse engineering become much more difficult.
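Because encrypted or compressed data has near-uniform byte frequencies, a defender can often spot a crypter's encrypted payload by measuring the Shannon entropy of a file's sections. The following is an added example, not code from the article or from ESET, and the sample "sections" it scans are constructed in the script itself (a repetitive stand-in for a code section and a payload XORed with a pseudo-random keystream) rather than taken from any real AceCryptor sample; the 7.2 bits-per-byte threshold and 4 KiB minimum size are common heuristics, not values from the page.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, close to 8.0 for
    uniformly random data such as a well-encrypted blob."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_sections(sections, threshold: float = 7.2, min_size: int = 4096):
    """Return the names of sections whose contents look encrypted or compressed.

    `sections` is an iterable of (name, bytes). Tiny sections are skipped because
    entropy estimates on a few hundred bytes are too noisy to be meaningful.
    The threshold/min_size defaults are heuristics assumed for this example.
    """
    flagged = []
    for name, blob in sections:
        if len(blob) >= min_size and shannon_entropy(blob) >= threshold:
            flagged.append(name)
    return flagged


def build_constructed_sample():
    """Constructed stand-in for a packed executable (not a real sample).

    '.text' is a repeating x86-like byte pattern, so its entropy is low.
    '.rsrc' holds a plaintext payload XORed with a seeded pseudo-random
    keystream, which is what an encrypted payload looks like to a scanner.
    """
    rng = random.Random(1337)
    text = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3] * 1024)  # 8 KiB
    plaintext_payload = b"constructed plaintext payload " * 300          # ~9 KB
    keystream = bytes(rng.getrandbits(8) for _ in range(len(plaintext_payload)))
    encrypted = bytes(p ^ k for p, k in zip(plaintext_payload, keystream))
    return [(".text", text), (".rsrc", encrypted)]


if __name__ == "__main__":
    sample = build_constructed_sample()
    for name, blob in sample:
        print(f"{name:6s} {len(blob):6d} bytes  entropy={shannon_entropy(blob):.2f}")
    print("suspicious sections:", high_entropy_sections(sample))
```

On real files the same check is typically applied per PE section; a high-entropy section that is also executable or is unpacked at runtime is a stronger signal than entropy alone, since legitimate compressed resources and signed installers also score high.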
They also reflect a pattern in which malware developers promote such abilities to other threat actors, whether more or less technically adept, who want to fortify their inventions.
Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors it often may be a time-consuming or technically difficult task to maintain their cryptor in a so-called FUD (fully undetectable) state.
Jakub Kaloč, ESET Researcher
Malware packed with AceCryptor is distributed via spam emails with malicious attachments, trojanized pirated software installers, and other malware that has already infected a host.
Given that numerous threat actors use it to spread a wide variety of malware families, it is also likely sold as a crypter-as-a-service (CaaS).
The crypter uses a three-layer architecture, with each layer decrypting and unpacking the next before the final payload is launched. It also uses anti-VM, anti-debugging, and anti-analysis techniques to evade detection.
According to ESET, the second layer was added in 2019 as an additional layer of protection against analysis.
The findings coincide with the use of another crypter service, codenamed ScrubCrypt, by cryptojacking groups such as the 8220 Gang to illicitly mine cryptocurrency on compromised hosts.
In early January, Check Point also discovered a packer known as TrickGate that has been used for more than six years to distribute a variety of malware, including TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil.