Researchers have revealed details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families.
This threat has been around since 2016, and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns.
Here we have outlined some of the main talking points that have arisen as part of the research into this emerging malware:
- AceCryptor samples are very prevalent worldwide because multiple threat actors are actively using the cryptor malware to spread packed malware in their campaigns.
- During 2021 and 2022, more than 80,000 individuals were affected by such malware.
- Altogether, there have been 240,000 detections, including the same sample detected on multiple computers, and one computer being protected multiple times – this amounts to over 10,000 hits every month.
- Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware used to steal credit card credentials and sensitive data, upload and download files, and even steal cryptocurrency.
- This malware is heavily obfuscated and has multiple variants, and throughout the years it has incorporated many techniques to avoid detection.
Furthermore, it is likely sold on the dark web or underground forums, and tens of different malware families have used the services of this malware. Many rely on this cryptor as their main protection against static detections.
For malware authors, protecting their creations against detection is challenging, as cryptors are the first layer of defence for malware that gets distributed.
Even though threat actors can create and maintain their own custom cryptors, for crime-ware threat actors it can be time-consuming or technically difficult to keep their cryptor in a fully undetectable state.
What do the experts say?
“Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says researcher Jakub Kaloc, who has analysed this malware.
RedLine Stealer was first seen in Q1 2022 and its distributors have used AceCryptor since then, and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloc.
“Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorizes Kaloc.
Have I been exposed to AceCryptor?
Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. Devices were exposed to AceCryptor-packed malware mainly via trojanised installers of pirated software, or spam emails containing malicious attachments.
Another way someone may be exposed is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.
Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim.
AceCryptor may have been dropped by other malware already running on a victim’s machine, or the victim may have been directly affected by, for example, opening a malicious email attachment. In either case, any malware inside might have downloaded additional malware; thus, many malware families may be present simultaneously.
AceCryptor has multiple variants and currently uses a multistage, three-layer architecture in an attempt to attack your systems.
Even though attribution of AceCryptor to a particular threat actor is not possible for now, researchers expect that it will continue to be widely used – close monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.