Attacker-Crypter (v0.9): Unveiling a Powerful Tool for Evading Antivirus and Enhancing Malware Capabilities

EXECUTIVE SUMMARY

Cyfirma remains committed to tracking new threats and trends in the cybersecurity landscape. One noteworthy tool that has emerged is Attacker-Crypter. A crypter is a type of software that can encrypt, obfuscate and manipulate malicious code to make detection harder by the security tools, and is used by cybercriminals to create malware that can deceive security checks and AV detections. Attacker- Crypter is equipped with various options that can be leveraged to significantly reduce detections of the existing malware and bypass security scans when used in combination, making it a definite ‘one to watch’ in the threat-of sphere.

INTRODUCTION

Attacker-Crypter is a tool that provides an interface to create an encrypted payload, helps evading antivirus, using different inbuilt techniques. It also supports multiple features that can be added to the existing malware to enhance the capabilities of the malicious code, such as Process injection, Persistence mechanism, using scheduled task and startup programs, .Net and native injection methods, file obfuscation etc.

KEY FINDINGS

• Attacker-Crypter; a Potent Malware Tool – Cyfirma research team discovers the emergence of Attacker-Crypter; a powerful and easy to use software designed to encrypt, obfuscate, and manipulate malicious code, rendering it harder to detect by security tools and antivirus software.
• Attacker-Crypter is freely available on GitHub, has been attributed to a creator of Russian origin, raising concerns about its potential misuse in cyberattacks.
• This tool empowers cybercriminals to add a range of features to their malware, including WoW64 environment detection, debugger evasion, process termination, network communication, process injection, and more, augmenting the malware’s destructive potential.
• Attacker-Crypter incorporates defense mechanisms such as Microsoft Defender and AMSI (Windows Antimalware Scan Interface) bypass, Melt function with RunPE and Sleep function, further evading detection by security programs.
• With version 0.8 introducing ‘Pumper’ that inserts bytes into the malware, which makes the file size bigger than the actual payload, that adds an obfuscation layer to the malicious code.
• The newer version (0.9) adding the virtual environment (VM) detection feature that can deter the execution of malware if executed within virtual machines, thwarts analysis in virtual environments.
• It can notify the user of the tool if the encrypted payload is executed using the Telegram bot, or Socket server settings.
• The tool continues to evolve, making it a looming threat in the cybersecurity landscape.
• A moderator on a Russian underground forum is actively promoting the Attacker-Crypter, raising concerns about its potential popularity amongst malicious actors.

EXTERNAL THREAT LANDSCAPE MANAGEMENT ATTRIBUTION

Threat Actor Profile: The developer of the Attacker-Crypter tool has an account on GitHub with the profile name “TheNewAttacker” and named the tool as “TheAttacker-Crypter”, and made it available for free:

The profile behind this tool appears to-be of Russian Origin (as per the profile on the GitHub), has 284 followers and 259 contributions since last year.

Prominent Features:

As per the details mentioned on the page, the tool is able to “Evade Antivirus with Different Techniques” and clearly instructed to not upload this tool on VirusTotal, so that it’s longevity can be optimized.

The screenshots mentioning the features, PoC and user instructions for the tool are also published on the page:

Evolving Threat

The threat actor also planned to add five additional features (as mentioned on the page) to this tool, including different encryption methods, Linux support and loading payload from local system:

Promotion in Underground Forums:

Moderator of a Russian underground forum is also promoting this tool

Threat Landscape: From an external threat landscape perspective, the discovery of “TheAttacker- Crypter” tool by the Cyfirma research team highlights the concerning trend of threat actors developing advanced methods to evade anti-malware tools. The threat actor behind this tool has a significant online presence, with a substantial number of followers and contributions. This discovery emphasizes the ongoing need for robust security measures to counteract the evolving tactics of threat actors in the digital landscape.

ANALYSIS OF ATTACKER-CRYPTER

The Attacker-Crypter comes as a RAR archive, comprised of other supporting file for its operation, which includes a DLL and configuration files:

File Name: dnlib.dll
File Size: 1.11 MB (1164800 bytes)
MD5: 281670cbc3bd5f20950d5caa3810998c
SHA-256: e5992503cad2a2ef71b6253716ac58f842a2f0099b1d70286f17beae37842d79

File Name: dnlib.xml
File Size: 1.76 MB (18,54,717 bytes)
MD5: ce2d5f5d812c192e3b61330b93921c2d
SHA-256: 4248434dc14209d2f10a5c2a2f1cdde44aea2f43c8798cf5c7e7d14a8f124e9c

These DLL and configuration files are a vital part of the tool and support the working of the main module (Attacker-Crypter).

The main module (Attacker-Crypter) is an unsigned, GUI based 32-bit Windows executable. It does not need administrative or escalated privileges, instead runs with the current user’s default security settings.

