“Understanding AceCryptor and How it Operates”

ESET researchers have published details about a cryptor-as-a-service (CaaS) known as AceCryptor, which has been in operation since 2016. The cryptor has been used to pack dozens of malware families, and it is heavily obfuscated, which is precisely why criminals buy it: its job is to keep their payloads from being detected. Threat actors can write and maintain their own custom cryptors, but keeping a cryptor in a fully undetectable (FUD) state is time-consuming and technically demanding, so demand for CaaS offerings has grown. A service like AceCryptor bundles multiple anti-VM, anti-debugging, and anti-analysis techniques so that the packed payload stays concealed without the customer having to implement any of them.

According to the researchers, AceCryptor provides packing services to dozens of well-known malware families, which makes it prevalent worldwide. Based on the number of unique files detected in 2021 and 2022, and on the variety of families found inside them, the researchers conclude that AceCryptor is sold as a CaaS rather than being maintained by a single group for its own use. They found more than 200 ESET detection names for malware families that had been packed with AceCryptor, including SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, STOP ransomware, Amadey, Fareit, Pitou, Tofsee, Taurus, Phobos, Formbook, Danabot, and Warzone. Although the number of unique AceCryptor samples is very high, the number of unique samples packed inside them is fewer than 7,000. The gap shows that many malware authors rely on a cryptor service and find it more convenient to pay for it than to invest time and resources in implementing their own.

ESET researchers estimated that 80,000 of their customers were affected by malware packed with AceCryptor in 2021 and 2022. The figure is approximate, since a single sample can be detected on many machines and one machine can be protected several times by ESET software, but the high number of unique hashes shows how actively the AceCryptor authors work on obfuscation and detection evasion. The researchers also found that victims were exposed to AceCryptor-packed malware mainly through trojanized installers of pirated software and through spam emails carrying malicious attachments.

AceCryptor uses a multistage, three-layer architecture. The first layer decrypts the second using one of two routines: a variant based on the Tiny Encryption Algorithm (TEA), or one based on a linear congruential generator (LCG) of the kind found in the Microsoft Visual/Quick C++ runtime. The second layer is shellcode that performs defensive tricks, then decrypts and launches the third layer. The third layer is more shellcode that also performs anti-analysis tricks; its task is to launch the payload. Two versions of the third layer are known: one performs process hollowing, while the other uses a reflective loader and overwrites its own image with the Portable Executable (PE) of the final payload.
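As an added example (not ESET's code and not anything recovered from AceCryptor itself), the following Python reimplements the two layer-1 decryption variants named above so the second layer can be unpacked statically once the key or seed has been lifted from the stub, and then scans the result for an embedded PE, which is the check an analyst runs on a decrypted layer to locate the final payload that the third layer eventually loads. The TEA constants, round count, little-endian word order and ECB mode, the use of the MSVC CRT rand() recurrence with its low output byte as an XOR keystream, and the key, seed and sample buffer are all assumptions made for the demonstration; a real sample's constants have to be read from its disassembly.

```python
"""Layer-1 unpacking for an AceCryptor-style three-layer stub (added example).

Assumptions, none of them taken from the ESET write-up: the TEA variant uses
delta 0x9E3779B9, 32 rounds, little-endian 32-bit words and ECB mode; the LCG
variant is the MSVC CRT rand() recurrence (seed = seed*214013 + 2531011) with
the low byte of each output XORed against the ciphertext. Real samples may
differ in constants, word order or key schedule; adapt after reading the stub.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key (four words)."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse of tea_encrypt_block: run the rounds backwards from s = rounds*delta."""
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_ecb(data, key, decrypt):
    """Apply TEA block by block; the stub is assumed to use plain ECB (assumption)."""
    if len(data) % 8:
        raise ValueError("TEA input must be a multiple of 8 bytes")
    fn = tea_decrypt_block if decrypt else tea_encrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<II", data, off)
        out += struct.pack("<II", *fn(v0, v1, key))
    return bytes(out)


def msvc_lcg_keystream(seed, length):
    """MSVC CRT rand(): seed = seed*214013 + 2531011, output (seed >> 16) & 0x7FFF.
    The low byte of each output is used as keystream (assumption for this demo)."""
    out = bytearray()
    for _ in range(length):
        seed = (seed * 214013 + 2531011) & MASK
        out.append((seed >> 16) & 0xFF)
    return bytes(out)


def lcg_xor(data, seed):
    """XOR with the LCG keystream; symmetric, so it both packs and unpacks."""
    return bytes(b ^ k for b, k in zip(data, msvc_lcg_keystream(seed, len(data))))


def find_embedded_pe(buf):
    """Offset of the first 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0', or -1.
    This is the sanity check run on a decrypted layer to locate the final payload."""
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
            if pe + 4 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0":
                return off
        off = buf.find(b"MZ", off + 1)
    return -1


def pad8(data):
    return data + b"\x00" * (-len(data) % 8)


# Constructed sample (not a real AceCryptor layer): a few bytes standing in for
# position-independent shellcode, followed by a minimal PE header as the payload.
SHELLCODE_STUB = b"\xe8\x00\x00\x00\x00\x5b"            # call $+5 ; pop ebx
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 12
LAYER2_PLAIN = pad8(SHELLCODE_STUB + FAKE_PE)
KEY = (0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF00)  # hypothetical lifted key
SEED = 0x1337                                           # hypothetical lifted seed


def build_sample(method):
    """Pack LAYER2_PLAIN the way a layer-1 stub of the given variant would."""
    return tea_ecb(LAYER2_PLAIN, KEY, decrypt=False) if method == "tea" else lcg_xor(LAYER2_PLAIN, SEED)


def unpack_layer1(blob, method, key=KEY, seed=SEED):
    """Static re-implementation of what the layer-1 stub does at runtime."""
    if method == "tea":
        return tea_ecb(blob, key, decrypt=True)
    if method == "lcg":
        return lcg_xor(blob, seed)
    raise ValueError(method)


if __name__ == "__main__":
    for m in ("tea", "lcg"):
        layer2 = unpack_layer1(build_sample(m), m)
        print(m, "stub ok:", layer2.startswith(SHELLCODE_STUB), "PE at:", find_embedded_pe(layer2))
```

The PE scan is deliberately strict about e_lfanew: a bare "MZ" match turns up constantly in encrypted or random data, whereas an MZ header whose e_lfanew lands on a "PE\0\0" signature almost never does, so the check is what tells a correct key from a wrong one when the stub's constants are uncertain.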

The most significant part of AceCryptor is its obfuscation. New obfuscation techniques have been added over the years, and almost every part of the binary is obfuscated to the point where analysis becomes significantly harder. The researchers also found that AceCryptor is used by multiple threat actors and that malware packed with it is distributed in different ways, including by other malware that downloads new payloads protected by AceCryptor.

In conclusion, the details uncovered about AceCryptor show the lengths to which cybercriminals go to protect their malware from detection. The researchers' investigation documents how prevalent the cryptor is and how heavily criminals rely on CaaS offerings to conceal their payloads, and the high number of unique hashes shows how actively its authors keep evolving its obfuscation and evasion. Understanding the tactics and techniques used by cryptors like AceCryptor is essential for identifying and mitigating the attacks that use them.