Last year ESET published a blogpost about AceCryptor – one of the most popular and prevalent cryptors-as-a-service (CaaS) operating since 2016. For H1 2023 we published statistics from our telemetry, according to which trends from previous periods continued without drastic changes.

However, in H2 2023 we registered a significant change in how AceCryptor is used. Not only have we seen and blocked over double the attacks in H2 2023 in comparison with H1 2023, but we also noticed that Rescoms (also known as Remcos) started using AceCryptor, which was not the case beforehand.

The vast majority of AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries including Poland, Slovakia, Bulgaria, and Serbia.

Key points of this blogpost:
  • AceCryptor continued to provide packing services to tens of very well-known malware families in H2 2023.
  • Even though well known by security products, AceCryptor’s prevalence is not showing indications of decline: on the contrary, the number of attacks significantly increased due to the Rescoms campaigns.
  • AceCryptor is a cryptor of choice of threat actors targeting specific countries and targets (e.g., companies in a particular country).
  • In H2 2023, ESET detected multiple AceCryptor+Rescoms campaigns in European countries, mainly Poland, Bulgaria, Spain, and Serbia.
  • The threat actor behind those campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible.
  • The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in case of a successful compromise would open possibilities for further attacks.

AceCryptor in H2 2023

In the first half of 2023 ESET protected around 13,000 users from AceCryptor-packed malware. In the second half of the year, there was a massive increase of AceCryptor-packed malware spreading in the wild, with our detections tripling, resulting in over 42,000 protected ESET users worldwide. As can be observed in Figure 1, we detected multiple sudden waves of malware spreading. These spikes show multiple spam campaigns targeted at European countries where AceCryptor packed a Rescoms RAT (discussed more in the Rescoms campaigns section).

Figure 1. Number of AceCryptor detections during the year 2023 (7-day moving average)

Furthermore, when we compare the raw number of samples: in the first half of 2023, ESET detected over 23,000 unique malicious samples of AceCryptor; in the second half of 2023, we saw and detected “only” over 17,000 unique samples. Even though this might be unexpected, after a closer look at the data there is a reasonable explanation. The Rescoms spam campaigns used the same malicious file(s) in email campaigns sent to a greater number of users, thus increasing the number of people who encountered the malware, but still keeping the number of different files low. This did not happen in previous periods as Rescoms was almost never used in combination with AceCryptor. Another reason for the decrease in the number of unique samples is that some popular families apparently stopped (or almost stopped) using AceCryptor as their go-to CaaS. One example is Danabot malware, which stopped using AceCryptor; another is the prominent RedLine Stealer, whose users stopped using AceCryptor as much, based on a greater than 60% decrease in AceCryptor samples containing that malware.

As seen in Figure 2, AceCryptor still distributes, apart from Rescoms, samples from many different malware families, such as SmokeLoader, STOP ransomware, and Vidar stealer.

Figure 2. Malware families packed inside AceCryptor in H2 2023

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye, where Peru, at 4,700, had the greatest number of attacks. Rescoms spam campaigns changed these statistics dramatically in the second half of the year. As can be seen in Figure 3, AceCryptor-packed malware affected mostly European countries. By far the most affected country is Poland, where ESET prevented over 26,000 attacks; this is followed by Ukraine, Spain, and Serbia. It’s worth mentioning that in each of those countries ESET products prevented more attacks than in the most affected country in H1 2023, Peru.

Figure 3. Heatmap of countries affected by AceCryptor, according to ESET telemetry

AceCryptor samples that we’ve observed in H2 often contained two malware families as their payload: Rescoms and SmokeLoader. A spike in Ukraine was caused by SmokeLoader. This fact was already mentioned by Ukraine’s NSDC. On the other hand, in Poland, Slovakia, Bulgaria, and Serbia the increased activity was caused by AceCryptor containing Rescoms as a final payload.

Rescoms campaigns

In the first half of 2023, we saw in our telemetry fewer than a hundred incidents of AceCryptor samples with Rescoms inside. During the second half of the year, Rescoms became the most prevalent malware family packed by AceCryptor, with over 32,000 hits. Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia (Figure 4).

Figure 4. Heatmap of European countries affected by AceCryptor-packed Rescoms during H2 2023, according to ESET telemetry

Campaigns in Poland

Thanks to ESET telemetry we’ve been able to observe eight significant spam campaigns targeting Poland in H2 2023. As can be seen in Figure 5, the majority of them happened in September, but there were also campaigns in August and December.

Figure 5. Timeline of Rescoms campaigns in Poland (daily hits)

In total, ESET registered over 26,000 of these attacks in Poland for this period. All spam campaigns targeted businesses in Poland and all emails had very similar subject lines about B2B offers for the victim companies. To look as believable as possible, the attackers incorporated the following tricks into the spam emails:

  • The email addresses the spam was sent from imitated the domains of other companies. Attackers used a different TLD, changed a letter in a company name, or changed the word order in the case of a multi-word company name (this technique is known as typosquatting).
  • Most noteworthy is that multiple campaigns involved business email compromise – attackers abused previously compromised email accounts of other company employees to send spam emails. In this way, even if the potential victim looked for the usual red flags, they were just not there, and the email looked as legitimate as it could have.
  • Attackers did their research and used existing Polish company names and even existing employee/owner names and contact information when signing those emails. This was done so that in the case where a victim tries to Google the sender’s name, the search would be successful, which might lead them to open the malicious attachment.
  • The content of spam emails was in some cases simpler but in many cases (like the example in Figure 6) quite elaborate. These more elaborate versions in particular should be considered dangerous as they deviate from the standard pattern of generic text, which is often riddled with grammatical mistakes.
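
The sender-domain tricks in the first bullet (a different TLD, a changed letter, swapped word order) can be checked mechanically against the domains an organisation already corresponds with. The following is an added example, not code from ESET: the domain list, function names and verdict labels are assumptions, and the changed-letter check is generalised to any single-character edit.

```python
# Constructed list of registrable domains the organisation corresponds with.
KNOWN_DOMAINS = ["example-steel.pl", "nordtrade.com", "acme-logistics.pl"]

def split_domain(domain):
    """Split 'name.tld' at the first dot (assumes no subdomains)."""
    name, _, tld = domain.lower().strip(".").partition(".")
    return name, tld

def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal) string
    i = 0
    while i < len(a) and a[i] == b[i]:   # skip the common prefix
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b

def classify_sender(sender, known=KNOWN_DOMAINS):
    """Return (verdict, matched known domain or None) for a sender address."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in known:
        return ("known", domain)
    name, tld = split_domain(domain)
    for ref in known:
        ref_name, ref_tld = split_domain(ref)
        if name == ref_name and tld != ref_tld:
            return ("different-tld", ref)
        if one_edit_apart(name, ref_name):
            return ("changed-letter", ref)
        # Same hyphen-separated words in a different order.
        if sorted(name.split("-")) == sorted(ref_name.split("-")):
            return ("word-order", ref)
    return ("unknown", None)

if __name__ == "__main__":
    for addr in ("jan@example-steel.pl", "biuro@example-steel.com",
                 "sales@nordtrabe.com", "office@logistics-acme.pl"):
        print(addr, classify_sender(addr))
```

A "known" verdict only means the domain is on the list: mail sent from a compromised legitimate account, as in the second bullet, passes this check.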

The email shown in Figure 6 contains a message followed by information about the processing of personal information done by the alleged sender and the possibility to “access the content of your data and the right to rectify, delete, limit processing restrictions, right to data transfer, right to raise an objection, and the right to lodge a complaint with the supervisory authority”. The message itself can be translated thus:

Dear Sir,

I am Sylwester [redacted] from [redacted]. Your company was recommended to us by a business partner. Please quote the attached order list. Please also inform us about the payment terms.

We look forward to your response and further discussion.

--

Best Regards,

Figure 6. Example phishing email targeting Polish companies, containing AceCryptor-packed Rescoms in the attachment

Attachments in all campaigns looked quite similar (Figure 7). Emails contained an attached archive or ISO file named offer/inquiry (of course in Polish), in some cases also accompanied by an order number. That file contained an AceCryptor executable that unpacked and launched Rescoms.

Figure 7. Compromise chain of Rescoms campaigns
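
The attachment pattern described above (an archive or disk image with an offer/inquiry-style name) can be turned into a mail triage check. The following is an added example, not code from ESET: the extensions and name stems are taken from the attachment filenames in this post's IoC list, using them as a rule is an assumption, and the sample message is constructed. It inspects names only and does not open the container.

```python
import os
import unicodedata
from email.message import EmailMessage

# Container types and name stems taken from the filenames in this post's IoC
# list; treating them as a triage rule is this example's assumption.
CONTAINER_EXTS = {".iso", ".7z", ".arj"}
LURE_STEMS = ("zapytanie", "zamowien", "ofert", "pedido")

def fold(text):
    """Lower-case and strip combining marks, so 'zamówień' becomes 'zamowien'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def name_reasons(filename):
    """Return the reasons an attachment name matches the described pattern."""
    folded = fold(filename)
    reasons = []
    ext = os.path.splitext(folded)[1]
    if ext in CONTAINER_EXTS:
        reasons.append("container:" + ext)
    if any(stem in folded for stem in LURE_STEMS):
        reasons.append("lure-name")
    return reasons

def triage(msg):
    """Map each matching attachment filename in an EmailMessage to its reasons."""
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = name_reasons(name)
        if reasons:
            results[name] = reasons
    return results

def build_sample():
    """Constructed message: one lure-style disk image and one ordinary PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Zapytanie ofertowe"
    msg.set_content("Constructed body text.")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="zamowienie_0001.iso")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="cennik.pdf")
    return msg

if __name__ == "__main__":
    print(triage(build_sample()))
```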

Based on the behavior of the malware, we assume that the goal of these campaigns was to obtain email and browser credentials, and thus gain initial access to the targeted companies. While it is unknown whether the credentials were gathered for the group that carried out these attacks or whether those stolen credentials would later be sold to other threat actors, it is certain that a successful compromise opens the possibility for further attacks, especially ransomware attacks, which are currently popular.

It is important to state that Rescoms RAT can be bought; thus many threat actors use it in their operations. These campaigns are not only connected by target similarity, attachment structure, email text, or tricks and techniques used to deceive potential victims, but also by some less obvious properties. In the malware itself, we were able to find artifacts (e.g., the license ID for Rescoms) that tie those campaigns together, revealing that many of these attacks were carried out by one threat actor.

Campaigns in Slovakia, Bulgaria, and Serbia

During the same time periods as the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. These campaigns also mainly targeted local companies and we can even find artifacts in the malware itself tying these campaigns to the same threat actor that carried out the campaigns in Poland. The only significant thing that changed was, of course, the language used in the spam emails to be suitable for those specific countries.

Campaigns in Spain

Apart from previously mentioned campaigns, Spain also experienced a surge of spam emails with Rescoms as the final payload. Even though we can confirm that at least one of the campaigns was carried out by the same threat actor as in these previous cases, other campaigns followed a somewhat different pattern. Furthermore, even artifacts that were the same in previous cases differed in these and, because of that, we cannot conclude that the campaigns in Spain originated from the same place.

Conclusion

During the second half of 2023 we detected a shift in the usage of AceCryptor – a popular cryptor used by multiple threat actors to pack many malware families. Even though the prevalence of some malware families like RedLine Stealer dropped, other threat actors started using it or used it even more for their activities and AceCryptor is still going strong. In these campaigns AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused email accounts. Because opening attachments from such emails can have severe consequences for you or your company, we advise that you be aware of what you are opening and use reliable endpoint security software able to detect the malware.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

IoCs

A comprehensive list of Indicators of Compromise (IoCs) can be found in our GitHub repository.

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 7D99E7AD21B54F07E857FC06E54425CD17DE3003 | PR18213.iso | Win32/Kryptik.HVOB | Malicious attachment from spam campaign carried out in Serbia during December 2023. |
| 7DB6780A1E09AEC6146ED176BD6B9DF27F85CFC1 | zapytanie.7z | Win32/Kryptik.HUNX | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| 7ED3EFDA8FC446182792339AA14BC7A83A272F85 | 20230904104100858.7z | Win32/Kryptik.HUMX | Malicious attachment from spam campaign carried out in Poland and Bulgaria during September 2023. |
| 9A6C731E96572399B236DA9641BE904D142F1556 | 20230904114635180.iso | Win32/Kryptik.HUMX | Malicious attachment from spam campaign carried out in Serbia during September 2023. |
| 57E4EB244F3450854E5B740B95D00D18A535D119 | SA092300102.iso | Win32/Kryptik.HUPK | Malicious attachment from spam campaign carried out in Bulgaria during September 2023. |
| 178C054C5370E0DC9DF8250CA6EFBCDED995CF09 | zamowienie_135200.7z | Win32/Kryptik.HUMI | Malicious attachment from spam campaign carried out in Poland during August 2023. |
| 394CFA4150E7D47BBDA1450BC487FC4B970EDB35 | PRV23_8401.iso | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Serbia during August 2023. |
| 3734BC2D9C321604FEA11BF550491B5FDA804F70 | BP_50C55_20230309_094643.7z | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Bulgaria during August 2023. |
| 71076BD712C2E3BC8CA55B789031BE222CFDEEA7 | 20_J402_MRO_EMS | Win32/Rescoms.B | Malicious attachment from spam campaign carried out in Slovakia during August 2023. |
| 667133FEBA54801B0881705FF287A24A874A400B | 7360_37763.iso | Win32/Rescoms.B | Malicious attachment from spam campaign carried out in Bulgaria during December 2023. |
| AF021E767E68F6CE1D20B28AA1B36B6288AFFFA5 | zapytanie ofertowe.7z | Win32/Kryptik.HUQF | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| BB6A9FB0C5DA4972EFAB14A629ADBA5F92A50EAC | 129550.7z | Win32/Kryptik.HUNC | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| D2FF84892F3A4E4436BEDC221102ADBCAC3E23DC | Zamowienie_ andre.7z | Win32/Kryptik.HUOZ | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| DB87AA88F358D9517EEB69D6FAEE7078E603F23C | 20030703_S1002.iso | Win32/Kryptik.HUNI | Malicious attachment from spam campaign carried out in Serbia during September 2023. |
| EF2106A0A40BB5C1A74A00B1D5A6716489667B4C | Zamowienie_830.iso | Win32/Kryptik.HVOB | Malicious attachment from spam campaign carried out in Poland during December 2023. |
| FAD97EC6447A699179B0D2509360FFB3DD0B06BF | lista zamówień i szczegółowe zdjęcia.arj | Win32/Kryptik.HUPK | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| FB8F64D2FEC152D2D135BBE9F6945066B540FDE5 | Pedido.iso | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Spain during August 2023. |

MITRE ATT&CK techniques

This table was built using version 14 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses | Email addresses and contact information (either bought or gathered from publicly available sources) were used in phishing campaigns to target companies across multiple countries. |
| Resource Development | T1586.002 | Compromise Accounts: Email Accounts | Attackers used compromised email accounts to send phishing emails in spam campaigns to increase spam email’s credibility. |
| Resource Development | T1588.001 | Obtain Capabilities: Malware | Attackers bought and used AceCryptor and Rescoms for phishing campaigns. |
| Initial Access | T1566 | Phishing | Attackers used phishing messages with malicious attachments to compromise computers and steal information from companies in multiple European countries. |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Attackers used spearphishing messages to compromise computers and steal information from companies in multiple European countries. |
| Execution | T1204.002 | User Execution: Malicious File | Attackers relied on users opening and launching malicious files with malware packed by AceCryptor. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Attackers tried to steal credential information from browsers and email clients. |