Showing posts with label Smokeloader.

What is AceCryptor Malware? A Quick Insight


AceCryptor first appeared in 2016. Because this cryptor has since been used to pack tens of malware families, many of its technical components have already been discussed and detailed. You may already know it under other names: the DJVU obfuscation, SmokeLoader's stage 1, RedLine Stealer's stages 1, 2 and 3, or simply an "easy and popular packer". Here we connect the dots by summarizing what is known about its variants, the malware families found packed by it, and how common AceCryptor is in the wild. Many (but not all) of the published blog posts fail to recognize this cryptor as a separate malware family in its own right.

For malware authors, keeping their malware from being detected is a constant challenge. A cryptor is the first line of defense for malware that is about to be distributed. Threat actors can design and maintain their own custom cryptors, but for crimeware operators keeping a cryptor in the state known as FUD (fully undetectable) is often time-consuming or technically difficult. Numerous cryptor-as-a-service (CaaS) offerings have emerged in response to the demand for this protection. These cryptors combine several anti-VM, anti-debugging, and anti-analysis techniques to hide the packed payload.

Since it first appeared, AceCryptor has been used by several malware authors. Its services were even used by crimeware like Emotet, which did not have its own cryptor at the time. During 2021 and 2022, security company ESET found more than 80,000 unique AceCryptor samples. Because of the wide variety of malware families packed by it, AceCryptor is believed to be offered somewhere as a CaaS. Even though the exact price of the service is unknown, the number of unique files found suggests that the profit for AceCryptor's authors is far from insignificant.

Because AceCryptor is used by a wide range of threat actors, malware packed by it is also distributed in a variety of ways. Based on ESET telemetry, devices were primarily exposed to AceCryptor-packed malware through spam emails with malicious attachments or through trojanized installers of pirated software.

In addition, malware that downloads further malware protected by AceCryptor can expose a user to it as well. The Amadey botnet, which ESET has observed downloading an AceCryptor-packed RedLine Stealer, is one example.

AceCryptor is thus a long-lived cryptor, expected to be sold as a CaaS on dark web or underground forums. Tens of different malware families have used this cryptor, and many of them rely on it as their primary defense against static detection.

Because this cryptor is used by several threat actors, anyone can be affected. Given the diversity of the packed malware, it is hard to predict how severe the consequences are for a victim. AceCryptor-packed malware may have been downloaded or dropped by other malware already active on the victim's machine; if the victim was infected directly, for example by opening a malicious email attachment, cleaning the compromised system can be very challenging.

New Golang Botnet Drains Windows Users’ Cryptocurrency Wallets

 

A new Golang-based botnet has been ensnaring hundreds of Windows PCs each time its operators launch a new command-and-control (C2) server. The previously undocumented botnet, which ZeroFox researchers discovered in October 2021 and dubbed Kraken, uses the SmokeLoader backdoor and malware downloader to spread to new Windows systems.

After compromising a Windows device, the botnet adds a new Registry key so that it persists across reboots. It also adds a Microsoft Defender exclusion so that its installation directory is never scanned, and sets the hidden attribute on its binary so it does not show up in Windows Explorer.
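The persistence and evasion combination described above is something a responder can check for directly. The script below is an added example, not code from the original post or from ZeroFox's report. It assumes the "new Registry key" is one of the standard Run/RunOnce autostart keys (the post does not name the key) and that Microsoft Defender is the host's AV; both assumptions are marked in the comments.

```powershell
# Added example, not code from the original post or from ZeroFox's report.
# Read-only triage of the three traits described above on a Windows host:
#   1. Microsoft Defender path exclusions,
#   2. autostart entries and the binaries they launch,
#   3. whether such a binary is hidden and/or sits inside an excluded path.
# Assumptions (not stated on the page): the "new Registry key" is one of the
# standard Run/RunOnce autostart keys, and Defender is the AV in use.
# Run from an elevated PowerShell session (Get-MpPreference needs it).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Every path exclusion is a location Defender will never scan; list them all.
$exclusions = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
Write-Host "Defender path exclusions: $($exclusions.Count)"
$exclusions | ForEach-Object { Write-Host "  EXCLUDED: $_" }

function Test-UnderExcludedPath {
    param([string]$Path, [string[]]$Exclusions)
    foreach ($ex in $Exclusions) {
        # Crude prefix match; Defender exclusions may also contain wildcards,
        # which this does not expand.
        if ($Path.StartsWith($ex.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 2. Walk the autostart keys and resolve each value to the executable it runs.
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        $cmd = [string]$p.Value
        # Quoted path, or first token up to the first space.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # -Force is required, or Get-Item will not return hidden files at all.
        $item = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue

        # 3. Hidden attribute plus an excluded location is the combination
        #    described for Kraken; either one alone is only a weak signal.
        $hidden = $false
        if ($item) { $hidden = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden) }
        $excluded = Test-UnderExcludedPath -Path $exe -Exclusions $exclusions

        [pscustomobject]@{
            Key      = $key
            Name     = $p.Name
            Exe      = $exe
            Exists   = [bool]$item
            Hidden   = $hidden
            Excluded = $excluded
            Suspect  = ($hidden -and $excluded)
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspect | ForEach-Object {
    Write-Warning "Hidden autostart binary inside a Defender exclusion: $($_.Exe) ($($_.Key)\$($_.Name))"
}
```

The script only reads state and does not remove anything; a legitimate product can also register an exclusion and an autostart entry, so the `Suspect` column is a triage hint to be confirmed against the file's publisher and hash rather than a verdict.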

Kraken has a basic feature set that lets attackers download and run additional malicious payloads on infected devices, such as RedLine Stealer. RedLine is currently the most widely deployed information stealer, capable of harvesting victims' passwords, browser cookies, credit card details, and cryptocurrency wallet information.

ZeroFox stated, "Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer. It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet." 

The botnet also has data-stealing capabilities of its own and can steal cryptocurrency wallets before dropping other information stealers and cryptocurrency miners. According to ZeroFox, Kraken can steal data from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty wallets. Based on data from the Ethermine cryptocurrency mining pool, the botnet appears to be adding almost USD 3,000 per month to its operators' wallets.

The researchers added, "While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP."

Regardless, "by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2."

Pay to Play PrivateLoader Disseminates Smokeloader, Redline & Vidar Malware

 

An investigation into a pay-per-install loader has revealed its role in the distribution of well-known malware families including SmokeLoader and Vidar.

Intel 471 published a report on PrivateLoader on Tuesday, analyzing attacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for some time, but it is unclear who created it. Loaders are used to deploy additional payloads on a target machine.

PrivateLoader is a loader sold to criminal customers on a per-install basis, with payment based on the number of victims infected. It is managed through a set of command-and-control (C2) servers and an AdminLTE 3-based administrator panel.

Through the front-end panel, operators can add new users, configure the loader to install a payload, pick target regions and countries, set up payload download links and encryption, and select browser extensions to push to infected devices.

The loader is mainly distributed through websites offering pirated software. Cracked copies of popular software, sometimes bundled with key generators, are illegal versions modified to bypass licensing or payment checks. On these sites, the download buttons for cracked software are wired to JavaScript that serves the payload inside a .ZIP archive.

According to the firm's findings, the archive contains a malicious executable. Running that .exe launches a fake GCleaner loader reseller, PrivateLoader, and RedLine.
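Before running anything from such an archive, an analyst wants to know what is actually inside it. The script below is an added example, not code from the original post or from Intel 471's report: it inspects a .ZIP without extracting it and flags entries that start with the PE magic "MZ" whether or not their name ends in .exe. The archive it inspects is constructed on the fly as a stand-in for the download described above (not a real sample), so the script runs offline.

```powershell
# Added example, not code from the original post or from Intel 471's report.
# Triage a downloaded archive without extracting it: read the first two bytes
# of every entry and flag PE files ("MZ" magic) whose extension says otherwise.
# The archive below is constructed in a temp directory as a stand-in for the
# .ZIP served by the fake download button, so the script runs offline.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipPeEntries {
    param([Parameter(Mandatory)][string]$ZipPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Length -lt 2) { continue }        # directory or empty entry
            $stream = $entry.Open()
            try {
                $magic = New-Object byte[] 2
                $read  = $stream.Read($magic, 0, 2)
            } finally { $stream.Dispose() }
            $isPe = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
            $ext  = [IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            [pscustomobject]@{
                Name      = $entry.FullName
                Bytes     = $entry.Length
                IsPE      = $isPe
                # A PE whose name does not end in a PE extension is the classic
                # renamed-payload / double-extension trick.
                Disguised = ($isPe -and ($ext -notin '.exe', '.dll', '.scr', '.com'))
            }
        }
    } finally { $zip.Dispose() }
}

# --- constructed sample archive (not a real sample) ---
$work   = Join-Path ([IO.Path]::GetTempPath()) ('ppi-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$sample = Join-Path $work 'Setup_Cracked_v2.zip'
$out = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $add = {
        param([string]$name, [byte[]]$bytes)
        $s = $out.CreateEntry($name).Open()
        try { $s.Write($bytes, 0, $bytes.Length) } finally { $s.Dispose() }
    }
    & $add 'readme.txt'  ([Text.Encoding]::ASCII.GetBytes('Run setup.exe, then apply the patch.'))
    & $add 'setup.exe'   ([byte[]](0x4D, 0x5A, 0x90, 0x00))   # PE, honest extension
    & $add 'license.pdf' ([byte[]](0x4D, 0x5A, 0x90, 0x00))   # PE posing as a document
} finally { $out.Dispose() }

Get-ZipPeEntries -ZipPath $sample | Format-Table -AutoSize
Remove-Item -Recurse -Force $work
```

Point `Get-ZipPeEntries` at a real download to use it for triage; because only the first two bytes of each entry are read, it is safe to run on archives of any size, and nothing is written to disk or executed.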

Since at least May 2021, PrivateLoader has been used to deliver SmokeLoader, RedLine, and Vidar. SmokeLoader is the best known of these families: it is itself a loader that can also be used for data theft and reconnaissance. RedLine specializes in credential theft, while Vidar is an information stealer that harvests a variety of data types, including passwords, documents, and digital wallet details.

A SmokeLoader distribution link also points to a possible connection with the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots.

Although PrivateLoader is not specifically linked to ransomware distribution, an associated loader known as Discoloader has been used in attacks aimed at spreading ransomware.

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."