July 13, 2024
Shedding mild on AceCryptor and its operation

ESET researchers reveal particulars a few prevalent cryptor, working as a cryptor-as-a-service utilized by tens of malware households

On this blogpost we study the operation of AceCryptor, initially documented by Avast. This cryptor has been round since 2016 and since – all through its existence – it has been used to pack tens of malware households, many technical elements of this malware have already been described. You may have already got examine this cryptor, which is variously often called the DJVU obfuscation, SmokeLoader’s stage 1, RedLine stealer’s stage 1, 2 and 3, simple and popular packer, and so forth… Many (however not all) of the revealed blogposts don’t even acknowledge this cryptor as a separate malware household, so allow us to join all of the dots for you, offering not solely a technical evaluation of its variants but additionally an summary of the malware households that may be discovered packed by it and the way prevalent AceCryptor is within the wild.

For malware authors, defending their creations in opposition to detection is a difficult job. Cryptors are the primary layer of protection for malware that will get distributed. Regardless that risk actors can create and preserve their very own customized cryptors, for crimeware risk actors it typically could also be a time-consuming or technically tough job to take care of their cryptor in a so-called FUD (totally undetectable) state. Demand for such safety has created a number of cryptor-asa-service (CaaS) choices that pack malware. These cryptors can embody a number of anti-VM, anti-debugging ,and anti-analysis strategies mixed to realize concealment of the payload.

Key factors of this blogpost:

  • AceCryptor gives packing providers to tens of very well-known malware households.
  • Samples of AceCryptor are very prevalent internationally as a result of a number of risk actors utilizing it actively unfold their packed malware in their very own campaigns.
  • AceCryptor is closely obfuscated and all through the years has included many strategies to keep away from detection.
  • AceCryptor has a number of variants which can be described on this blogpost.
  • Regardless that it’s potential to seek out technical analyses (largely the place this cryptor seems as a component/stage of different malware) performed by different researchers, ESET Analysis goals to supply not solely a complete overview of AceCryptor’s performance, but additionally its historical past and unfold.
  • Throughout 2021 and 2022, ESET protected greater than 80,000 clients who have been affected by malware packed by AceCryptor.

Statistics and packed households overview

For the reason that first identified appearances of AceCryptor again in 2016, many malware authors have used the providers of this cryptor, even the best-known crimeware like Emotet, again when it didn’t use its personal cryptor. Throughout 2021– 2022 ESET detected greater than 80,000 distinctive samples of AceCryptor. Due to the excessive variety of completely different malware households packed inside, we assume that AceCryptor is offered someplace as a CaaS. If we think about the variety of distinctive recordsdata detected: although we don’t know the precise pricing of this service, we assume that the positive aspects to the AceCryptor authors aren’t negligible.

Due to the excessive quantity of samples over previous years, the next stats are based mostly solely on samples detected throughout 2021 and 2022. As may be seen in Determine 1, detection hits have been distributed fairly evenly all through these two years, which is to be anticipated from malware utilized by a lot of risk actors who don’t synchronize their campaigns.

Determine 1. Variety of AceCryptor detections through the years 2021 and 2022 (7-day shifting common)

After trying on the malware packed by AceCryptor, we discovered over 200 ESET detection names. Now, after all one malware household might have a number of detection names throughout the person variants, due to updates or modifications in obfuscation – e.g., MSIL/Spy.RedLine.A and MSIL/Spy.RedLine.B are each detections for the RedLine Stealer malware. Detection names for another malware should not by household, however by class (e.g., ClipBanker or Agent), as a result of quite a lot of unpacked malware samples are generic clipboard stealers, trojans, and so forth that aren’t that widespread and/or are simply barely modified variants of different identified malware revealed in varied public repositories. After grouping, we are able to conclude that after unpacking, among the many malware households discovered are SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, STOP ransomware, Amadey, Fareit, Pitou, Tofsee, Taurus, Phobos, Formbook, Danabot, Warzone, and plenty of extra… Determine 2 exhibits an summary of the portions of samples belonging to a number of the well-known and prevalent malware households packed by  AceCryptor.

