In the world of cybersecurity, new threats and malicious techniques are constantly emerging. One such threat is a crypter known as AceCryptor, which has been in use since 2016. This crypter is designed to pack multiple strains of malware, making detection and reverse engineering more challenging.
According to Slovak cybersecurity firm ESET, AceCryptor has been responsible for over 240,000 detections in their telemetry data from 2021 to 2022. This equates to more than 10,000 hits per month, highlighting the widespread use of this crypter. Some of the notable malware families found within AceCryptor include SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey, among others.
The countries with the highest number of detections include Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India. This indicates that the impact of AceCryptor is felt globally, affecting users and organizations in various regions.
AceCryptor first came into the spotlight in August 2022 when Avast detailed its use in distributing Stop ransomware and RedLine Stealer via Discord, disguised as 7-Zip files. Crypters are similar to packers, but instead of using compression, they employ encryption to obfuscate the malware’s code, making it harder to detect and analyze.
These crypters serve as a solution for threat actors who want to protect their creations from detection and analysis. While some threat actors develop their own custom crypters, it can be a time-consuming and technically challenging task to maintain them in a fully undetectable state. As a result, the demand for protection has led to the emergence of crypter-as-a-service (CaaS) options that pack malware for these threat actors.
AceCryptor-packed malware is delivered through trojanized installers of pirated software, spam emails with malicious attachments, or by other malware already present on a compromised host. It is suspected that AceCryptor is also sold as a CaaS, as it is used by multiple threat actors to propagate a wide range of malware families.
To evade detection and analysis, AceCryptor utilizes heavy obfuscation techniques and a three-layer architecture. Each layer decrypts and unpacks the next stage, and the final stage launches the payload. Additionally, the crypter employs anti-VM, anti-debugging, and anti-analysis techniques to hinder inspection in sandboxes and debuggers.
In recent months, another crypter service named ScrubCrypt has been leveraged by cryptojacking groups, such as the 8220 Gang, to mine cryptocurrency illicitly on infected hosts. Similarly, Check Point discovered a packer called TrickGate earlier this year, which has been responsible for deploying various malware strains, including TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil, over a span of six years.
The continuous evolution and use of crypter malware like AceCryptor highlight the importance of robust cybersecurity measures and staying vigilant against emerging threats. It is crucial for individuals and organizations to keep their systems up to date, employ reliable security solutions, and exercise caution when interacting with suspicious emails or files. By staying informed and proactive, users can minimize the risk of falling victim to these sophisticated malware attacks.