Since 2016, crimeware development has leveraged ready-made encryption-cum-obfuscation malware for faster and more evasive distribution, reveals one cybersecurity firm

Since 2016, the hackers behind dozens of malware families have been relying on a software encryptor (also called a cryptor)  to protect their malicious code from antivirus solutions using static signatures.

Between 2021 and 2022, analysts from ESET had detected over 240,000 instances (roughly amounting to over 10,000 hits every month ) of this malware, called AceCryptor. Altogether, there were 240,000 detections, involving many of the cryptor’s obfuscation techniques to avoid detection.

Recently, the firm released further details about how AceCryptor operates. Because the malware is marketed as a Cryptor-as-a-Service, it is used by multiple threat actors to packed malicious code for distribution in multiple ways. This includes trojanized installers of pirated software, or spam emails containing malicious attachments.

Another way a victim may be exposed is via malware that downloads further malware that is protected by AceCryptor. One example is the Amadey botnet, which can download an AceCryptor-packed RedLine Stealer, which is sold on underground forums for stealing credit card credentials, cryptocurrency and other sensitive data.

According to ESET researcher Jakub Kaloč, who has been tracking AceCryptor: “Even though threat actors can create and maintain their own custom cryptors, it may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state. Demand for such protection has created multiple Cryptor-as-a-Service options that pack malware.”

Kaloč revealed that AceCryptor has multiple variants and currently uses a multistage, three-layer architecture. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. However, since encrypted malware can download additional malware, the fact that many families of malicious code may be present simultaneously on a compromised machine implies greater risk of damage.

Even though attribution of AceCryptor to a particular threat actor is not possible for now, ESET expects to discover more about it through analyzing future malware campaigns that deploy its functions.