Determine 2. Malware households packed inside AceCryptor throughout 2021 and 2022

Monitoring actions of CaaS suppliers corresponding to AceCryptor is useful for monitoring of malware that makes use of their providers. For instance, contemplate a RedLine Stealer that was first seen in Q1 2022. As may be seen in Determine 3, RedLine Stealer distributors used AceCryptor for the reason that starting of RedLine Stealer’s existence and nonetheless proceed to take action. Thus, having the ability to reliably detect AceCryptor (and different CaaS) not solely helps us with visibility of recent rising threats, but additionally with monitoring the actions of risk actors.

Determine 3. Incidents of RedLine Stealer in AceCryptor samples (7-day averages)

Victimology

As must be anticipated from the number of malware packed inside AceCryptor and the variety of pursuits of various malware authors, AceCryptor is seen in every single place on the earth. Throughout 2021 and 2022, ESET telemetry detected over 240,000 detection hits of this malware, which quantities to over 10,000 hits each month. In Determine 4 you may see the nations with the very best numbers of detections throughout 2021 and 2022.

Determine 4. Heatmap of nations affected by AceCryptor in keeping with ESET telemetry

Throughout 2021 and 2022, ESET merchandise detected and blocked malware variants packed by AceCryptor on greater than 80,000 clients’ computer systems. We additionally found over 80,000 distinctive samples of AceCryptor. Now, after all that any pattern could possibly be detected at a number of computer systems or one laptop was protected a number of instances by ESET software program, however the variety of distinctive hashes simply exhibits how actively the authors of AceCryptor work on its obfuscation and detection evasion. We’ll dive deeper into the technical particulars of AceCryptor’s obfuscations within the Technical evaluation a part of this blogpost.

What’s value mentioning right here is that although the variety of distinctive samples of AceCryptor may be very excessive, the variety of distinctive samples packed inside is fewer than 7,000. This exhibits the diploma to which many malware authors depend on the providers of a cryptor and the way handy it’s for them to pay for this sort of service relatively than make investments their time and assets to implement their very own cryptor resolution.

Distribution

As a result of AceCryptor is utilized by a number of risk actors, malware packed by it’s also distributed in a number of other ways. In keeping with ESET telemetry, units have been uncovered to AceCryptor-packed malware primarily through trojanized installers of pirated software program, or spam emails containing malicious attachments.

One other means that somebody could also be uncovered to AceCryptor-packed malware is through different malware that downloaded new malware protected by AceCryptor. An instance is the Amadey botnet, which now we have noticed downloading an AceCryptor-packed RedLine Stealer.

We’d like to notice that this works each methods and a number of the malware households protected by AceCryptor may also obtain new, extra malware.

Technical evaluation

At present AceCryptor makes use of a multistage, three-layer structure. There are two identified variations of the primary layer which can be at present in use – a model that makes use of TEA (Tiny Encryption Algorithm) to decrypt the second layer and a model that makes use of a linear congruential generator (LCG) from Microsoft Visible/Fast/C++ to decrypt the second layer. The second layer is shellcode that performs defensive methods, then decrypts and launches the third layer. Lastly, the third layer is extra shellcode that additionally performs some anti-investigation methods, and its job is to launch the payload. There are two identified variations of the third layer: one model performs course of hollowing, whereas the opposite makes use of a reflective loader and overwrites its personal picture with the PE of the ultimate payload.

Determine 5. Structure of AceCryptor

Layer 1

Regardless that there are two variations of Layer 1, they work very equally. Their major duties may be summarized as follows:

  1. Load encrypted Layer 2 into allotted reminiscence.
  2. Decrypt Layer 2.
  3. Name or bounce to Layer 2.

A very powerful a part of this stage is the obfuscations. All through the years, new obfuscations have been added – to the purpose the place nearly each a part of the binary is one way or the other randomized and obfuscated. This can trigger huge issues for somebody attempting to give you YARA guidelines or static detections.

Loops

The authors leverage loops for a number of obfuscations. The primary and most easy approach is to make use of loops with junk code simply to make evaluation harder. We’ve got seen utilization of junk code since 2016 after we registered the primary samples of AceCryptor. These loops are stuffed with many API calls that not solely decelerate analysts who don’t know what is going on, but additionally overwhelm the logs of sandboxes that hook API calls, thereby making them ineffective. The loops might comprise many MOV directions and math operations, once more simply to confuse analysts and thereby lengthen the time of research.

