Private Crypting Services for Bypassing Antivirus Scans & Reverse Engineering

Private crypting services offer strong protection and obfuscation. Any malicious tool can be encrypted to avoid detection by antivirus software or reverse engineering.
Published on October 27, 2022. Updated on April 19, 2023.
Category: Malware Intelligence | Industry: Underground | Motivation: Financial | Region: Global | Source*: B2

Executive Summary

Threat
  • Private crypting services offering strong protection and obfuscation.
  • Any malicious tool can be encrypted to avoid detection by antivirus software or reverse engineering.

Impact
  • Encrypted malicious tools can be used to orchestrate scam campaigns.
  • Exfiltration of sensitive information.
  • Monitoring a device via remote desktop in live mode.

Mitigation
  • Download applications or software from legitimate sources only.
  • Monitor for suspicious activities/processes on the system.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising AV’s NIGHTMARE, a private crypting service that offers strong protection and obfuscation.
  • The service offered can encrypt any tool (stealer, RAT, botnet, etc.), making it undetectable by antivirus software or reverse engineering.
  • The following information has been shared about the service:
    • The tool is almost undetectable, as it can bypass almost all antivirus products.
    • It stays hidden from reverse engineering.
    • The service can work with any RAT, stealer, malicious file, botnet, etc.
    • Its main goal is to bypass Windows Defender.
    • The product used to encrypt the tool is coded in C++.
    • The services range from USD 30 to USD 160, based on the type of package and features.
Figure: Threat actor’s advertisement on a cybercrime forum.

Features of the Tool

According to the advertisement, the crypting services packages had the following features:
  • Private and dedicated powerful encryption methods for every customer.
  • Advanced injection technology for .NET/Native payloads.
  • Compatible with both .NET and Native files.
  • Hidden startup and persistence installation.
  • Private dedicated stub.
  • Fully dedicated support.
  • Long FUD (fully undetectable) lifetime.

Information from Cybercrime Forums

  • The threat actor was previously very active on another famous cybercrime forum.
  • The post’s credibility is vouched for in a thread posted by another threat actor who was a buyer of these services.
  • The actor also mentioned having over 50 satisfied customers with no complaints.

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The threat actor shared a video sample demonstrating the workflow of a crypter executable.
  • The video demonstrated the actor monitoring a victim’s device via remote desktop in live mode.
  • The crypter executable file got 0 detections from over 20 antivirus scans.

Threat Actor Activity and Rating

Threat Actor Profiling
  • Active since: August 2022
  • Reputation: High (no complaints or concerns against the actor)
  • Current status: Active
  • History: Previously seen dealing with crypts for miner UAC bypass and Windows Defender exclusions.
  • Point of contact:
    • Discord: BigStuart#1880
    • Telegram: @bigstuart
  • Rating: B2 (B: Usually Reliable; 2: Probably True)

Impact & Mitigation

Impact
  • Crypting services can be used to disguise stealers, RATs, and botnets as legitimate software, which can then be used to launch scam campaigns.
  • Infiltration of the organization’s infrastructure.
  • Exfiltration of sensitive and confidential data.
  • Monitoring a victim’s device via remote desktop in live mode.
  • Demanding a ransom or selling the accesses/databases for monetary gain.
  • The tools encrypted using this service are undetectable and hence can maintain persistence on the system for a long time.

Mitigation
  • Download applications or software from legitimate portals/websites only.
  • Look for any suspicious activities or processes on the system.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
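As an added defender-side example (not tooling from the advisory or the actor), the PowerShell script below turns the mitigation bullets into a concrete host check: it lists Microsoft Defender exclusions (the actor’s history includes Defender exclusion crypts), enumerates Run/RunOnce and Startup-folder autostart entries (the advertised “hidden startup and persistence installation”), and compares each autostart binary’s MD5 against the hash published in the IoC section. It assumes Windows 10/11 with Microsoft Defender and an elevated session; Get-ExePath is a helper written here, not a built-in cmdlet.

```powershell
# Added triage example (not the advisory's own tooling); assumes Windows 10/11, Defender, elevated shell.
$IocHash = '82c0632b2b5e5c4ae40edba657ad5250'   # hash from the advisory's IoC section (32 hex chars, compared as MD5)

# 1. Defender exclusions: anything excluded here is never scanned, so list every entry for review.
$pref = Get-MpPreference
Write-Host '== Defender exclusions =='
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in $pref.$kind) { Write-Host ("{0,-18} {1}" -f $kind, $entry) }
}

# 2. Autostart locations: Run/RunOnce keys (machine and user) plus both Startup folders.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

# Helper (written here): pull the executable out of a Run-key command line, quoted or not.
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$candidates = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own PSPath/PSDrive metadata
        $candidates += [pscustomobject]@{ Source = $key; Name = $p.Name; Path = Get-ExePath $p.Value }
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $candidates += [pscustomobject]@{ Source = $dir; Name = $f.Name; Path = $f.FullName }
    }
}

# 3. Hash every resolvable autostart binary and flag a match against the IoC.
Write-Host "`n== Autostart entries =="
foreach ($c in $candidates) {
    $path = [Environment]::ExpandEnvironmentVariables($c.Path)
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        Write-Host ("{0,-9} {1} -> {2} (file not found)" -f 'MISSING', $c.Name, $path); continue
    }
    $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
    $flag = if ($md5 -eq $IocHash) { 'IOC MATCH' } else { 'ok' }
    Write-Host ("{0,-9} {1}  {2}" -f $flag, $md5, $path)
}
```

A MISSING line is worth a look too: an autostart entry whose target no longer exists is often left behind by a dropper that cleaned up after itself.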

Indicators of Compromise (IoCs)

The following IoC has been gathered based on the results from AntiScan[.]me and information from a sensitive source.
Hash: 82c0632b2b5e5c4ae40edba657ad5250

Appendix

  • Figure: A threat actor vouching for the services.
  • Figure: Threat actor’s testimonial about the satisfied customers.
  • Figure: Workflow demonstrated in the video shared with a sensitive source.
  • Figure: The .exe file getting 0 flags from antivirus scanners.
  • Figure: Live monitoring of the victim’s system via remote desktop, as depicted in the video shared with a sensitive source.
