For about seven years, attackers of many stripes have been hiding their malicious software behind the same off-the-shelf tool.
The Slovak company ESET said in a recent report that a cryptor called AceCryptor has been used by a wide range of attackers since 2016. The tool lets them hide their malware from antivirus detection and hinder analysis by researchers.
Cryptors (also called crypters or packers) are tools that encrypt and obfuscate the code of other malware so that it is harder to detect and reverse engineer. Despite the name, a cryptor is not ransomware: it does not encrypt the victim's files, it wraps a payload so that the payload only appears in memory at run time.
According to ESET, in 2021 and 2022 alone AceCryptor triggered more than 240,000 detections, that is, over 10,000 per month. Over the same period ESET collected more than 80,000 unique samples of the cryptor, spanning about 7,000 unique variants of its internal layout.
Among the malware families packaged with AceCryptor are widely used ones such as SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop, and Amadey.
The largest numbers of infections with AceCryptor-packed malware were recorded in Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland and India.
AceCryptor was first publicly described by Avast in August 2022; at that time the tool was being used to spread the Stop ransomware and the RedLine infostealer.
AceCryptor-packed malware usually reaches victims' machines through trojanized installers for pirated software, spam emails with malicious attachments, or other malware that has already compromised the target system.
ESET also believes AceCryptor is sold as a cryptor-as-a-service (CaaS) offering, since the same tool is used by unrelated groups to distribute unrelated malware families.
The cryptor itself is heavily obfuscated and uses a three-layer architecture that progressively decrypts and decompresses each stage before launching the final payload. It also incorporates anti-virtual-machine, anti-debugging and anti-analysis techniques.
Ultimately, the cryptor launches the payload on the victim's device while keeping it out of sight of security software for as long as possible, which is why it remains popular with attackers.
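To make the idea of "layers" concrete, here is an added toy model of a three-layer cryptor together with two checks an analyst applies to such blobs. It is not AceCryptor's real format and not ESET's or Avast's code: the layer order (XOR, zlib, XOR), the keys, and the fake payload are constructed for illustration, and the recovery step assumes the payload begins with the common but not universal PE prefix `MZ\x90\x00`.

```python
import math
import zlib
from collections import Counter

# Constructed stand-in for a payload: a fake PE-like blob. Real PE files start
# with "MZ"; "MZ\x90\x00" is a very common (not universal) first four bytes.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n" * 40

K1 = b"\x5a\xa3\x17\xc4"   # inner-layer XOR key (constructed)
K3 = b"\x81\x3e\x6f"       # outer-layer XOR key (constructed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0; packed or encrypted data sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes) -> bytes:
    """Build the blob a stub would carry: encrypt, compress, encrypt again."""
    layer1 = xor_stream(payload, K1)        # innermost layer
    layer2 = zlib.compress(layer1, 9)       # middle layer
    return xor_stream(layer2, K3)           # outermost layer


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time, and what an analyst reproduces offline:
    peel the layers in the reverse order they were applied."""
    layer2 = xor_stream(blob, K3)
    layer1 = zlib.decompress(layer2)
    return xor_stream(layer1, K1)


def recover_xor_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack on one XOR layer: if the decrypted data is expected
    to start with known_prefix, the key bytes at those positions are simply
    ciphertext XOR plaintext. Recovers the whole key only if the key is no
    longer than the prefix; otherwise it yields the first len(prefix) key bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def entropy_report(payload: bytes) -> dict:
    """Compare the entropy of the plain payload with its packed form: the jump
    is what static 'packed executable' heuristics key on."""
    return {
        "payload": round(shannon_entropy(payload), 2),
        "packed": round(shannon_entropy(pack(payload)), 2),
    }


if __name__ == "__main__":
    blob = pack(PAYLOAD)
    assert unpack(blob) == PAYLOAD
    print(entropy_report(PAYLOAD))
    # Analyst view of layer 1 alone: recover K1 from the assumed PE prefix.
    print(recover_xor_key(xor_stream(PAYLOAD, K1), b"MZ\x90\x00").hex())
```

The entropy jump between the plain and packed forms is the property detection heuristics exploit, and the known-plaintext key recovery is why real cryptors avoid trivial XOR on a predictable header; neither check tells you what is inside, only that something is wrapped.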
In March, we covered another cryptor, ScrubCrypt, which several cryptojacking groups were using at the same time to mine cryptocurrency illicitly on infected hosts. At the start of the year, Check Point described a packer called TrickGate that had been used for more than six years to deploy a wide range of malware, including TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil.