Hackers are attacking many companies across Europe with stealth malware. ESET researchers have noticed a dramatic increase in so-called AceCryptor attacks via remote access tool (RAT) Rescoms.
Between the first and second half of 2023, the number of detected attacks tripled: 42.000 ESET users worldwide were targeted by cyber criminals and were protected. Companies in Central Europe and Spain were particularly affected. What's new about these attacks: For the first time ever, hackers who used the Rescoms remote access tool (RAT) for attacks resorted to AceCryptor, a camouflage software for malicious programs. The campaigns targeted access data for email and browser accounts from companies in the respective countries, laying the foundation for future attacks.
Stealthy remote access tool attacks
“With this campaign, cybercriminals wanted to gain as much information as possible. To do this, they use 'classic' spam messages, which in many cases were extremely convincing and were even sent from hijacked email accounts,” says ESET researcher Jakub Kaloč, who discovered the latest attack campaign. “Opening attachments from such emails can have serious consequences for companies. We therefore advise you to be careful with emails with attachments and to use reliable security software.”
AceCryptor and Rescoms – Rats with cloaking technology
AceCryptor is a so-called Cryptor-as-a-Service (CaaS). This is software that is intended to protect its payload, usually various malware families, from being identified and combated by security solutions. Various techniques are used for this, e.g. B. Make debugging and analysis by antivirus software more difficult. Last year, ESET looked into AceCryptor and uncovered how the software works.
In the current case, hackers combined the two technologies and sent Rescoms software disguised by AceCryptor to a large number of users in multiple spam email campaigns. Victims who fell for the scam unknowingly installed the remote access software, which the hackers then used to obtain access data. It is unknown whether they collected this data for themselves or sold it to other cybercriminals. What is certain, however, is that a successful compromise opens the door to further attacks, especially ransomware attacks.
Spread via spam emails that look deceptively real
Spam campaigns targeting companies in Poland consisted of emails with very similar subject lines about B2B offers for the victim companies. In order to appear as credible as possible, the attackers researched existing Polish company names in advance as well as the names and contact information of employees and owners, which they provided in their emails. When victims searched for the sender's name online, they found legitimate websites and were more willing to open the malicious attachments.
In parallel to the campaigns in Poland, ESET registered ongoing campaigns in Slovakia, Bulgaria and Serbia. The spam emails here were also written in the local language. In addition, there has also been a wave of spam emails with Rescoms as a payload in Spain.
Hackers' target countries changed throughout 2023
In the first half of 2023, Peru, Mexico, Egypt and Turkey were most affected by malware disguised by AceCryptor. Peru recorded the most attacks with 4.700. The campaign in the second half of the year mainly affected European countries.
AceCryptor samples that ESET examined in the second half of 2023 often contained two malware families as payloads: Rescoms and SmokeLoader, a backdoor that allows cybercriminals to reload additional malware. SmokeLoader was frequently used in cyberattacks in Ukraine. However, in Poland, Slovakia, Bulgaria and Serbia, Rescom's most common payload was AceCryptor.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.