Why Malware Crypting Services Should Be Subject to Greater Scrutiny – Krebs on Security

Cryptor[.]biz is a well-known crypting service in the cybercriminal underworld. Crypting is the practice of wrapping a malicious file in an encryption or obfuscation layer, plus a small decryption stub, so that the bytes on disk no longer match antivirus signatures while the program still runs as intended. It is a crucial step for cybercriminals who rely on distributing malware at scale, and because each antivirus update can burn a crypt, the service has to be repeated continually. While some cybercriminals handle crypting themselves, many outsource it to trusted third parties like Cryptor[.]biz.
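To make the mechanism above concrete, the following is an added example (not code from the article, from Krebs on Security, or from any crypting service). It uses a constructed, harmless stand-in for a malware body and a constructed byte signature, wraps the body in a keyed XOR layer, and shows two things a defender cares about: the byte signature and file hash stop matching, and the Shannon entropy of the result jumps to near 8 bits per byte, which is exactly what packer/crypter heuristics look for. The key, the payload and the 7.2 entropy threshold are all assumptions for the demo.

```python
"""Why crypting defeats byte-signature matching, and why defenders fall
back on entropy heuristics.  Added example; payload, signature, key and
threshold are constructed for the demo, not taken from the article."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a malware body: repetitive, low-entropy bytes
# with an embedded string that a signature engine might key on.
PAYLOAD = (b"MZ" + b"\x00" * 62 + b"cmd.exe /c powershell -enc " + b"A" * 200) * 16

# Constructed byte signature the "antivirus" below searches for.
SIGNATURE = b"cmd.exe /c powershell"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for the crypter's cipher layer."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream. Applying it twice recovers the input, which
    is what the crypter's runtime stub does before handing off execution."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def signature_hit(data: bytes) -> bool:
    """Naive signature engine: a fixed byte pattern anywhere in the file."""
    return SIGNATURE in data


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Entropy heuristic. Compressed archives and legitimately encrypted
    content also exceed this, so treat it as a triage signal, not a verdict."""
    return shannon_entropy(data) > threshold


def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Run the before/after comparison and return the measurements."""
    crypted = crypt(PAYLOAD, key)
    recovered = crypt(crypted, key)
    return {
        "plain_sig": signature_hit(PAYLOAD),
        "crypted_sig": signature_hit(crypted),
        "plain_entropy": round(shannon_entropy(PAYLOAD), 2),
        "crypted_entropy": round(shannon_entropy(crypted), 2),
        "plain_flagged": looks_packed(PAYLOAD),
        "crypted_flagged": looks_packed(crypted),
        "roundtrip_ok": recovered == PAYLOAD,
        "sha256_changed": hashlib.sha256(PAYLOAD).digest()
        != hashlib.sha256(crypted).digest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a practitioner is the last two lines of the result: the crypted copy still decrypts to the identical payload, yet neither the hash nor the signature matches any more. That is why a single crypting service can keep the same stealer "fresh" against signature-based products for months, and why static detection has to lean on heuristics such as section entropy, stub patterns and behaviour after unpacking rather than on the bytes of the encrypted body.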

The demand for reliable crypting has produced a crowded market of providers, most of them short-lived and lacking real expertise. Cryptor[.]biz stands out within that market as a long-running operation with a reputation for reliability: it is recommended by the creators of the RedLine and Vidar information stealers, malware families widely used to harvest credentials and other data that later feed ransomware attacks.

The identity of the person behind Cryptor[.]biz is not publicly known. The domain's registration records are hidden, but clues on the site indicate that prospective customers can register by visiting the domain crypt[.]guru or by messaging “masscrypt@exploit.im” on Jabber. Passive DNS records for both cryptor[.]biz and crypt[.]guru show that the domains forwarded incoming email to the address “obelisk57@gmail.com.”

Research by cyber intelligence firm Intel 471 shows that “obelisk57@gmail.com” was used to register an account under the handle “Kerens” on the Blacksoftware forum. The same Jabber address, “masscrypt@exploit.im,” has been tied to a “Kerens” account on the Russian-language hacking forum Exploit since 2011.

The login page for Cryptor[.]biz provides additional clues about who runs the service. In 2011, “Kerens” posted a negative review of a competing crypting service, VIP Crypt, on the Exploit forum, criticizing its reliability. After that review, “Kerens” went quiet on the forum for four years before suddenly advertising Cryptor[.]biz in October 2016. “Kerens” also used the email address “pepyak@gmail.com” to register accounts on the Russian-language hacking forums Verified and Damagelab. The domain autodoska[.]biz, registered to “pepyak@gmail.com,” was associated with a person named Yuri Churnov from Sevastopol, Crimea.

“Kerens” also used the email address “unforgiven57@mail.ru,” which registered several domains, including antivirusxp09[.]com. A further address, “spurtov@gmail.com,” was linked to domains such as mobile-soft[.]su. A leaked customer record from CDEK, a Russian express delivery company, showed that “gumboldt@gmail.com” belonged to a customer named Sergey Yurievich Purtov.

The crypting space deserves attention from security researchers and law enforcement because its top players are typically experienced, well-connected malicious coders. Crypting services are in direct contact with advanced malware authors, which makes them valuable sources of intelligence on new malware and on who is operating it. Disrupting or infiltrating a trusted crypting service can therefore impede many cybercriminal operations at once.

The person behind Cryptor[.]biz has not been conclusively identified, and attempts to reach Sergey Yurievich Purtov, who may be tied to the service, were unsuccessful. Even so, exposing crypting services and their operators helps in combating cybercrime and in protecting individuals and organizations from the malware those services keep in circulation.