Determine 6. AceCryptor’s obfuscations with loops and hiding necessary elements of code

The second utilization of loops is to achieve delay. We’ve got noticed that some variations of AceCryptor launch Layer 2 nearly instantly, however others comprise loops which can be so time demanding that it could actually decelerate the execution even for tens of minutes: delaying the execution of some elements of malware is a identified approach, however utilization of API calls like Sleep might already increase some flags. Even when not, some sandboxes like Cuckoo Sandbox implement sleep-skipping strategies to keep away from the delay and proceed to the fascinating elements. Implementing delays through loops and execution of junk code can also be a complication throughout dynamic evaluation, as a result of the analyst has to determine which loops are junk loops and thus may be skipped.

A 3rd obfuscation approach utilizing loops consists of hiding necessary operations in them. Among the many junk loops, there are some that look forward to a sure iteration and simply throughout that iteration one thing occurs. Normally, an API is loaded utilizing GetProcAddress, which is later used or some fixed just like the offset of the encrypted information is unmasked. If that specific iteration of a loop doesn’t occur, the pattern will later crash. This, together with junk code, implies that to dynamically analyze the malware, one first has to investigate which loops or iterations of loops may be skipped, and which can not. Because of this the analyst can both spend time analyzing junk code or ready till all of the junk code is executed. In Determine 6 you may see two loops the place the primary accommodates an operation necessary for subsequent execution, and the opposite is simply stuffed with junk code. After all, this will not be (and it isn’t within the majority of the samples) that simply seen amongst all of the loops, particularly if the loops with the necessary operations additionally comprise junk code.

Randomization – Thou shalt not YARA

One other necessary a part of the primary layer is randomization. Junk code and the loops talked about beforehand are randomized in every pattern, in such a means that:

  • the variety of iterations modifications,
  • API calls change,
  • the variety of API calls change, and
  • junk arithmetic or MOV directions change.

All this randomization may also fairly complicate identification of the decryption algorithm and keys. In Determine 7 and Determine 8 you may see the unique, unobfuscated and the obfuscated model of the TEA algorithm. Within the obfuscated model there should not solely junk arithmetic directions, but additionally some elements of the algorithm are outlined into subroutines and identified constants (sum and delta in Determine 7) are masked, simply to make right identification of the algorithm unlikely or actually harder.

Determine 7. TEA decryption perform – not obfuscated

Determine 8. TEA decryption perform – obfuscated

Code just isn’t the one factor that’s randomized. The encrypted Layer 2 and its decryption key are at present often saved within the .textual content or .information part, however they’re hidden utilizing some offsets that change between the samples. Additionally, after efficiently decrypting Layer 2: in some samples the code of Layer 2 is at first of the decrypted information, however there are samples the place you find yourself with a block of random information at first and it’s worthwhile to know the right offset to seek out the start of Layer 2’s code.

AceCryptor authors additionally randomize the next traits:

  • The PDB path at all times begins with C:, however the remainder of the trail is random.
  • Sources with random names and content material, as may be seen in Determine 9. The authors of AceCryptor fill samples with randomly generated assets containing randomly generated information. We assume that that is performed to make samples much less suspicious and make finding the precise encrypted information harder. Sources can comprise:
    • String tables
    • Menus
    • Bitmaps
    • Binary information
  • Strings used within the code.
  • Icons – although icons which can be utilized in many samples look comparable, they’re simply barely modified/randomized to be distinctive.
  • Random dummy part names.
  • Reminiscence allocation capabilities for Layer 2 information – GlobalAlloc, LocalAlloc, and VirtualAlloc.
  • Utilization of some APIs necessary to code execution – they could be statically imported or obtained through GetModuleHandleA and GetProcAddress.

