Rescoms rides waves of AceCryptor spam

AceCryptor-packed malware surged in H2 2023, with Rescoms (Remcos) becoming the dominant payload delivered via targeted spam campaigns across multiple European countries. Attackers distributed ISO/7z attachments containing AceCryptor-packed executables that unpacked and executed Rescoms to harvest browser and email credentials, often using typosquatted or compromised corporate email accounts to increase credibility. #AceCryptor #Rescoms

Keypoints

  • Detections of AceCryptor-packed malware tripled in H2 2023, driven largely by campaigns delivering Rescoms as the final payload.
  • Spam campaigns targeted businesses in Poland, Serbia, Spain, Bulgaria, and Slovakia using localized, business-oriented lures.
  • Emails carried ISO or 7z attachments (named like offer/inquiry/order) that contained AceCryptor-packed executables which unpacked and launched Rescoms.
  • Attackers used typosquatting and abused compromised legitimate email accounts to make phishing messages appear authentic.
  • The primary objective was credential theft from web browsers and email clients to enable further access and follow-on attacks.
  • Malware artifacts (for example, Rescoms license IDs) and provided IoCs tie many samples and campaigns to a single threat actor; a comprehensive IoC list is hosted on ESET’s GitHub.

MITRE Techniques

  • [T1589.002] Gather Victim Identity Information: Email Addresses – Used to collect target contact details for phishing campaigns (‘Email addresses and contact information (either bought or gathered from publicly available sources) were used in phishing campaigns to target companies across multiple countries.’)
  • [T1586.002] Compromise Accounts: Email Accounts – Compromised corporate email accounts were abused to send phishing messages and increase credibility (‘Attackers used compromised email accounts to send phishing emails in spam campaigns to increase spam email’s credibility.’)
  • [T1588.001] Obtain Capabilities: Malware – Actors purchased and deployed AceCryptor and Rescoms to facilitate the campaigns (‘Attackers bought and used AceCryptor and Rescoms for phishing campaigns.’)
  • [T1566] Phishing – Phishing messages with malicious attachments were the primary initial access vector (‘Attackers used phishing messages with malicious attachments to compromise computers and steal information from companies in multiple European countries.’)
  • [T1566.001] Phishing: Spearphishing Attachment – Spearphishing attachments (ISO/7z) were used to deliver the packed executables (‘Attackers used spearphishing messages to compromise computers and steal information from companies in multiple European countries.’)
  • [T1204.002] User Execution: Malicious File – The attack relied on victims opening and executing the delivered malicious files packed by AceCryptor (‘Attackers relied on users opening and launching malicious files with malware packed by AceCryptor.’)
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Post-compromise activity targeted credential extraction from browsers and email clients (‘Attackers tried to steal credential information from browsers and email clients.’)

Indicators of Compromise

  • [SHA-1 hashes] Malicious attachment samples – 7D99E7AD21B54F07E857FC06E54425CD17DE3003, 7DB6780A1E09AEC6146ED176BD6B9DF27F85CFC1, and 15 more hashes
  • [Filenames] Spam attachment names used in campaigns – PR18213.iso, zapytanie.7z, and other similar offer/order-named archives
  • [Repository] IoC collection location – comprehensive list of IoCs published in ESET’s GitHub repository (see source link for original research)

AceCryptor was used as a packer to hide the Rescoms RAT inside ISO/7z attachments delivered by targeted spam. Emails typically carried an attachment named as an offer, inquiry, or order; that archive housed an AceCryptor-packed executable which, when extracted and executed by the user, unpacked and launched the Rescoms payload.

Distribution techniques included spearphishing with localized business lures, typosquatted sender domains, and emails sent from previously compromised legitimate accounts, which defeat simple sender-authenticity checks. The Rescoms samples observed were configured to harvest credentials from web browsers and email clients, giving the actor initial access that could be used for lateral movement or sold to other actors.
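As an added example (not code from the ESET report), one way a mail gateway or SOC script can triage inbound messages against the pattern described above: archive attachments with offer/order-style names, combined with lookalike sender domains. The partner-domain allow-list, the sample records and the scoring weights are constructed assumptions.

```python
import re

# Constructed sample mail-gateway records (not from the report): (sender, attachment name).
SAMPLE_MESSAGES = [
    ("accounting@exarnple-partner.com", "PR18213.iso"),  # lookalike domain + ISO archive
    ("sales@trusted-partner.com", "zapytanie.7z"),       # genuine domain, possibly compromised
    ("hr@trusted-partner.com", "agenda.pdf"),            # benign document
    ("marketing@newsletter.example", "offer.pdf"),       # lure word alone, no archive
]
KNOWN_PARTNER_DOMAINS = {"example-partner.com", "trusted-partner.com"}  # assumed allow-list
ARCHIVE_EXTS = (".iso", ".7z")                           # container types named in the report
LURE_WORDS = ("offer", "inquiry", "order", "zapytanie")  # lure words named in the report
LURE_CODE = re.compile(r"^[A-Za-z]{1,3}\d{4,}\.")        # reference-code names such as PR18213.iso

def levenshtein(a, b):
    """Edit distance, used to spot lookalike sender domains (e.g. 'rn' in place of 'm')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain, known=KNOWN_PARTNER_DOMAINS):
    """Return the known domain this sender domain imitates, or None if exact or unrelated."""
    for k in known:
        if domain != k and levenshtein(domain, k) <= 2:
            return k
    return None

def score_message(sender, attachment, known=KNOWN_PARTNER_DOMAINS):
    """Score one message; archive attachments are rare enough in business mail to weigh heavily."""
    score, reasons, name = 0, [], attachment.lower()
    if name.endswith(ARCHIVE_EXTS):
        score, reasons = score + 2, reasons + ["archive attachment"]
    if any(w in name for w in LURE_WORDS) or LURE_CODE.match(attachment):
        score, reasons = score + 1, reasons + ["offer/order-style filename"]
    imitated = lookalike_domain(sender.rsplit("@", 1)[-1], known)
    if imitated:
        score, reasons = score + 2, reasons + [f"sender domain resembles {imitated}"]
    return score, reasons

def flag_messages(messages, threshold=3):
    """Return messages reaching the threshold; these warrant quarantine or analyst review."""
    scored = ((s, a, *score_message(s, a)) for s, a in messages)
    return [(s, a, reasons) for s, a, score, reasons in scored if score >= threshold]
```

Note that the message from the genuine partner domain is still flagged on attachment evidence alone, which matters because the report describes compromised legitimate accounts as a sending vector.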

Analysts found artifacts in the malware (for example, Rescoms license IDs) that link many samples to a single actor. For technical indicators and sample hashes used in detection and hunting, consult the authors’ IoC repository and the original report for full details and detections.

Read more: https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/