AceCryptor first appeared in 2016. Since then, this cryptor has been used to pack tens of malware families, and many of its technical components have already been discussed and detailed elsewhere. Readers may already be familiar with it under other names: the DJVU obfuscation, SmokeLoader's stage 1, RedLine Stealer's stages 1, 2, and 3, an "easy and popular packer", and so on. This article connects the dots by offering not only a technical analysis of its variants but also an overview of the malware families found packed by it and how common AceCryptor is in the wild. Many (but not all) of the published blog posts fail even to recognize this cryptor as a separate malware family.
For malware authors, keeping their malware from being detected is a challenge, and a cryptor is the first line of defense for malware that is about to be distributed. Threat actors are capable of designing and maintaining their own unique cryptors; however, for crimeware threat actors, keeping a cryptor in a state known as FUD (fully undetectable) is frequently a time-consuming or technically challenging task. Numerous cryptor-as-a-service (CaaS) offerings have emerged in response to the demand for this protection. These cryptors combine several anti-VM, anti-debugging, and anti-analysis techniques to hide the packed payload.
Since it first appeared, AceCryptor has been used by several malware authors. Its services were even used by crimeware such as Emotet, which did not have its own cryptor at that time. During 2021-22, the security company ESET found more than 80,000 different AceCryptor samples. Because of the significant variety of malware families packed inside it, AceCryptor is believed to be offered somewhere as a CaaS. Even though the exact cost of this service is not known, the number of unique files found suggests that the profits to the AceCryptor creators are not insignificant.
Because AceCryptor is used by a wide range of threat actors, malware packed by it is also distributed in a variety of ways. Based on ESET telemetry, devices were primarily exposed to AceCryptor-packed malware through spam emails with malicious attachments or trojanized installers of pirated software.
Additionally, other malware that downloads further malware protected by AceCryptor may also expose a user to AceCryptor-packed malware. The Amadey botnet, which has been observed downloading an AceCryptor-packed RedLine Stealer, serves as an example.
Today, AceCryptor is a long-lived cryptor that is expected to be offered as a CaaS on dark web or underground forums. Tens of different malware families have used this cryptor, and many of them rely on it as their primary defense against static detection.
Because this cryptor is used by several threat actors, anyone can be affected. Given the diversity of the packed malware, it is difficult to predict how severe the consequences are for a victim. AceCryptor-packed malware may have been downloaded or dropped by other malware already active on the victim's computer, or the victim may have been infected directly, for example by opening a malicious email attachment; in either case, cleaning the compromised system can be very challenging.