A crypter is used for encrypting, obfuscating and manipulating malware to make detection more difficult. Hacker groups behind Lokibot, Zeus, AgentTesla and Smokeloader have been using the recently discovered, multilayer 2012 Malware Crypter.
“Its widespread use and length of time in use make it a key malware infrastructure component,” says Avast threat researcher Jakub Kaloč. “We believe that likely the authors of Crypter offer it as an encrypting service. Based on the uniqueness of the first layer, it is also safe to assume that authors of Crypter offer the option of a unique stub file to ensure that encrypted malware will be undetectable.”
Avast says 2012 Malware Crypter, 32-bit software written in C++, has three layers:
- Layer 1: This outer layer has one main function, which varies based on the encrypted malware. For example, it can allocate and load data to memory, decrypt the loaded data and pass execution of the decrypted data to the second layer.
- Layer 2: This is shellcode that decrypts the next layer. It uses a complex process, decrypting chunks of data according to their size and then joining them together. When all the pieces have been decrypted and joined, execution is passed to the location where the decrypted data is stored and the crypter starts executing the third layer.
- Layer 3: This layer uses the same decryption process as the second layer to resolve the API functions it needs to change memory permissions. It then copies the decrypted data over itself, after which the payload is injected into the crypter process.
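The three-layer flow described above (allocate and decrypt in memory, change memory permissions, overwrite self, run the payload) leaves a characteristic ordering of API calls that a defender can score in a sandbox trace. The following is an added illustration written for this article, not Avast's tooling; the trace format, the Windows API names used as stage markers and the threshold are assumptions.

```python
"""Behavioural triage for a layered crypter, run over a constructed API-call trace."""
import re
from collections import defaultdict

# Constructed sample trace (not real sandbox output): "<pid> <api>(<args>)", one call per line.
SAMPLE_TRACE = """\
4120 VirtualAlloc(NULL, 0x3a000, MEM_COMMIT, PAGE_READWRITE)
4120 memcpy(0x1f0000, resource, 0x3a000)
4120 VirtualProtect(0x1f0000, 0x3a000, PAGE_EXECUTE_READWRITE)
4120 VirtualProtect(0x400000, 0x8000, PAGE_EXECUTE_READWRITE)
4120 WriteProcessMemory(0xffffffff, 0x400000, 0x1f0000, 0x3a000)
4120 CreateThread(0x400400)
5008 VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE)
5008 ReadFile(config.ini)
"""

# Ordered stages mirroring the layer sequence; the API choices are assumptions.
STAGES = [
    ("alloc_rw",       r"VirtualAlloc\(.*PAGE_READWRITE"),          # layer 1: allocate buffer
    ("make_exec",      r"VirtualProtect\(.*PAGE_EXECUTE"),          # layer 3: change permissions
    ("self_overwrite", r"WriteProcessMemory\(0xffffffff,"),         # 0xffffffff = own-process pseudo-handle
    ("run_payload",    r"(CreateThread|CreateRemoteThread)\("),     # hand execution to payload
]
LINE_RE = re.compile(r"^(\d+)\s+(\S+\(.*\))$")


def unpack_stages(trace: str) -> dict:
    """Return {pid: [stage names reached, in order]} for every process in the trace."""
    progress = defaultdict(list)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        pid, call = m.groups()
        nxt = len(progress[pid])  # only the next expected stage can advance a process
        if nxt < len(STAGES) and re.search(STAGES[nxt][1], call):
            progress[pid].append(STAGES[nxt][0])
    return dict(progress)


def flag_crypter_like(trace: str, min_stages: int = 3) -> list:
    """Return pids that reached at least `min_stages` of the unpack sequence in order."""
    return sorted(pid for pid, s in unpack_stages(trace).items() if len(s) >= min_stages)
```

A single RW allocation (pid 5008) is normal program behaviour and is not flagged; only the ordered chain through permission change and self-overwrite crosses the threshold.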
“2012 malware Crypter is a malware family which has been around for some time,” Kaloč notes. “Combined with the prevalence of this crypter and the fact that samples have such a unique first layer, it’s logical to assume that crypter wasn’t developed as a one-time thing. On the contrary, according to analysis of multiple samples and their capture date, it was possible to see multiple versions of some parts of 2012 Malware Crypter.”
Some security experts say the demand for crypters and for encryption as a service is growing, with some facilitators offering free samples to entice customers. Some hackers have also been partnering with malware crypter services as part of their campaigns.
The real payload is hidden inside another encrypted resource. The name of the file, as well as the decryption key, is included in the parameters decrypted in the previous step:
Zip Password : www.masterscyber.com