ESET Research reveals new analysis of AceCryptor: used by crimeware, it hits computers 10,000 times every month
Created: 2023-05-29 06:13:56
- ESET researchers publish details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families.
- AceCryptor samples are very prevalent worldwide because multiple threat actors are actively using the cryptor malware to spread packed malware in their campaigns.
- During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor.
- Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. This amounts to over 10,000 hits every month.
- Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware used to steal credit card credentials and sensitive data, upload and download files, and even steal cryptocurrency.
- AceCryptor is heavily obfuscated and has multiple variants, and throughout the years, has incorporated many techniques to avoid detection.
BRATISLAVA — May 25, 2023 — ESET researchers revealed today details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families. This threat has been around since 2016, and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns. During 2021 and 2022, ESET telemetry detected over 240,000 detection hits of this malware, which amounts to over 10,000 hits every month. It is likely sold on dark web or underground forums, and tens of different malware families have used the services of this malware. Many rely on this cryptor as their main protection against static detections.
“For malware authors, protecting their creations against detection is challenging. Cryptors are the first layer of defense for malware that gets distributed. Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors, it often may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state. Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says ESET researcher Jakub Kaloč, who analyzed AceCryptor.
Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware available for purchase on underground forums and used to steal credit card credentials and other sensitive data, upload and download files, and even steal cryptocurrency. RedLine Stealer was first seen in Q1 2022; distributors have used AceCryptor since then, and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloč.
During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor. Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. AceCryptor is heavily obfuscated and has incorporated many techniques to avoid detection throughout the years.
“Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorizes Kaloč.
Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly via trojanized installers of pirated software, or spam emails containing malicious attachments. Another way someone may be exposed is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.
Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. AceCryptor may have been dropped by other malware, already running on a victim’s machine, or, if the victim got directly afflicted by, for example, opening a malicious email attachment, any malware inside might have downloaded additional malware; thus, many malware families may be present simultaneously.
AceCryptor has multiple variants and currently uses a multistage, three-layer architecture.
Even though attribution of AceCryptor to a particular threat actor is not possible for now, ESET Research expects that AceCryptor will continue to be widely used. Closer monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.
For more technical information about AceCryptor, check out the blogpost “Shedding light on AceCryptor and its operation” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
Heatmap of countries affected by AceCryptor according to
ESET telemetry
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.