Professional malware is successful when it uses clever obfuscation to evade detection by security solutions. However, the experts at security manufacturer ESET have now demystified the best-known cloak for malicious code – AceCryptor.
This Cryptor-as-a-Service has been actively used by threat actors worldwide since 2016 to protect dozens of malware families. In 2021 and 2022 alone, ESET telemetry made more than 240.000 detections of this malware. That equates to more than 10.000 detections per month. AceCryptor is likely to be sold on the Dark Web or underground forums and is extremely popular with cybercriminals.
Stealth helps malware evade detection
“Securing their creations from detection is a challenge for malware authors. Cryptographs are the first layer of defense for malware to be circulated. While threat actors could create and maintain their own custom kryptors, it is often time-consuming or technically difficult for them to keep their kryptor in a fully undetectable state. The demand for such protection has spawned multiple Cryptor-as-a-Service options that package malware,” says ESET researcher Jakub Kaloč, who analyzed AceCryptor. AceCryptor has added many new techniques over the years to avoid being detected.
Diverse distribution from pirated copies to spam
"Even though we don't know the exact price of this service, we assume that the profit for the authors of AceCryptor with this number of discoveries is significant," says Kaloč. Because AceCryptor is deployed by multiple threat actors, the routes of propagation are widespread. According to ESET Telemetry, devices with AceCryptor malware were mainly infected via Trojan installers for pirated software or spam emails with malicious attachments. Another possibility is that malware reloads additional malicious code protected by AceCryptor. An example of this is the Amadey botnet, which downloaded a RedLine stealer packaged with AceCryptor.
Invisibility cloak is still used
AceCryptor exists in several flavors and currently uses a multi-tier, three-tier architecture. Although it is currently not possible to attribute the malware to a specific threat actor, ESET Research believes that AceCryptor will continue to be widespread. Closer monitoring will help prevent and detect new campaigns from malware families using this Kryptor.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.