AceCryptor: Cybercriminals’ Potent Tool Detected in Over 240,000 Attacks

A crypter called AceCryptor has been used since 2016 to pack various strains of malware, according to Slovak cybersecurity firm ESET. ESET reported over 240,000 detections of AceCryptor in 2021 and 2022, averaging over 10,000 hits per month. Notable malware families found packed within AceCryptor include SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey. The countries with the highest detections include Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India. AceCryptor-packed malware has been distributed through trojanized software installers, spam emails with malicious attachments, and other malware on already-compromised hosts.

AceCryptor is suspected to be sold as a crypter-as-a-service (CaaS) because multiple threat actors use it to propagate diverse malware families. It uses obfuscation techniques, a three-layer architecture, and anti-VM, anti-debugging, and anti-analysis methods to evade detection. Another crypter service, ScrubCrypt, has been used by cryptojacking groups, and Check Point discovered TrickGate, a packer used to deploy various malware strains.