Shedding light on AceCryptor and its operation

AceCryptor is a long-running cryptor that packs tens of malware families and uses extensive obfuscation and anti-analysis techniques to hide its payload. ESET researchers describe its three-layer architecture, diverse distribution, and the scale of its impact in 2021–2022, including thousands of detections across many actors. #AceCryptor #RedLineStealer

Keypoints

  • AceCryptor provides packing services to tens of very well-known malware families.
  • Samples of AceCryptor are widespread globally due to multiple threat actors using it in their campaigns.
  • AceCryptor is heavily obfuscated and has incorporated many techniques to avoid detection.
  • The cryptor has multiple variants, described in the ESET blogpost, and is sold as a CaaS (cryptor-as-a-service), so one packer build shows up in campaigns run by unrelated actors.
  • ESET observed over 80,000 customers affected and over 80,000 unique AceCryptor samples in 2021–2022.
  • Malware packed by AceCryptor is distributed via trojanized installers, spam emails with malicious attachments, and through other malware that downloads AceCryptor-packed payloads.
  • Technical analysis describes a three-layer architecture (Layer 1 obfuscation and decryption, Layer 2 decryption and optional decompression, Layer 3 payload execution via process hollowing or reflective loading) and multiple anti-analysis techniques.

MITRE Techniques

  • [T1106] Native API – AceCryptor launches the process that will host its payload with the CreateProcessA API.
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – loops of arbitrary code delay execution of the core functionality, so a sandbox with a short run budget times out before the payload is unpacked.
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – multiple checks detect sandboxes and emulators before the payload is exposed.
  • [T1140] Deobfuscate/Decode Files or Information – TEA, XTEA, RC4, or an LCG-based keystream, followed by LZO_1Z decompression, recover the position-independent code and the final payload.
  • [T1027] Obfuscated Files or Information – AceCryptor masks values such as the payload length, the known constants of the decryption algorithms, and the decryption key, so signatures keyed on those constants do not match.
  • [T1055.012] Process Injection: Process Hollowing – AceCryptor creates a new process in a suspended state, unmaps its memory, and writes the hidden payload in its place.
  • [T1620] Reflective Code Loading – a reflective loader overwrites AceCryptor's own image with the hidden Windows PE payload.
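The Layer 2 decryption step (T1140) and the masking of algorithm constants (T1027) are the two points an analyst writing an unpacker most often trips over: a decryptor hard-wired to the textbook TEA/XTEA round constant silently produces garbage, and a decryptor that does not validate its output cannot tell garbage from a payload. The following Python block is an added example, not ESET's tooling and not code from AceCryptor: it implements TEA and XTEA with the round constant (delta) as a parameter, runs a candidate list of (algorithm, delta) pairs over a blob, and accepts a result only if it carries a plausible PE header. The 16-byte key, the non-standard delta value, and the stand-in "PE" payload are constructed here for illustration; AceCryptor's real constants, key derivation and block mode are not on this page, and ECB over 8-byte blocks is assumed only because it is the simplest mode a loader stub could use.

```python
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 32
STD_DELTA = 0x9E3779B9     # textbook TEA/XTEA round constant; a packer may swap it out
KEY = bytes(range(16))     # constructed 128-bit key for the demo (not a real sample's key)
MASKED_DELTA = 0x1B873593  # constructed stand-in for a packer-chosen, non-standard delta


def _words(data: bytes):
    """Little-endian 32-bit words, as an x86 loader stub would read them."""
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _bytes(words):
    return struct.pack("<%dI" % len(words), *[w & MASK32 for w in words])


def tea_block(v0, v1, k, delta, decrypt):
    """One 64-bit TEA block; only the delta differs from the textbook cipher."""
    k0, k1, k2, k3 = k
    if not decrypt:
        s = 0
        for _ in range(ROUNDS):
            s = (s + delta) & MASK32
            v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
            v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    else:
        s = (delta * ROUNDS) & MASK32
        for _ in range(ROUNDS):
            v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
            v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
            s = (s - delta) & MASK32
    return v0, v1


def xtea_block(v0, v1, k, delta, decrypt):
    """One 64-bit XTEA block; the key word used depends on the running sum."""
    if not decrypt:
        s = 0
        for _ in range(ROUNDS):
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
            s = (s + delta) & MASK32
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    else:
        s = (delta * ROUNDS) & MASK32
        for _ in range(ROUNDS):
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
            s = (s - delta) & MASK32
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0, v1


BLOCK_CIPHERS = {"tea": tea_block, "xtea": xtea_block}


def crypt(algo, data, key, delta=STD_DELTA, decrypt=False):
    """ECB over 8-byte blocks (assumed mode); encrypt or decrypt with a chosen delta."""
    if len(key) != 16 or len(data) % 8:
        raise ValueError("need a 16-byte key and data that is a multiple of 8 bytes")
    k, words, out = _words(key), _words(data), []
    for i in range(0, len(words), 2):
        out.extend(BLOCK_CIPHERS[algo](words[i], words[i + 1], k, delta, decrypt))
    return _bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """Accept a decrypted buffer only if it has an MZ stub and 'PE\\0\\0' at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_stage(blob, key, candidates):
    """Try each (algorithm, delta) pair; return the first output that validates.
    Candidates should come from constants read out of the sample's decryption loop."""
    for algo, delta in candidates:
        out = crypt(algo, blob, key, delta, decrypt=True)
        if looks_like_pe(out):
            return algo, delta, out
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a packed payload: DOS header whose e_lfanew points
    at a PE signature, then filler. It is not a loadable executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40 bytes; e_lfanew lives at 0x3C
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr + b"PE\0\0" + b"next stage".ljust(0x1C, b"\0"))  # 0x60 bytes


def demo():
    payload = build_sample_pe()
    blob = crypt("xtea", payload, KEY, MASKED_DELTA)   # what the packer would emit
    textbook = [("tea", STD_DELTA), ("xtea", STD_DELTA)]
    naive = unpack_stage(blob, KEY, textbook)          # masked constant: nothing validates
    found = unpack_stage(blob, KEY, textbook + [("xtea", MASKED_DELTA)])
    return naive, found, payload


if __name__ == "__main__":
    naive, found, payload = demo()
    print("textbook constants only:", naive)
    print("with recovered delta:", found[0], hex(found[1]), found[2] == payload)
```

Calling `demo()` shows the failure mode the T1027 entry describes: with only the textbook delta in the candidate list the blob never validates, and it unpacks as soon as the delta read out of the sample's loop is added. The same shape carries over to the RC4 and LCG variants the page lists: add the decryptor to the candidate list and keep the header validation, since with a masked key or constant the decryptor will happily return bytes either way.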

Indicators of Compromise

  • [File Hash] AceCryptor-related samples – 0BE8F44F5351A6CBEF1A54A6DE7674E1219D65B6, 0BE56A8C0D0DE11E0E97B563CAE6D1EE164F3317, and 18 more hashes

Read more: https://www.welivesecurity.com/2023/05/25/shedding-light-acecryptor-operation/