AttackCrypt, an open-source “crypter,” was recently used by cybercriminals to hide malware binaries and avoid antivirus detection.
A crypter is a kind of software that can encrypt, obfuscate, and alter malicious code to make detection by security tools more difficult.
“AttackCrypt is an open source “crypter” project that can be used to “protect” binaries and “prevent” detection by AV,” OALABS Research.
Additionally, it enables various features that may be added to existing malware to strengthen its harmful capabilities, including process injection, persistence mechanisms, scheduled tasks, startup programs, file obfuscation, .Net, and native injection methods etc.
Working of AttackCrypt
Researchers say this crypter is now in use in the wild and was recently used to “protect” VenomRAT.
According to the profile on GitHub, the profile behind this program looks to be Russian and has received 259 contributions and 284 followers since last year.
Based on its page’s description, the tool may “Evade Antivirus with Different Techniques,” and it is explicitly stated not to upload this tool to VirusTotal to maximize its lifetime.
The Attacker-Crypter is delivered in an RAR archive and includes other files necessary for its operation, such as a DLL and configuration files. These DLL and configuration files are essential components of the utility and help the main module (Attacker-Crypter) function properly.
The main module (Attacker-Crypter) is a 32-bit unsigned Windows executable with a GUI. Instead of requiring elevated or administrative access, it can function with the current user’s normal security settings.
The retrieved codes from the Attacker-Crypter tool support some of the functions claimed by the developer and the features that it can add to the existing malware, such as detection of the WoW64 environment, debugger detection, process termination, writing process memory and mapping and un-mapping of the sections, network communication, use of HTTP protocol, self-deletion of files after execution, etc.
- Malware encryption.
- AMSI (Windows Antimalware Scan Interface) bypass.
- Process injection into an existing process utilizing RunPE and.NET assembly loading.
- 32-bit and 64-bit process injection.
- Cloning a trustworthy process and adding it to the malware.
- Examining the analysis environment, including virtualization software and debuggers.
- After process injection, the executable should remove itself using the melt function.
- Increasing the infected file’s size and making it stand out from the original malware requires adding bytes.
- File obfuscation.
- Run a PowerShell command once a malware file has finished running.
- Notify the tool’s user if encrypted malware is run using the socket server configuration or Telegram chatbot.
This tool’s threat actor has a sizable internet presence, with adequate followers and contributions. This finding highlights the continued necessity for strong security measures to thwart threat actors’ shifting strategies in the digital sphere.
Source: https://cybersecuritynews.com/attackcrypt-payload-encrypter/
