AceCryptor – Analysis of Malware 2023

Researchers have revealed details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families.


This threat has been around since 2016, and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns.

Here we have outlined some of the main talking points that have arisen as part of the research into this emerging malware:

  • AceCryptor samples are very prevalent worldwide because multiple threat actors are actively using the cryptor malware to spread packed malware in their campaigns.
  • During 2021 and 2022, more than 80,000 individuals were affected by such malware.
  • Altogether, there have been 240,000 detections, including the same sample detected on multiple computers and one computer being protected multiple times; this amounts to over 10,000 hits every month.
  • Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer, malware used to steal credit card credentials and sensitive data, upload and download files, and even steal cryptocurrency.
  • This malware is heavily obfuscated and has multiple variants, and over the years it has incorporated many techniques to avoid detection.

Furthermore, it is likely sold on dark web or underground forums, and tens of different malware families have used its services. Many rely on this cryptor as their main protection against static detection.

For malware authors, protecting their creations against detection is challenging, and cryptors are the first layer of defence for malware that gets distributed.

Even though threat actors can create and maintain their own custom cryptors, for crime-ware threat actors, it often may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state.


What do the experts say?


“Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says researcher Jakub Kaloc, who has analysed this malware.

RedLine Stealer was first seen in Q1 2022, and its distributors have used AceCryptor since then and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloc.

“Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorises Kaloc.


Have I been exposed to AceCryptor?


Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. Devices were exposed to AceCryptor-packed malware mainly via trojanised installers of pirated software, or spam emails containing malicious attachments.

Another way someone may be exposed is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.

Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim.

AceCryptor-packed malware may have been dropped by other malware already running on a victim’s machine, or the victim may have been afflicted directly, for example by opening a malicious email attachment. Any malware inside might then have downloaded additional malware; thus, many malware families may be present simultaneously.

AceCryptor has multiple variants and currently uses a multistage, three-layer architecture in an attempt to attack your systems.

Even though attribution of AceCryptor to a particular threat actor is not possible for now, researchers expect that it will continue to be widely used; close monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.

You can also follow Radius on Instagram, Facebook or LinkedIn for more security updates.

Source: ESET
