April 24, 2024

Last year ESET published a blogpost about AceCryptor – one of the most popular and prevalent cryptors-as-a-service (CaaS) operating since 2016. For H1 2023 we published statistics from our telemetry, according to which trends from previous periods continued without drastic changes.

However, in H2 2023 we registered a significant change in how AceCryptor is used. Not only have we seen and blocked over double the attacks in H2 2023 compared with H1 2023, but we also noticed that Rescoms (also known as Remcos) started using AceCryptor, which was not the case before.

The vast majority of AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries including Poland, Slovakia, Bulgaria, and Serbia.

Key points of this blogpost:

  • AceCryptor continued to provide packing services to tens of very well-known malware families in H2 2023.
  • Even though it is well known to security products, AceCryptor’s prevalence is not showing indications of decline: on the contrary, the number of attacks significantly increased due to the Rescoms campaigns.
  • AceCryptor is a cryptor of choice for threat actors targeting specific countries and targets (e.g., companies in a particular country).
  • In H2 2023, ESET detected multiple AceCryptor+Rescoms campaigns in European countries, mainly Poland, Bulgaria, Spain, and Serbia.
  • The threat actor behind these campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible.
  • The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in case of a successful compromise would open possibilities for further attacks.

AceCryptor in H2 2023

In the first half of 2023 ESET protected around 13,000 users from AceCryptor-packed malware. In the second half of the year, there was a massive increase of AceCryptor-packed malware spreading in the wild, with our detections tripling, resulting in over 42,000 protected ESET users worldwide. As can be observed in Figure 1, we detected multiple sudden waves of malware spreading. These spikes show multiple spam campaigns targeted at European countries where AceCryptor packed a Rescoms RAT (discussed further in the Rescoms campaigns section).

Figure 1. Number of AceCryptor detections during the year 2023 (7-day moving average)

Moreover, when we compare the raw number of samples: in the first half of 2023, ESET detected over 23,000 unique malicious samples of AceCryptor; in the second half of 2023, we saw and detected “only” over 17,000 unique samples. Even though this might be unexpected, after a closer look at the data there is a reasonable explanation. The Rescoms spam campaigns used the same malicious file(s) in email campaigns sent to a greater number of users, thus increasing the number of people who encountered the malware, but still keeping the number of different files low. This did not happen in previous periods as Rescoms was almost never used in combination with AceCryptor. Another reason for the decrease in the number of unique samples is that some popular families apparently stopped (or almost stopped) using AceCryptor as their go-to CaaS. An example is Danabot malware, which stopped using AceCryptor; also, the prominent RedLine Stealer, whose users stopped using AceCryptor as much, based on a greater than 60% decrease in AceCryptor samples containing that malware.

As seen in Figure 2, AceCryptor still distributes, apart from Rescoms, samples from many different malware families, such as SmokeLoader, STOP ransomware, and Vidar stealer.

Figure 2. Malware families packed inside AceCryptor in H2 2023

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye, where Peru, at 4,700, had the greatest number of attacks. Rescoms spam campaigns changed these statistics dramatically in the second half of the year. As can be seen in Figure 3, AceCryptor-packed malware affected mostly European countries. By far the most affected country is Poland, where ESET prevented over 26,000 attacks; this is followed by Ukraine, Spain, and Serbia. And, it is worth mentioning that in each of those countries ESET products prevented more attacks than in the most affected country in H1 2023, Peru.

Figure 3. Heatmap of countries affected by AceCryptor, according to ESET telemetry

AceCryptor samples that we’ve observed in H2 often contained two malware families as their payload: Rescoms and SmokeLoader. A spike in Ukraine was caused by SmokeLoader. This fact was already mentioned by Ukraine’s NSDC. On the other hand, in Poland, Slovakia, Bulgaria, and Serbia the increased activity was caused by AceCryptor containing Rescoms as a final payload.

Rescoms campaigns

In the first half of 2023, we saw in our telemetry fewer than 100 incidents of AceCryptor samples with Rescoms inside. During the second half of the year, Rescoms became the most prevalent malware family packed by AceCryptor, with over 32,000 hits. Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia (Figure 4).

Figure 4. Heatmap of European countries affected by AceCryptor-packed Rescoms during H2 2023, according to ESET telemetry

Campaigns in Poland

Thanks to ESET telemetry we’ve been able to observe eight significant spam campaigns targeting Poland in H2 2023. As can be seen in Figure 5, the majority of them happened in September, but there were also campaigns in August and December.

Figure 5. Timeline of Rescoms campaigns in Poland (daily hits)

In total, ESET registered over 26,000 of these attacks in Poland for this period. All spam campaigns targeted businesses in Poland and all emails had very similar subject lines about B2B offers for the victim companies. To look as believable as possible, the attackers incorporated the following tricks into the spam emails:

  • Attackers did their research and used existing Polish company names and even existing employee/owner names and contact information when signing those emails. This was done so that in the case where a victim tries to Google the sender’s name, the search would be successful, which might lead them to open the malicious attachment.

  • The content of spam emails was in some cases simpler but in many cases (like the example in Figure 6) quite elaborate. Especially these more elaborate versions should be considered dangerous as they deviate from the standard pattern of generic text, which is often riddled with grammatical mistakes.

The email shown in Figure 6 contains a message followed by information about the processing of personal information done by the alleged sender and the possibility to “access the content of your data and the right to rectify, delete, limit processing restrictions, right to data transfer, right to raise an objection, and the right to lodge a complaint with the supervisory authority”. The message itself can be translated thus:

Dear Sir,

I am Sylwester [redacted] from [redacted]. Your company was recommended to us by a business partner. Please quote the attached order list. Please also inform us about the payment terms.

We look forward to your response and further discussion.

Best Regards,

Figure 6. Example phishing email targeting Polish companies, containing AceCryptor-packed Rescoms in the attachment

Attachments in all campaigns looked quite similar (Figure 7). Emails contained an attached archive or ISO file named offer/inquiry (of course in Polish), in some cases also accompanied with an order number. That file contained an AceCryptor executable that unpacked and launched Rescoms.

Figure 7. Compromise chain of Rescoms campaigns

Based on the behavior of the malware, we assume that the goal of these campaigns was to obtain email and browser credentials, and thus gain initial access to the targeted companies. While it is unknown whether the credentials were gathered for the group that carried out these attacks or if those stolen credentials would be later sold to other threat actors, it is certain that successful compromise opens the possibility for further attacks, especially from ransomware, which is currently popular.

It is important to state that Rescoms RAT can be bought; thus many threat actors use it in their operations. These campaigns are not only connected by target similarity, attachment structure, email text, or tricks and techniques used to deceive potential victims, but also by some less obvious properties. In the malware itself, we were able to find artifacts (e.g., the license ID for Rescoms) that tie those campaigns together, revealing that many of these attacks were carried out by one threat actor.

Campaigns in Slovakia, Bulgaria, and Serbia

During the same time periods as the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. These campaigns also mainly targeted local companies and we can even find artifacts in the malware itself tying these campaigns to the same threat actor that carried out the campaigns in Poland. The only significant thing that changed was, of course, the language used in the spam emails to be suitable for those specific countries.

Campaigns in Spain

Apart from previously mentioned campaigns, Spain also experienced a surge of spam emails with Rescoms as the final payload. Even though we can confirm that at least one of the campaigns was carried out by the same threat actor as in these previous cases, other campaigns followed a somewhat different pattern. Furthermore, even artifacts that were the same in previous cases differed in these and, because of that, we cannot conclude that the campaigns in Spain originated from the same place.

Conclusion

During the second half of 2023 we detected a shift in the usage of AceCryptor – a popular cryptor used by multiple threat actors to pack many malware families. Even though the prevalence of some malware families like RedLine Stealer dropped, other threat actors started using it or used it even more for their activities, and AceCryptor is still going strong. In these campaigns AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused, email accounts. Because opening attachments from such emails can have severe consequences for you or your company, we advise that you be aware of what you are opening and use reliable endpoint security software able to detect the malware.


IoCs

A comprehensive list of Indicators of Compromise (IoCs) can be found in our GitHub repository.

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 7D99E7AD21B54F07E857FC06E54425CD17DE3003 | PR18213.iso | Win32/Kryptik.HVOB | Malicious attachment from spam campaign carried out in Serbia during December 2023. |
| 7DB6780A1E09AEC6146ED176BD6B9DF27F85CFC1 | zapytanie.7z | Win32/Kryptik.HUNX | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| 7ED3EFDA8FC446182792339AA14BC7A83A272F85 | 20230904104100858.7z | Win32/Kryptik.HUMX | Malicious attachment from spam campaign carried out in Poland and Bulgaria during September 2023. |
| 9A6C731E96572399B236DA9641BE904D142F1556 | 20230904114635180.iso | Win32/Kryptik.HUMX | Malicious attachment from spam campaign carried out in Serbia during September 2023. |
| 57E4EB244F3450854E5B740B95D00D18A535D119 | SA092300102.iso | Win32/Kryptik.HUPK | Malicious attachment from spam campaign carried out in Bulgaria during September 2023. |
| 178C054C5370E0DC9DF8250CA6EFBCDED995CF09 | zamowienie_135200.7z | Win32/Kryptik.HUMI | Malicious attachment from spam campaign carried out in Poland during August 2023. |
| 394CFA4150E7D47BBDA1450BC487FC4B970EDB35 | PRV23_8401.iso | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Serbia during August 2023. |
| 3734BC2D9C321604FEA11BF550491B5FDA804F70 | BP_50C55_20230309_094643.7z | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Bulgaria during August 2023. |
| 71076BD712C2E3BC8CA55B789031BE222CFDEEA7 | 20_J402_MRO_EMS | Win32/Rescoms.B | Malicious attachment from spam campaign carried out in Slovakia during August 2023. |
| 667133FEBA54801B0881705FF287A24A874A400B | 7360_37763.iso | Win32/Rescoms.B | Malicious attachment from spam campaign carried out in Bulgaria during December 2023. |
| AF021E767E68F6CE1D20B28AA1B36B6288AFFFA5 | zapytanie ofertowe.7z | Win32/Kryptik.HUQF | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| BB6A9FB0C5DA4972EFAB14A629ADBA5F92A50EAC | 129550.7z | Win32/Kryptik.HUNC | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| D2FF84892F3A4E4436BEDC221102ADBCAC3E23DC | Zamowienie_ andre.7z | Win32/Kryptik.HUOZ | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| DB87AA88F358D9517EEB69D6FAEE7078E603F23C | 20030703_S1002.iso | Win32/Kryptik.HUNI | Malicious attachment from spam campaign carried out in Serbia during September 2023. |
| EF2106A0A40BB5C1A74A00B1D5A6716489667B4C | Zamowienie_830.iso | Win32/Kryptik.HVOB | Malicious attachment from spam campaign carried out in Poland during December 2023. |
| FAD97EC6447A699179B0D2509360FFB3DD0B06BF | lista zamówień i szczegółowe zdjęcia.arj | Win32/Kryptik.HUPK | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| FB8F64D2FEC152D2D135BBE9F6945066B540FDE5 | Pedido.iso | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Spain during August 2023. |
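As an added example (not ESET’s code and not tooling from the campaigns), the following Python script turns the IoC table above and the compromise chain described in the Rescoms campaigns section (an archive or ISO attachment wrapping the AceCryptor executable) into a simple defender-side triage: it matches attachment SHA-1 hashes from a mail gateway log against the published hashes, and separately flags the container types the campaigns used. Only a subset of the table’s hashes is embedded; the gateway log line format, the `from=` addresses and the sample log lines are constructed assumptions for this example, so the regular expression will need adapting to a real gateway’s fields.

```python
"""Attachment triage against the Rescoms/AceCryptor IoCs published above.

Added example, not ESET's tooling. The gateway log format is an assumption
made for this example; adapt LOG_RE to the actual fields your gateway emits.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Ioc:
    sha1: str        # SHA-1 of the attachment, lowercase hex (from the post's IoC table)
    filename: str    # attachment name seen in the campaign
    detection: str   # ESET detection name
    campaign: str    # country and month of the spam campaign


# Subset of the IoCs published above; the SHA-1 values are the post's own.
IOCS = (
    Ioc("7d99e7ad21b54f07e857fc06e54425cd17de3003", "PR18213.iso", "Win32/Kryptik.HVOB", "Serbia, December 2023"),
    Ioc("7db6780a1e09aec6146ed176bd6b9df27f85cfc1", "zapytanie.7z", "Win32/Kryptik.HUNX", "Poland, September 2023"),
    Ioc("178c054c5370e0dc9df8250ca6efbcded995cf09", "zamowienie_135200.7z", "Win32/Kryptik.HUMI", "Poland, August 2023"),
    Ioc("71076bd712c2e3bc8ca55b789031be222cfdeea7", "20_J402_MRO_EMS", "Win32/Rescoms.B", "Slovakia, August 2023"),
    Ioc("fb8f64d2fec152d2d135bbe9f6945066b540fde5", "Pedido.iso", "Win32/Kryptik.HUMF", "Spain, August 2023"),
)
IOC_BY_SHA1 = {ioc.sha1: ioc for ioc in IOCS}

# Delivery wrappers the post describes: an archive or ISO holding the AceCryptor executable.
CONTAINER_EXTENSIONS = {".iso", ".7z", ".arj"}

# Assumed (constructed) gateway log line shape:
#   2023-09-05T08:12:31Z from=<sender> attachment="<name>" sha1=<40 hex chars>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+attachment="(?P<name>[^"]+)"\s+sha1=(?P<sha1>[0-9A-Fa-f]{40})'
)


def lookup_sha1(digest: str) -> Optional[Ioc]:
    """Match a SHA-1 digest (any case, surrounding whitespace tolerated) against the IoC list."""
    return IOC_BY_SHA1.get(digest.strip().lower())


def verdict_for(name: str, digest: str) -> str:
    """An exact IoC hit outranks the weaker container-type heuristic."""
    if lookup_sha1(digest) is not None:
        return "known_ioc"
    if os.path.splitext(name)[1].lower() in CONTAINER_EXTENSIONS:
        return "suspicious_container"
    return "clean"


def classify_attachment(name: str, data: bytes) -> dict:
    """Hash raw attachment bytes (e.g. pulled from quarantine) and classify them."""
    digest = hashlib.sha1(data).hexdigest()
    hit = lookup_sha1(digest)
    return {"name": name, "sha1": digest, "verdict": verdict_for(name, digest),
            "detection": hit.detection if hit else None,
            "campaign": hit.campaign if hit else None}


def parse_gateway_line(line: str) -> Optional[dict]:
    """Extract timestamp, sender, attachment name and SHA-1 from one log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_log(lines: Iterable[str]) -> List[dict]:
    """Return a finding for every log line whose attachment is a known IoC or a suspicious container."""
    findings = []
    for line in lines:
        rec = parse_gateway_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        verdict = verdict_for(rec["name"], rec["sha1"])
        if verdict == "clean":
            continue
        hit = lookup_sha1(rec["sha1"])
        findings.append({"ts": rec["ts"], "sender": rec["sender"], "name": rec["name"], "verdict": verdict,
                         "detection": hit.detection if hit else None,
                         "campaign": hit.campaign if hit else None})
    return findings


# Constructed log lines, not real telemetry. The first carries a SHA-1 from the post's table and is a
# known IoC; the second is an unknown .7z that only trips the container heuristic; the third is a PDF
# and stays clean; the fourth is malformed and is skipped by the parser.
SAMPLE_LOG = [
    '2023-09-05T08:12:31Z from=handel@example-pl.invalid attachment="zapytanie.7z" '
    'sha1=7DB6780A1E09AEC6146ED176BD6B9DF27F85CFC1',
    '2023-09-05T08:14:02Z from=biuro@example-pl.invalid attachment="zamowienie_991.7z" sha1=' + "0" * 39 + "1",
    '2023-09-05T08:15:45Z from=info@example-pl.invalid attachment="faktura.pdf" sha1=' + "0" * 39 + "2",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

The two-tier verdict is deliberate: a hash match is high confidence and carries the detection name and campaign from the table, while the container-type heuristic is only a prompt for analyst review, since ISO and 7z attachments also occur in legitimate mail. Hash-only matching will miss the next campaign’s files, which is why the post’s broader advice (attachment awareness and endpoint protection) still applies.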

MITRE ATT&CK techniques

This table was built using version 14 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses | Email addresses and contact information (either bought or gathered from publicly available sources) were used in phishing campaigns to target companies across multiple countries. |
| Resource Development | T1586.002 | Compromise Accounts: Email Accounts | Attackers used compromised email accounts to send phishing emails in spam campaigns to increase the spam emails’ credibility. |
| Resource Development | T1588.001 | Obtain Capabilities: Malware | Attackers bought and used AceCryptor and Rescoms for phishing campaigns. |
| Initial Access | T1566 | Phishing | Attackers used phishing messages with malicious attachments to compromise computers and steal information from companies in multiple European countries. |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Attackers used spearphishing messages to compromise computers and steal information from companies in multiple European countries. |
| Execution | T1204.002 | User Execution: Malicious File | Attackers relied on users opening and launching malicious files with malware packed by AceCryptor. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Attackers attempted to steal credential information from browsers and email clients. |