A global stealth malware threat revealed


ESET, a European company specializing in cybersecurity solutions, recently revealed details about a cryptor – a camouflage method employed by cybercriminals to conceal malware code and escape detection.

Known as AceCryptor, this disguise, in circulation since 2016, has helped spread malicious campaigns on a global scale.

[Image: AceCryptor-Map]

During 2021 and 2022 alone, ESET's advanced telemetry identified more than 240 cases of malicious code camouflaged with AceCryptor. This number corresponds to more than 10 monthly detections, suggesting that this cryptor is possibly marketed on the dark web or in secret forums. Today, numerous families of malicious code, including those designed to steal credit card credentials and sensitive data, rely on AceCryptor as their main barrier against detection.

Challenges in protecting against malware detection

For malware creators, safeguarding their attack tools is a constant challenge. Jakub Kaloč, researcher at ESET, explained that “cryptors represent the first line of defense for distributed malware. While threat actors can create and maintain their own custom cryptors, it is often costly or technically complex to maintain a cryptor in a state of complete undetectability. This need for camouflage has given rise to a variety of cryptor-as-a-service options that include malware.”

RedLine Stealer, one of the malware families most frequently seen packed with AceCryptor, is malicious software sold on clandestine forums for the purpose of stealing credit card credentials, sensitive data, and even cryptocurrencies. This malware was first detected in early 2022, and since then its distributors have turned to AceCryptor.

Because so many different malicious actors use AceCryptor, the packed malware reaches victims in a variety of ways. According to ESET's telemetry, devices were mostly exposed to AceCryptor-packed malware through fraudulent installers for pirated software or through spam emails with malicious attachments.

AceCryptor Implications and Protection Measures

The extensive use of AceCryptor means that any user can be affected. Because of the variety of malicious code packed with AceCryptor, it is difficult to determine the severity of the consequences for a compromised user. ESET anticipates that AceCryptor will continue to be widely used. Careful monitoring can help identify and prevent new malware campaigns that use this cryptor. Throughout 2021 and 2022, ESET protected over 80 customers affected by malware packed with AceCryptor.
