Cybercriminals Use AceCryptor to bypass detection and reverse engineering

Written by William Reddy

The Slovak company ESET said in a recent report that cybercriminals have been using a cryptor (packer) called AceCryptor since 2016.

The tool lets attackers hide the malware it wraps from security products and from analysis by researchers.

Let me remind you that we also wrote that PureCrypter Malware Attacks Government Organizations in Asia and North America, and also that Hackers Used the CovalentStealer Malware to Infiltrate the Network of a Defense Enterprise in the United States.

Cryptors (also called packers) are tools that encrypt and obfuscate the code of other malware so that the payload is harder to detect with static signatures and harder to reverse engineer; the original code is only decrypted in memory when the packed file runs.

According to ESET, in 2021 and 2022 alone its telemetry recorded more than 240,000 detections of AceCryptor, that is, over 10,000 hits per month. Over the same period ESET saw more than 80,000 unique samples of the cryptor, built from about 7,000 unique variants of its internal layout. The gap between samples and layouts is the whole point of a cryptor: the same payload can be re-packed into many files, each with a different hash.

Among the malware families packed with AceCryptor are well-known ones such as SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey.

ESET statistics on the use of AceCryptor in various malware campaigns.

The largest numbers of infections with AceCryptor-packed malware were recorded in Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland and India.

AceCryptor was first described by Avast in August 2022; at the time the tool was being used to spread the Stop ransomware and the RedLine infostealer.

AceCryptor-packed malware usually reaches victims' computers through trojanized installers for pirated software, spam emails with malicious attachments, or other malware that has already compromised the target system.

AceCryptor is also believed to be sold as a cryptor-as-a-service (CaaS): the same tool is used by different hacker groups to distribute unrelated malware families.

The cryptor itself is heavily obfuscated and uses a three-layer architecture in which each layer decrypts and decompresses the next stage, ending with the final payload. It also carries anti-VM, anti-debugging and anti-analysis checks, so that the payload is not exposed in a sandbox or under a debugger.

Ultimately, the cryptor launches the payload on the victim's device while staying as stealthy as possible, which is what makes it so popular with attackers.
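The mechanism described in the paragraphs above, as an added example written for this page (it is not ESET's analysis and not AceCryptor's real code, which ESET describes only as three obfuscated layers with anti-VM and anti-debugging checks): a toy two-layer packer using zlib and a repeating XOR key, a byte-signature check that hits on the raw payload but not on the packed blob, a Shannon-entropy check that still flags the blob, and a demonstration that re-packing the same payload with a new key yields a new file hash every time (the reason one cryptor produces tens of thousands of "unique" samples from a few thousand layouts). The payload, signature, key and all function names are constructed for the illustration.

```python
"""Toy cryptor illustrating why a packed payload defeats byte-signature
matching and hash blocklisting, while an entropy check still flags it.

Added illustrative example for this page. NOT AceCryptor's real algorithm:
zlib + repeating XOR are used purely to show the mechanism. The payload is
a constructed, harmless stand-in string.
"""
import hashlib
import math
import zlib
from collections import Counter
from typing import Iterable

# Constructed stand-in for a payload: repetitive text containing a marker
# that a naive static rule would look for. Not real malware.
SIGNATURE = b"EVIL_MARKER_1234"
PAYLOAD = (b"stand-in payload line with marker " + SIGNATURE + b"\n") * 32


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR every byte with a repeating key (symmetric: same call unpacks)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Layer 1: compress. Layer 2: XOR with key. The key is prepended so a
    (hypothetical) loader stub could reverse both layers at run time."""
    return key + xor_stream(zlib.compress(payload, 9), key)


def unpack(blob: bytes, key_len: int) -> bytes:
    """Reverse the two layers: strip key, XOR, decompress."""
    key, body = blob[:key_len], blob[key_len:]
    return zlib.decompress(xor_stream(body, key))


def signature_hit(data: bytes) -> bool:
    """What a plain byte-pattern rule does: substring search."""
    return SIGNATURE in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. ASCII text is typically ~4-5; compressed or encrypted
    data approaches 8 (bounded by log2(len) for small buffers)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repack_hashes(payload: bytes, keys: Iterable[bytes]) -> set:
    """Same payload, different key each build: every build is a new file
    hash, so hash-based blocklists see a brand-new 'sample' each time."""
    return {hashlib.sha256(pack(payload, k)).hexdigest() for k in keys}


def demo(key: bytes = b"\x13\x37\xc0\xde\xba\xad\xf0\x0d") -> dict:
    """Pack the constructed payload once and report what each check sees."""
    packed = pack(PAYLOAD, key)
    return {
        "sig_on_plain": signature_hit(PAYLOAD),
        "sig_on_packed": signature_hit(packed),
        "roundtrip_ok": unpack(packed, len(key)) == PAYLOAD,
        "entropy_plain": round(shannon_entropy(PAYLOAD), 2),
        "entropy_packed": round(shannon_entropy(packed), 2),
        "distinct_hashes_for_20_repacks": len(
            repack_hashes(PAYLOAD, [bytes([i]) * 8 for i in range(1, 21)])
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the results. The entropy check is the practical takeaway for defenders: a file section whose entropy approaches 8 bits per byte is a common heuristic for packed or encrypted content, and it does not care which cryptor produced it; the trade-off is false positives on legitimately compressed or encrypted resources, so it is a triage signal rather than a verdict.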

Earlier this year, Check Point described a packer called TrickGate that had been used for more than six years to deploy a wide variety of malware, including TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil.

Media also reported that the FonixCrypter ransomware operation shut down and published a key to decrypt victims' data.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