Determine 9. AceCryptor’s assets are randomly generated with randomly generated contents to make samples much less suspicious

Determine 10. AceCryptor’s random strings in assets

Earlier variations

Over time, the authors of AceCryptor obtained more adept at growing malware and the cryptor modified and developed. Regardless that there have been many smaller modifications, updates, and enhancements, a number of the fascinating options of the older variations of Layer 1 included the next:

  • Throughout 2016 AceCryptor used a model of Layer 1 with XTEA encryption algorithm.
  • Throughout 2017–2018 AceCryptor used another Layer 1 model, the place the encryption algorithm used was RC4.
  • The primary (X)TEA and LCG variations of Layer 1 appeared in 2016. In contrast to the LCG model, the XTEA model rapidly fell into disuse and was changed with the TEA model.
  • In older variations, the encrypted Layer 2 was within the assets hidden in a BMP picture. This picture was randomly generated with random width and top, and the center of the picture was minimize out and changed with encrypted information. Knowledge needed to be discovered on the right offset.

Layer 2

Layer 2 of AceCryptor appeared in 2019. Till then, AceCryptor launched Layer 3 straight from Layer 1. This layer serves as extra encryption and safety of Layer 3 and, as Determine 11 illustrates, consists of three elements:

  • position-independent code,
  • a customized construction that we named L2_INFO_STRUCT, containing details about Layer 3, and
  • the information of Layer 3

Determine 11. AceCryptor’s Layer 2 construction

As step one, AceCryptor makes use of a standard approach to acquire some API perform addresses. It resolves the GetProcAddress and LoadLibraryA capabilities by utilizing the PEB_LDR_DATA to traverse by way of loaded modules, and by evaluating the hash values of their export names in opposition to hardcoded values. As a checksum perform, AceCryptor makes use of a shl1_add perform, already applied in hashDb, which may make identification of resolved APIs quicker.

Determine 12. shl1_add hash implemented in Python

Then AceCryptor obtains a deal with for kernel32.dll utilizing LoadLibraryA and makes use of that and GetProcAddress to resolve extra APIs.

For the subsequent steps, AceCryptor makes use of data from its customized construction L2_INFO_STRUCT (proven in Determine 13), which may be discovered proper on the finish of the position-independent code, as may be seen in Determine 11.

Determine 13. Overview of the L2_INFO_STRUCT from Layer 2

Within the subsequent steps, AceCryptor decrypts Layer 3, which is encrypted utilizing LCG from Microsoft Visible/QuickC/C++. Decryption occurs in place. If the compressionFlag is ready, AceCryptor allocates reminiscence with the VirtualAlloc API and decompresses the decrypted information with the LZO_1Z decompression algorithm. After this, execution jumps into the decrypted and optionally decompressed Layer 3.

Layer 3 – Course of hollowing

As step one, AceCryptor obtains the addresses of LoadLibraryA and GetProcAddress APIs the identical means as in ` 2 – traverse loaded modules, traverse exports, and use shl1_add checksums. Then AceCryptor obtains a number of API perform addresses and DLL handles.

Determine 14. Construction of AceCryptor’s Layer 3 – course of hollowing

Within the subsequent step, AceCryptor makes use of the API GetFileAttributesA and checks for file system attributes of a file known as apfHQ. Attributes are in comparison with a non-existing combination of flags 0x637ADF and if they’re equal, this system will find yourself in an infinite loop. As a result of that is used within the final layer, which is already nicely hidden, and since this isn’t the one trick right here, we assume that this isn’t one other obfuscation approach, however relatively an undocumented anti-sandbox/anti-emulator trick in opposition to an unknown however particular sandbox/emulator that returns this worth.

If this system continues efficiently, there’s yet one more anti-sandbox/anti-emulator verify. Now AceCryptor makes use of the API RegisterClassExA to register a category with the category title saodkfnosa9uin. Then it tries to create a window with the title mfoaskdfnoa utilizing the CreateWindowExA API. Within the final step of this verify, AceCryptor tries to make use of the APIs PostMessageA and GetMessageA to move a message. As a result of these APIs should not used that continuously, this verify helps to dodge sandboxes/emulators that haven’t applied these APIs or the place the emulated APIs don’t perform correctly.

Determine 15. Anti-VM/anti-emulator trick

After passing these checks efficiently, AceCryptor makes use of the process hollowing technique the place it creates a brand new occasion of the present course of (GetCommandLineA, CreateProcessA), maps the ultimate payload into the newly created course of, and launches it.

