Shedding light on AceCryptor and its operation

ESET researchers reveal details about a prevalent cryptor, operating as a cryptor-as-a-service used by tens of malware families

In this blogpost we examine the operation of AceCryptor, originally documented by Avast. This cryptor has been around since 2016 and, since it has been used throughout its existence to pack tens of malware families, many technical parts of this malware have already been described. You may have already read about this cryptor, which is variously known as the DJVU obfuscation, SmokeLoader's stage 1, RedLine stealer's stage 1, 2 and 3, a simple and popular packer, and so on. Many (but not all) of the published blogposts don't even acknowledge this cryptor as a separate malware family, so let us connect all the dots for you, providing not only a technical analysis of its variants but also an overview of the malware families that can be found packed by it and how prevalent AceCryptor is in the wild.

For malware authors, protecting their creations against detection is a challenging task. Cryptors are the first layer of defense for malware that gets distributed. Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors it often may be a time-consuming or technically difficult task to maintain their cryptor in a so-called FUD (fully undetectable) state. Demand for such protection has created multiple cryptor-as-a-service (CaaS) options that pack malware. These cryptors can include multiple anti-VM, anti-debugging, and anti-analysis techniques combined to achieve concealment of the payload.

Key points of this blogpost:

  • AceCryptor provides packing services to tens of very well-known malware families.
  • Samples of AceCryptor are very prevalent around the world because multiple threat actors using it actively spread their packed malware in their own campaigns.
  • AceCryptor is heavily obfuscated and throughout the years has incorporated many techniques to avoid detection.
  • AceCryptor has multiple variants that are described in this blogpost.
  • Although it is possible to find technical analyses (mostly where this cryptor appears as a part/stage of other malware) done by other researchers, ESET Research aims to provide not only a comprehensive overview of AceCryptor's functionality, but also its history and spread.
  • During 2021 and 2022, ESET protected more than 80,000 customers who were affected by malware packed by AceCryptor.

Statistics and packed families overview

Since the first known appearances of AceCryptor back in 2016, many malware authors have used the services of this cryptor, even the best-known crimeware like Emotet, back when it didn't use its own cryptor. During 2021–2022 ESET detected more than 80,000 unique samples of AceCryptor. Because of the high number of different malware families packed inside, we assume that AceCryptor is sold somewhere as a CaaS. If we take into account the number of unique files detected: although we don't know the exact pricing of this service, we assume that the gains to the AceCryptor authors aren't negligible.

Because of the high number of samples over past years, the following stats are based only on samples detected during 2021 and 2022. As can be seen in Figure 1, detection hits were distributed fairly evenly throughout these two years, which is to be expected from malware used by multiple threat actors who don't synchronize their campaigns.

Figure 1. Number of AceCryptor detections during the years 2021 and 2022 (7-day moving average)

After looking at the malware packed by AceCryptor, we found over 200 ESET detection names. Now, of course one malware family may have several detection names across the individual variants, because of updates or changes in obfuscation; e.g., MSIL/Spy.RedLine.A and MSIL/Spy.RedLine.B are both detections for the RedLine Stealer malware. Detection names for other malware are not by family, but by class (e.g., ClipBanker or Agent), because many unpacked malware samples are generic clipboard stealers, trojans, etc. that aren't that widespread and/or are just slightly modified variants of other known malware published in various public repositories. After grouping, we can conclude that after unpacking, among the malware families found are SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, STOP ransomware, Amadey, Fareit, Pitou, Tofsee, Taurus, Phobos, Formbook, Danabot, Warzone, and many more. Figure 2 shows an overview of the quantities of samples belonging to some of the well-known and prevalent malware families packed by AceCryptor.

Figure 2. Malware families packed inside AceCryptor during 2021 and 2022

Monitoring the activities of CaaS providers such as AceCryptor is useful for monitoring the malware that uses their services. For example, consider RedLine Stealer, which was first seen in Q1 2022. As can be seen in Figure 3, RedLine Stealer distributors used AceCryptor since the beginning of RedLine Stealer's existence and still continue to do so. Thus, being able to reliably detect AceCryptor (and other CaaS) not only helps us with visibility of new emerging threats, but also with monitoring the activities of threat actors.

Figure 3. Incidents of RedLine Stealer in AceCryptor samples (7-day averages)

Victimology

As should be expected from the number of malware families packed inside AceCryptor and the range of interests of different malware authors, AceCryptor is seen everywhere in the world. During 2021 and 2022, ESET telemetry recorded over 240,000 detection hits of this malware, which amounts to over 10,000 hits each month. In Figure 4 you can see the countries with the highest numbers of detections during 2021 and 2022.

Figure 4. Heatmap of countries affected by AceCryptor according to ESET telemetry

During 2021 and 2022, ESET products detected and blocked malware variants packed by AceCryptor on more than 80,000 customers' computers. We also found over 80,000 unique samples of AceCryptor. Now, of course any sample could be detected on multiple computers, or one computer could be protected multiple times by ESET software, but the number of unique hashes simply shows how actively the authors of AceCryptor work on its obfuscation and detection evasion. We'll dive deeper into the technical details of AceCryptor's obfuscations in the Technical analysis part of this blogpost.

What's worth mentioning here is that although the number of unique samples of AceCryptor is very high, the number of unique samples packed inside is fewer than 7,000. This shows the degree to which many malware authors rely on the services of a cryptor and how convenient it is for them to pay for this kind of service rather than invest their time and resources to implement their own cryptor solution.

Distribution

Because AceCryptor is used by multiple threat actors, malware packed by it is also distributed in multiple different ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly via trojanized installers of pirated software, or spam emails containing malicious attachments.

Another way that someone may be exposed to AceCryptor-packed malware is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.

We'd like to note that this works both ways and some of the malware families protected by AceCryptor can also download new, additional malware.

Technical analysis

Currently AceCryptor uses a multistage, three-layer architecture. There are two known versions of the first layer that are currently in use: a version that uses TEA (Tiny Encryption Algorithm) to decrypt the second layer and a version that uses a linear congruential generator (LCG) from Microsoft Visual/QuickC/C++ to decrypt the second layer. The second layer is shellcode that performs defensive tricks, then decrypts and launches the third layer. Finally, the third layer is more shellcode that also performs some anti-analysis tricks, and its task is to launch the payload. There are two known versions of the third layer: one version performs process hollowing, while the other uses a reflective loader and overwrites its own image with the PE of the final payload.

Figure 5. Architecture of AceCryptor

Layer 1

Even though there are two versions of Layer 1, they work very similarly. Their main tasks can be summarized as follows:

  1. Load encrypted Layer 2 into allocated memory.
  2. Decrypt Layer 2.
  3. Call or jump to Layer 2.

An important part of this stage is the obfuscations. Throughout the years, new obfuscations have been added, to the point where almost every part of the binary is somehow randomized and obfuscated. This causes big problems for someone trying to come up with YARA rules or static detections.

Loops

The authors leverage loops for multiple obfuscations. The first and most simple technique is to use loops with junk code just to make analysis harder. We've seen usage of junk code since 2016, when we registered the first samples of AceCryptor. These loops are filled with many API calls that not only slow down analysts who don't know what is happening, but also overwhelm the logs of sandboxes that hook API calls, thereby making them ineffective. The loops may contain many MOV instructions and math operations, again just to confuse analysts and thereby lengthen the time of analysis.

Figure 6. AceCryptor's obfuscations with loops and hiding important parts of code

The second usage of loops is to achieve delay. We have observed that some versions of AceCryptor launch Layer 2 almost immediately, but others contain loops that are so time demanding that they can slow down the execution even for tens of minutes. Delaying the execution of some parts of malware is a known technique, but usage of API calls like Sleep may already raise some flags. Even if not, some sandboxes like Cuckoo Sandbox implement sleep-skipping techniques to avoid the delay and proceed to the interesting parts. Implementing delays via loops and execution of junk code is also a complication during dynamic analysis, because the analyst has to figure out which loops are junk loops and thus can be skipped.

A third obfuscation technique using loops consists of hiding important operations in them. Among the junk loops, there are some that wait for a certain iteration and only during that iteration something happens. Usually, an API is loaded using GetProcAddress, which is later used, or some constant like the offset of the encrypted data is unmasked. If that particular iteration of a loop doesn't happen, the sample will later crash. This, in combination with junk code, means that to dynamically analyze the malware, one first has to analyze which loops or iterations of loops can be skipped, and which can't. That means the analyst can either spend time analyzing junk code or wait until all the junk code is executed. In Figure 6 you can see two loops where the first contains an operation important for subsequent execution, and the other is just filled with junk code. Of course, this may not be (and it isn't in the majority of the samples) that easily visible among all the loops, especially if the loops with the important operations also contain junk code.

Randomization – Thou shalt not YARA

Another important part of the first layer is randomization. Junk code and the loops mentioned previously are randomized in every sample, in such a way that:

  • the number of iterations changes,
  • API calls change,
  • the number of API calls changes, and
  • junk arithmetic or MOV instructions change.

All this randomization can also considerably complicate identification of the decryption algorithm and keys. In Figure 7 and Figure 8 you can see the original, unobfuscated and the obfuscated version of the TEA algorithm. In the obfuscated version there are not only junk arithmetic instructions, but also some parts of the algorithm are outlined into subroutines and known constants (sum and delta in Figure 7) are masked, just to make correct identification of the algorithm unlikely or definitely harder.

Figure 7. TEA decryption function – not obfuscated

Figure 8. TEA decryption function – obfuscated

Code is not the only thing that is randomized. The encrypted Layer 2 and its decryption key are currently usually stored in the .text or .data section, but they are hidden using some offsets that change between the samples. Also, after successfully decrypting Layer 2: in some samples the code of Layer 2 is at the beginning of the decrypted data, but there are samples where you end up with a block of random data at the beginning and you need to know the correct offset to find the start of Layer 2's code.
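As an added example (not code from the original post and not AceCryptor's own code), the following Python implements the unobfuscated TEA decryption routine with the two known constants, delta and sum, that Figure 7 refers to and that the obfuscated variant masks, plus a helper that searches for the sample-specific offset at which the encrypted block starts. The little-endian word order, 32 rounds and unchained block handling are assumptions; the key and data are constructed.

```python
import struct

# The two "known constants" of TEA that AceCryptor masks in its obfuscated Layer 1:
# delta is the golden-ratio constant, sum is delta * 32, the value decryption starts from.
TEA_DELTA = 0x9E3779B9
TEA_ROUNDS = 32
TEA_SUM = (TEA_DELTA * TEA_ROUNDS) & 0xFFFFFFFF  # 0xC6EF3720
MASK32 = 0xFFFFFFFF


def tea_decrypt_block(v0, v1, key):
    """Reference TEA decryption of one 64-bit block; key is four 32-bit words."""
    k0, k1, k2, k3 = key
    s = TEA_SUM
    for _ in range(TEA_ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - TEA_DELTA) & MASK32
    return v0, v1


def tea_encrypt_block(v0, v1, key):
    """Inverse of tea_decrypt_block; only needed here to build constructed test data."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(TEA_ROUNDS):
        s = (s + TEA_DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_buffer(blob, key_bytes, offset=0):
    """Decrypt consecutive 8-byte blocks starting at `offset` (assumed little-endian
    words, no chaining). A trailing partial block cannot be decrypted and is dropped."""
    key = struct.unpack("<4I", key_bytes)
    body = blob[offset:]
    body = body[: len(body) - len(body) % 8]
    out = bytearray()
    for i in range(0, len(body), 8):
        v0, v1 = struct.unpack("<2I", body[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, key))
    return bytes(out)


def tea_encrypt_buffer(plain, key_bytes):
    """Zero-pad to a multiple of 8 and encrypt block by block (test-data helper)."""
    key = struct.unpack("<4I", key_bytes)
    plain = plain + b"\x00" * (-len(plain) % 8)
    out = bytearray()
    for i in range(0, len(plain), 8):
        v0, v1 = struct.unpack("<2I", plain[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, key))
    return bytes(out)


def find_layer2_offset(blob, key_bytes, expected_prefix, max_offset=64):
    """Brute-force the unknown start offset of the encrypted block.

    Layer 1 hides the data at a sample-specific offset; try each offset and keep
    the first whose decryption starts with a known prefix (in real analysis that
    would be the known first bytes of the Layer 2 stub). Returns None if no offset fits."""
    for off in range(max_offset):
        if tea_decrypt_buffer(blob, key_bytes, off).startswith(expected_prefix):
            return off
    return None


# Constructed sample: a 16-byte key, a Layer 2 stand-in, and 13 bytes of junk in front of it.
SAMPLE_KEY = bytes(range(16))
SAMPLE_LAYER2 = b"LAYER2-STANDIN: constructed data"
SAMPLE_BLOB = b"\xAA" * 13 + tea_encrypt_buffer(SAMPLE_LAYER2, SAMPLE_KEY)
```

Recovering the masked delta and sum from a sample (by resolving the arithmetic that unmasks them) is what lets an analyst confirm the routine is plain TEA before reusing a reference implementation like this one.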

AceCryptor authors also randomize the following characteristics:

  • The PDB path always starts with C:, but the rest of the path is random.
  • Resources with random names and content, as can be seen in Figure 9. The authors of AceCryptor fill samples with randomly generated resources containing randomly generated data. We assume that this is done to make samples less suspicious and make locating the actual encrypted data harder. Resources can include:
    • String tables
    • Menus
    • Bitmaps
    • Binary data
  • Strings used in the code.
  • Icons – even though icons that are used in many samples look similar, they are just slightly modified/randomized to be unique.
  • Random dummy section names.
  • Memory allocation functions for Layer 2 data – GlobalAlloc, LocalAlloc, and VirtualAlloc.
  • Usage of some APIs important to code execution – they may be statically imported or obtained via GetModuleHandleA and GetProcAddress.

Figure 9. AceCryptor's resources are randomly generated with randomly generated contents to make samples less suspicious

Figure 10. AceCryptor's random strings in resources

Older versions

Over the years, the authors of AceCryptor became more adept at creating malware and the cryptor changed and evolved. Even though there were many smaller changes, updates, and improvements, some of the interesting features of the older versions of Layer 1 included the following:

  • During 2016 AceCryptor used a version of Layer 1 with the XTEA encryption algorithm.
  • During 2017–2018 AceCryptor used yet another Layer 1 version, where the encryption algorithm used was RC4.
  • The first (X)TEA and LCG versions of Layer 1 appeared in 2016. Unlike the LCG version, the XTEA version quickly fell into disuse and was replaced with the TEA version.
  • In older versions, the encrypted Layer 2 was in the resources, hidden in a BMP image. This image was randomly generated with random width and height, and the middle of the image was cut out and replaced with encrypted data. The data had to be found at the correct offset.

Layer 2

Layer 2 of AceCryptor appeared in 2019. Until then, AceCryptor launched Layer 3 directly from Layer 1. This layer serves as additional encryption and protection of Layer 3 and, as Figure 11 illustrates, consists of three parts:

  • position-independent code,
  • a custom structure that we named L2_INFO_STRUCT, containing information about Layer 3, and
  • the data of Layer 3.

Figure 11. AceCryptor's Layer 2 structure

As the first step, AceCryptor uses a standard technique to obtain some API function addresses. It resolves the GetProcAddress and LoadLibraryA functions by using the PEB_LDR_DATA to traverse the loaded modules, and by comparing the hash values of their export names against hardcoded values. As a checksum function, AceCryptor uses a shl1_add function, already implemented in hashDb, which can make identification of the resolved APIs faster.

Figure 12. shl1_add hash implemented in Python

Then AceCryptor obtains a handle for kernel32.dll using LoadLibraryA and uses that and GetProcAddress to resolve more APIs.
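As an added example (not Figure 12's code and not hashDb's), the following Python shows how an analyst uses such a checksum in practice: compute shl1_add over the export names of a module (here a constructed list standing in for a real export table) and map the hardcoded constants found in Layer 2 back to API names. Reading shl1_add as "shift the accumulator left by one, add the byte, keep 32 bits" is my assumption from the name.

```python
MASK32 = 0xFFFFFFFF


def shl1_add(name):
    """32-bit 'shift left one, add byte' checksum over an export name.

    Assumed definition: acc = (acc << 1) + byte, truncated to 32 bits after each step."""
    if isinstance(name, str):
        name = name.encode("ascii")
    h = 0
    for b in name:
        h = ((h << 1) + b) & MASK32
    return h


# Constructed stand-in for an export table. A real resolver walks PEB_LDR_DATA to each
# loaded module and reads the names from that module's export directory.
KERNEL32_EXPORTS_SAMPLE = [
    "LoadLibraryA", "GetProcAddress", "GetModuleHandleA", "VirtualAlloc",
    "GlobalAlloc", "LocalAlloc", "CreateProcessA", "GetCommandLineA",
    "GetFileAttributesA", "SetErrorMode",
]


def build_hash_table(export_names):
    """Precompute hash -> [names] for every export, keeping any collisions visible."""
    table = {}
    for name in export_names:
        table.setdefault(shl1_add(name), []).append(name)
    return table


def resolve_hashes(hardcoded_hashes, table):
    """Map constants recovered from the shellcode back to API names (None if unknown).

    This is the analyst's side of the malware's own lookup: the shellcode walks
    exports until a name hashes to its constant; we do the reverse in one pass."""
    return {h: table.get(h) for h in hardcoded_hashes}


def find_collisions(names):
    """shl1_add is linear in the input bytes, so distinct names can collide;
    report any names in `names` that hash identically."""
    return {h: n for h, n in build_hash_table(names).items() if len(n) > 1}
```

Because the checksum is so weak, a hit in the table should be confirmed against the surrounding code (e.g. the argument count at the call site) before labelling the resolved pointer.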

For the next steps, AceCryptor uses information from its custom structure L2_INFO_STRUCT (shown in Figure 13), which can be found right at the end of the position-independent code, as can be seen in Figure 11.

Figure 13. Overview of the L2_INFO_STRUCT from Layer 2

In the next steps, AceCryptor decrypts Layer 3, which is encrypted using the LCG from Microsoft Visual/QuickC/C++. Decryption happens in place. If the compressionFlag is set, AceCryptor allocates memory with the VirtualAlloc API and decompresses the decrypted data with the LZO_1Z decompression algorithm. After this, execution jumps into the decrypted and optionally decompressed Layer 3.
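As an added example (not the post's code and not AceCryptor's), here is the Microsoft CRT rand() generator that the text identifies as the Layer 2 decryption primitive, used as a keystream, together with a seed recovery based on a known payload prefix. The text does not state how AceCryptor seeds the generator or turns its output into key bytes; taking the low byte of each rand() value, and the seed range searched, are assumptions, and the payload is constructed.

```python
# Constants of the LCG behind rand() in the Microsoft C runtime (QuickC and Visual C++):
# state = state * 214013 + 2531011 (mod 2^32); rand() returns bits 16..30 of the new state.
MSVC_LCG_MUL = 214013
MSVC_LCG_INC = 2531011
MASK32 = 0xFFFFFFFF


class MsvcRand:
    """Reproduces srand()/rand() of the Microsoft CRT."""

    def __init__(self, seed):
        self.state = seed & MASK32

    def rand(self):
        self.state = (self.state * MSVC_LCG_MUL + MSVC_LCG_INC) & MASK32
        return (self.state >> 16) & 0x7FFF


def lcg_keystream(seed, length):
    """Assumed keystream derivation: the low byte of each rand() output, one per data byte."""
    rng = MsvcRand(seed)
    return bytes(rng.rand() & 0xFF for _ in range(length))


def lcg_xor(data, seed):
    """XOR data with the keystream; the same call encrypts and decrypts, which is why
    the cryptor can decrypt in place."""
    return bytes(a ^ b for a, b in zip(data, lcg_keystream(seed, len(data))))


def recover_seed(ciphertext, known_prefix, max_seed=1 << 16):
    """Brute-force the seed from known leading plaintext (e.g. the MZ header of a PE).

    An LCG keystream has no secret beyond its seed, so a short known prefix is enough;
    only the low part of the 32-bit seed space is searched here to keep the demo quick."""
    n = len(known_prefix)
    for seed in range(max_seed):
        if lcg_xor(ciphertext[:n], seed) == known_prefix:
            return seed
    return None


# Constructed sample: a fake payload that starts like a PE file, encrypted under seed 4242.
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed payload"
SAMPLE_SEED = 4242
SAMPLE_CIPHERTEXT = lcg_xor(SAMPLE_PLAINTEXT, SAMPLE_SEED)
```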

Layer 3 – Process hollowing

As the first step, AceCryptor obtains the addresses of the LoadLibraryA and GetProcAddress APIs the same way as in Layer 2: traverse the loaded modules, traverse their exports, and use shl1_add checksums. Then AceCryptor obtains multiple API function addresses and DLL handles.

Figure 14. Architecture of AceCryptor's Layer 3 – process hollowing

In the next step, AceCryptor uses the API GetFileAttributesA and checks the file system attributes of a file called apfHQ. The attributes are compared with a non-existent combination of flags, 0x637ADF, and if they are equal, the program ends up in an infinite loop. Because this is used in the last layer, which is already well hidden, and because this is not the only trick here, we assume that this isn't another obfuscation technique, but rather an undocumented anti-sandbox/anti-emulator trick against an unknown but particular sandbox/emulator that returns this value.

If the program continues successfully, there is one more anti-sandbox/anti-emulator check. Now AceCryptor uses the API RegisterClassExA to register a class with the class name saodkfnosa9uin. Then it tries to create a window with the name mfoaskdfnoa using the CreateWindowExA API. In the last step of this check, AceCryptor tries to use the APIs PostMessageA and GetMessageA to pass a message. Because these APIs are not used that frequently, this check helps to dodge sandboxes/emulators that have not implemented these APIs or where the emulated APIs don't work correctly.

Figure 15. Anti-VM/anti-emulator trick

After passing these checks successfully, AceCryptor uses the process hollowing technique, where it creates a new instance of the current process (GetCommandLineA, CreateProcessA), maps the final payload into the newly created process, and launches it.

Previous versions

The anti-analysis trick using RegisterClassExA, CreateWindowExA, PostMessageA and GetMessageA was seen in previous versions (e.g., SHA-1: 01906C1B73ECFFD72F98E729D8EDEDD8A716B7E3) used at Layer 1, and later (when it had been tested out and the architecture of the cryptor evolved) it was moved to Layer 3.

Layer 3 – Reflective loader

The first step of this layer, like Layer 2 and Layer 3 – Process hollowing, obtains the addresses of the GetProcAddress and LoadLibraryA API functions. The difference is that this time, for some reason, the authors didn't use the shl1_add checksum function; instead they first obtain GetProcAddress by traversing the loaded modules, traversing their exports, and comparing strings. Then, using GetProcAddress, they obtain the LoadLibraryA function. Using these two APIs, AceCryptor loads the addresses of some more API functions and a handle to kernel32.dll.

Figure 16. Architecture of the Layer 3 reflective loader

In the code, there is a trick (shown in Figure 17) where AceCryptor mixes code with data. AceCryptor checks a value that sits at the return address after one call. This value is by default set to zero and later AceCryptor writes there the address of the entry point of the final payload. If the program gets patched and the value is set to a non-zero value, the program will jump to the address pointed to by that value and crash.

Figure 17. Mixing code with data

In the next step, AceCryptor performs a known anti-VM check aimed against Cuckoo sandbox, IDA Pro+Bochs, and Norman SandBox. In Figure 19 it can be seen that the flag SEM_NOALIGNMENTFAULTEXCEPT with the value 0x04 always gets set by the Cuckoo sandbox, and because of that, the second call of SetErrorMode in the code from Figure 18 won't return the same value as the one that was set by the previous call.

Figure 18. Anti-VM trick

Figure 19. Code from Cuckoo Sandbox

In the last steps, AceCryptor first checks if the final payload has been compressed (again) and, if so, it uses LZO_1Z decompression. Like Layer 2, the Layer 3 reflective loader uses a custom structure, which we named ENCRYPTED_DATA_INFO_STRUCT (Figure 16), that can be found right between the position-independent code and the final payload, containing information like the compression flag, the number of sections of the payload, the (de)compressed size of the payload, the entry point address, the addresses of some directories, the image relocation table address, etc. AceCryptor uses this information (unlike Layer 3 – Process hollowing, which parses the PE of the final payload) to do a reflective code loading technique where it remaps (map sections, rebase image, …) its own image with the image of the final payload and launches the payload by calling its entry point.

Conclusion

AceCryptor is a long-lasting and prevalent cryptor-malware, distributed all around the world. We expect that it is sold somewhere on dark web/underground forums as a CaaS. The services of this malware have been used by tens of different malware families and many of them rely on this cryptor as their main protection against static detections.

Because the malware is used by many threat actors, anyone may be affected. Due to the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. AceCryptor may have been dropped by other malware already running on a victim's machine, or, if the victim got directly afflicted by, for example, opening a malicious email attachment, any malware inside may have downloaded additional malware; thus it may be very difficult to clean the compromised machine.

Although for now an attribution of AceCryptor to a particular threat actor is not possible and we expect that AceCryptor will continue to be widely used, closer monitoring will help with prevention and discovery of new campaigns of malware families packed with this cryptor.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IOCs

Files

Note: Listed files are a reasonable selection of samples across time, covering different versions of AceCryptor or packing different malware.

SHA-1 | Filename | ESET detection name | Description
0BE8F44F5351A6CBEF1A54A6DE7674E1219D65B6 | N/A | Win32/Kryptik.HPKJ | TEA version of Layer 1, with SmokeLoader packed inside.
0BE56A8C0D0DE11E0E97B563CAE6D1EE164F3317 | N/A | Win32/Kryptik.GOFF | LCG version of Layer 1, with SmokeLoader packed inside, anti-analysis trick on Layer 2.
1E3D4230655411CB5F7C6885D7F947072B8F9F0F | N/A | Win32/Emotet.AW | RC4 version of Layer 1, with Emotet packed inside.
2FDD49A3F7D06FFFD32B40D35ABD69DEC851EB77 | N/A | Win32/Smokeloader.F | TEA version of Layer 1, with SmokeLoader packed inside.
3AC205BE62806A90072524C193B731A1423D5DFD | N/A | Win32/Kryptik.GPCG | TEA version of Layer 1, with SmokeLoader packed inside.
6ABF731B90C11FFBD3406AA6B89261CC9596FEFD | N/A | Win32/Kryptik.HRHP | TEA version of Layer 1, with RedLine Stealer packed inside.
8E99A5EC8C173033941F5E00A3FC38B7DEA9DCB3 | N/A | Win32/Kryptik.FKYH | TEA version of Layer 1, with Filecoder.Q packed inside, next layer in BMP image.
15ADFFDA49C07946D4BD41AB44846EB673C22B2B | N/A | WinGo/RanumBot.B | TEA version of Layer 1, with RanumBot packed inside, obfuscation – random PDB path.
47DB52AB94B9A303E85ED1AA1DD949605157417E | N/A | Win32/Smokeloader.A | TEA version of Layer 1, with SmokeLoader packed inside, anti-emulator trick on Layer 1.
70BC8C2DC62CF894E765950DE60EC5BD2128D55B | N/A | Win32/Smokeloader.F | TEA version of Layer 1, with SmokeLoader packed inside.
88B125DDA928462FDB00C459131B232A3CD21887 | N/A | Win32/Kryptik.GDTA | TEA version of Layer 1, with Hermes packed inside, obfuscation – masking values.
90A443787B464877AD9EB57536F51556B5BA8117 | N/A | Win32/Kovter.C | XTEA version of Layer 1, with Kovter packed inside.
249BED77C1349BE7EC1FC182AFCCB1234ADFACDF | N/A | Win32/Smokeloader.F | TEA version of Layer 1, with SmokeLoader packed inside.
3101B17D73031384F555AE3ACD7139BBBAB3F525 | N/A | Win32/TrojanDownloader.Amadey.A | TEA version of Layer 1, with Amadey packed inside.
8946E40255B57E95BAB041687A2F0F0E15F5FFCE | N/A | Win32/Kryptik.GKIN | LCG version of Layer 1, with GandCrab packed inside, obfuscation – named sections.
946082F225C76F2FFBE92235F0FAF9FB9E33B784 | N/A | Win32/Filecoder.Locky.C | LCG version of Layer 1, with Locky packed inside.
A8ACF307EA747B24D7C405DEEF70B50B2B3F2186 | N/A | MSIL/Spy.RedLine.B | LCG version of Layer 1, with RedLine Stealer packed inside.
F8039D04FF310CEF9CA47AC03025BD38A3587D10 | N/A | Win32/Smokeloader.F | TEA version of Layer 1, with SmokeLoader packed inside.

Named objects

Object type | Object name
Class | saodkfnosa9uin
Window | mfoaskdfnoa

MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK enterprise techniques.

Tactic | ID | Name | Description
Execution | T1106 | Native API | AceCryptor is able to launch a process using the CreateProcessA API.
Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | AceCryptor uses loops with arbitrary code to delay the execution of core functionality.
Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | AceCryptor uses multiple techniques to detect sandboxes and emulators.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | AceCryptor uses TEA, LCG, XTEA, or RC4 encryption and LZO_1Z compression to extract position-independent code and payloads.
Defense Evasion | T1027 | Obfuscated Files or Information | AceCryptor masks values like the length of the payload, known constants of decryption algorithms, or the decryption key.
Defense Evasion | T1055.012 | Process Injection: Process Hollowing | AceCryptor can create a new process in a suspended state to unmap its memory and replace it with the hidden payload.
Defense Evasion | T1620 | Reflective Code Loading | AceCryptor can use a reflective loader to rewrite its image and replace it with a hidden payload (Windows PE).
