New analysis by ESET Research: AceCryptor hits 10,000 times per month

ESET researchers have published details about AceCryptor, a prevalent cryptor malware that operates as a “cryptor-as-a-service” and is used by dozens of malware families.

This threat has been around since 2016 and has spread globally, with multiple threat actors actively using it to distribute packed malware in their campaigns. In 2021 and 2022, ESET telemetry detected more than 240,000 hits of this malware, which equates to more than 10,000 hits per month. It is likely sold on the dark web or on underground forums, and dozens of different malware families have used its services. Many rely on this cryptor as their main protection against static detection: the cryptor wraps the final payload so that signature-based scanners see only the packing layers, not the malware itself.

“For malware authors, protecting their creations from detection is a challenge. Cryptors are the first layer of defense for malware. While threat actors can create and maintain their own custom cryptors, it can often be time consuming or technically difficult for criminals to keep their cryptor fully undetectable. The demand for such protection has led to multiple ‘cryptor-as-a-service’ offerings that pack malware,” said Jakub Kaloč, the ESET researcher who analyzed AceCryptor.

Among the malware families that have used AceCryptor, RedLine Stealer is one of the most prevalent pieces of malware sold on underground forums; it is used to steal credit card and other sensitive data, upload and download files, and even steal cryptocurrency. RedLine Stealer was first seen packed with AceCryptor in Q1 2022, and its distributors have used AceCryptor ever since and continue to do so. “Detecting AceCryptor thus helps us not only by giving us visibility into new emerging threats, but also by letting us track the activities of threat actors,” Kaloč explains.

In 2021 and 2022, ESET protected more than 80,000 customers affected by AceCryptor-packed malware. In total there were 240,000 detections; this figure counts the same sample detected on multiple computers and the same computer protected by ESET software multiple times. AceCryptor has built in many techniques over the years to avoid detection. “Although we do not know the exact price of this ‘service’, with this number of detections we assume that the benefits for the AceCryptor authors are certainly not negligible,” Kaloč notes.

Since AceCryptor is used by multiple threat actors, the malware packed with it is distributed in multiple ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly through trojanized installers of pirated software or spam emails with malicious attachments. Another way to be exposed is through malware already on the machine that downloads new malware protected by AceCryptor. One example is the Amadey botnet, which was observed downloading an AceCryptor-packed RedLine Stealer.

Since many threat actors use the cryptor, anyone can be affected. Because of the variety of packed malware, it is difficult to estimate how serious the consequences are for a compromised victim. AceCryptor-packed malware may have been dropped by other malware already running on the victim’s computer, or, if the victim was compromised by, say, opening a malicious email attachment, the malware present may have downloaded additional malware. As a result, several malware families can be present on one machine at the same time.

AceCryptor has multiple variants and currently uses a multi-stage, three-layer architecture.

While attributing AceCryptor to a particular threat actor is currently not possible, ESET Research expects AceCryptor to continue to be widely used. Closer monitoring of the cryptor helps prevent and uncover new campaigns from the malware families that use it.

For more technical information on AceCryptor, read the blog post “Shedding light on AceCryptor and its operation” at Follow ESET Research on Twitter for the latest news from ESET Research.

This article is a commercial contribution from ESET. Our editors are not responsible for the content.