Earlier variations

Anti-investigation trick utilizing RegisterClassExA, CreateWindowExA, PostMessageA, GetMessageA was in earlier variations (e.g., SHA-1: 01906C1B73ECFFD72F98E729D8EDEDD8A716B7E3) seen used at Layer 1 and later (when it was examined out and the structure of the cryptor developed) it was moved to Layer 3.

Layer 3 – Reflective loader

The primary stephis layer, just like Layer 2 and Layer 3 – Course of hollowing, obtains addresses of the GetProcAddress and LoadLibraryA API capabilities. The distinction is that this time, for some purpose, the authors didn’t use the shl1_add checksum perform, however they get hold of first the GetProcAddress through traversing loaded modules, traversing exports, and evaluating strings. Then utilizing GetProcAddress they get hold of the LoadLibraryA perform. Utilizing these two APIs, AceCryptor hundreds addresses of some extra API capabilities and a deal with to kernel32.dll.

Determine 16. Construction of the Layer 3 reflective loader

Within the code, there’s a trick (proven in Determine 17) the place AceCryptor mixes code with information. AceCryptor controls a worth that’s on return handle after one name. This worth is by default set to zero and later AceCryptor writes there an handle of the entry level of the ultimate payload. If this system will get patched and the worth is ready to a non-zero worth, this system will bounce to the handle pointed to by that worth and crash.

Determine 17. Mixing code with information

Within the subsequent step, AceCryptor performs a identified anti-VM check aimed in opposition to Cuckoo sandbox, IDA Professional+Bochs, and Norman SandBox. In Determine 19 may be seen that flag SEM_NOALIGNMENTFAULTEXCEPT with the worth 0x04 at all times will get set by the Cuckoo sandbox, and due to that, the second name of SetErrorMode within the code from Determine 18 received’t return the identical worth because the one which was set by the earlier name.

Determine 18. Anti-VM trick

Determine 19. code from Cuckoo Sandbox

Within the final steps, AceCryptor first checks if the ultimate payload has been compressed (once more) and if that’s the case, it makes use of LZO_1Z decompression. Just like Layer 2, the Layer 3 reflective loader makes use of a customized construction, which we named ENCRYPTED_DATA_INFO_STRUCT (Determine 16), that may be discovered proper between the position-independent code and ultimate payload, containing data like compression flag, variety of sections of payload, (de)compressed measurement of payload, entry level handle, addresses of some directories, picture relocation desk handle, and so forth. AceCryptor makes use of this data (in contrast to Layer 3 – Course of hollowing, which parses the PE of the ultimate payload) to do a reflective code loading approach the place it remaps (map sections, rebase picture, …) its personal picture with the picture of the ultimate payload and launches the payload by calling its entry level.

Conclusion

AceCryptor is a long-lasting and prevalent cryptor-malware, distributed all all over the world. We count on that it’s offered someplace on darkish internet/underground boards as a CaaS. Providers of this malware have been utilized by tens of various malware households and plenty of of them depend on this cryptor as their major safety in opposition to static detections.

For the reason that malware is utilized by many risk actors, anybody may be affected. Due to the variety of packed malware, it’s tough to estimate how extreme the results are for a compromised sufferer. AceCryptor might have been dropped by different malware, already working on a sufferer’s machine, or if sufferer obtained straight troubled by, for instance, opening a malicious e-mail attachment, any malware inside may need downloaded extra malware; thus it might be very tough to wash the compromised machine.

Regardless that for now an attribution of AceCryptor to a selected risk actor just isn’t potential and we count on that AceCryptor will proceed to be broadly used, nearer monitoring will assist with prevention and discovery of recent campaigns of malware households full of this cryptor.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at [email protected].

ESET Analysis provides non-public APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IOCs

Information

Observe: Listed recordsdata are an inexpensive choice of samples all through time, overlaying completely different variations of AceCryptor or packing completely different malware.

SHA-1 Filename ESET detection title Description
0BE8F44F5351A6CBEF1A54A6DE7674E1219D65B6 N/A Win32/Kryptik.HPKJ TEA model of Layer 1, with SmokeLoader packed inside.
0BE56A8C0D0DE11E0E97B563CAE6D1EE164F3317 N/A Win32/Kryptik.GOFF LCG model of Layer 1, with SmokeLoader packed inside, anti-investigation trick on Layer 2.
1E3D4230655411CB5F7C6885D7F947072B8F9F0F N/A Win32/Emotet.AW RC4 model of Layer 1, with Emotet packed inside.
2FDD49A3F7D06FFFD32B40D35ABD69DEC851EB77 N/A Win32/Smokeloader.F TEA model of Layer 1, with SmokeLoader packed inside.
3AC205BE62806A90072524C193B731A1423D5DFD N/A Win32/Kryptik.GPCG TEA model of Layer 1, with SmokeLoader packed inside.
6ABF731B90C11FFBD3406AA6B89261CC9596FEFD N/A Win32/Kryptik.HRHP TEA model of Layer 1, with RedLine stealer packed inside.
8E99A5EC8C173033941F5E00A3FC38B7DEA9DCB3 N/A Win32/Kryptik.FKYH TEA model of Layer 1, with Filecoder.Q packed inside, subsequent layer in BMP picture.
15ADFFDA49C07946D4BD41AB44846EB673C22B2B N/A WinGo/RanumBot.B TEA model of Layer 1, with RanumBot packed inside, obfuscation – random PDB path.
47DB52AB94B9A303E85ED1AA1DD949605157417E N/A Win32/Smokeloader.A TEA model of Layer 1, with SmokeLoader packed inside, anti-emulator trick on Layer 1.
70BC8C2DC62CF894E765950DE60EC5BD2128D55B N/A Win32/Smokeloader.F TEA model of Layer 1, with SmokeLoader packed inside.
88B125DDA928462FDB00C459131B232A3CD21887 N/A Win32/Kryptik.GDTA TEA model of Layer 1, with Hermes packed inside, obfuscation – masking values.
90A443787B464877AD9EB57536F51556B5BA8117 N/A Win32/Kovter.C XTEA model of Layer 1, with Kovter packed inside.
249BED77C1349BE7EC1FC182AFCCB1234ADFACDF N/A Win32/Smokeloader.F TEA model of Layer 1, with SmokeLoader packed inside.
3101B17D73031384F555AE3ACD7139BBBAB3F525 N/A Win32/TrojanDownloader.Amadey.A TEA model of Layer 1, with Amadey packed inside.
8946E40255B57E95BAB041687A2F0F0E15F5FFCE N/A Win32/Kryptik.GKIN LCG model of Layer 1, with GandCrab packed inside, obfuscation – named sections.
946082F225C76F2FFBE92235F0FAF9FB9E33B784 N/A Win32/Filecoder.Locky.C LCG model of Layer 1, with Locky packed inside.
A8ACF307EA747B24D7C405DEEF70B50B2B3F2186 N/A MSIL/Spy.RedLine.B LCG model of Layer 1, with RedLine Stealer packed inside.
F8039D04FF310CEF9CA47AC03025BD38A3587D10 N/A Win32/Smokeloader.F TEA model of Layer 1, with SmokeLoader packed inside.

Named objects

Object Kind Object title
Class saodkfnosa9uin
Window mfoaskdfnoa

MITRE ATT&CK strategies

This desk was constructed utilizing version 12 of the MITRE ATT&CK enterprise strategies.

Tactic ID Identify Description
Execution T1106 Native API AceCryptor is ready to launch a course of utilizing the CreateProcessA API.
Protection Evasion T1497.003 Virtualization/Sandbox Evasion: Time Based mostly Evasion AceCryptor makes use of loops with arbitrary code to delay the execution of core performance.
T1497.001 Virtualization/Sandbox Evasion: System Checks AceCryptor makes use of a number of strategies to detect sandboxes and emulators.
T1140 Deobfuscate/Decode Information or Data AceCryptor makes use of TEA, LCG, XTEA, or RC4 encryption and LZO_1Z compression to extract position-independent code and payloads.
T1027 Obfuscated Information or Data AceCryptor masks values like size of payload, identified constants of decryption algorithms, or decryption key.
T1055.012 Course of Injection: Course of Hollowing AceCryptor can create a brand new course of in a suspended state to unmap its reminiscence and change it with the hidden payload.
T1620 Reflective Code Loading AceCryptor can use a reflective loader to rewrite its picture and change it with a hidden payload (Home windows PE).