The executable file comprises of 3 sections with .text section (executable) of higher entropy (7.841):

It only imports one DLL (mscoree.dll), which is essential for the execution of “managed code” applications, written for use with the .NET Framework. The imported functions from this library indicates potential capabilities of the specimen for the cryptography related operations:

BEHAVIORAL & CODE ANALYSIS

It uses ‘DLLImport’ function to import and uses the kernel32.dll and ntdll.dll libraries, when executed:

The extracted codes from the Attacker-Crypter tool confirm some of the functionalities, claimed by the developer, and the capabilities that it can add to the existing malwares, such as detection of WoW64 environment, debugger detection, process termination, writing process memory and mapping and un- mapping of the sections, network communication, use of HTTP protocol, self-deletion of file after execution etc.

ATTACKER-CRYPTER FUNCTIONS

Attacker-Crypter has an intuitive graphical interface with several options for malware modification, using different built-in methods that can be availed using simple clicks:

Payload Encryptor allows to choose the (malware) file, generates the encryption key with ‘Generate’ button, and then the ‘Encrypt’ option creates the encrypted payload but requires copying the text from ‘Loader.txt’ file that it generates (in the current working directory) on the Pastebin (web application to share plain text online) and pasting the raw URL under “Builder Area” to build the encrypted payload.

Injection Settings has options for .NET Assembly and RunPE process injection methods. The Post exploitation options provide a facility that incorporates anti-malware defense such as Windows defender exclusion, Bypass Windows Antimalware Scan Interface, Anti-Vm check, as well as option to create mutex and Sleep after execution. Persistence setting allows to register and run the malware as a scheduled task or run at system startup.

The .Net Obfuscate provides an option to obfuscate a File, which it says, “Under development”, and the File pumper that inserts bytes (Fake Bytes or Real Bytes, as shown in the image below) to increase the file size. It results in a file that is distinctive from the original, which makes it less prone for detection by security tools, adds the anti-malware defense:

There is an option for the Change Assembly by cloning it from a legitimate executable that makes the malware instructions more complex and less prone to detection:

A Telegram chat bot ID and/or Socket server setting can be defined to get notified if the encrypted/modified payload is executed.

DOES ATTACKER-CRYPTER REALLY WORK?

We tested the functionality of Attacker-Crypter (V0.9) with an active malware sample “AgentTesla”, which has wider detection by the security tools, as shown in the following screenshot (sample uploaded to the VirusTotal):

And when we modified the malware sample (Encrypted with “Payload Encryptor”, obfuscated using ‘Pumper’ and used other available options for modification) using Attacker-Crypter tool, we get lower detection than the original malware:

Besides this, the Window defender with latest security intelligence update was unable to detect the encrypted payload, while original sample was detected by the Real-Time protection feature:

In our investigation, we found that while Attacker-Crypter tool was not able to generate the fully undetectable malware after modification, it is quite effective against the static signature detections and static heuristics.

ATTACKER-CRYPTER CAPABILITIES

The analysis of the Attacker-Crypter tool provides insights and reveals its functionality. Based on the analysis and the extracted data, the following are the capabilities of the Attacker-Crypter tool that it can add to malware:

1. Malware encryption.
2. AMSI (Windows Antimalware Scan Interface) bypass.
3. Process injection using RunPE and .NET assembly loading into existing process.
4. 32-bit and 64-bit process injection.
5. Cloning assembly of a legitimate process to the malware.
6. Checking for the analysis environment, such as virtual machines and debuggers.
7. Melt function for the executable to delete itself after process injection.
8. Adding bytes to the malicious file to make the file size bigger and distinctive from the original malware.
9. File obfuscation.
10. Execute PowerShell command upon execution of malware file.
11. Notify the user of the tool if encrypted malware is executed using the Telegram chat bot or socket server setting.

CONCLUSION

The Attacker-Crypter tool is potentially of Russian origin and available for free, posing a significant concern in the realm of threat landscape. The creator, known as “TheNewAttacker,” aims to seek support from other contributors by enhancing their malware’s attack capabilities and evading antivirus detection. The tool is actively developed and constantly updated, with plans for future feature additions. By adding complexity to the malware and making analysis more difficult, this tool increases the risk to cybersecurity. Its availability and encouragement for malicious use by other threat actors further emphasize the need for robust defense measures and heightened awareness within the security community.

RECOMMENDATIONS

• Implement threat intelligence to proactively counter such threats.
• Update security patches, which can reduce the risk for potential compromise.
• To protect the endpoints, use the endpoint security solutions for real-time monitoring and threat detection, such as Antimalware security suit and host-based intrusion prevention system.
• Continuous monitoring of network activity with NIDS/NIPS and using the web application firewall to filter/block suspicious activity provides comprehensive protection from compromise, due to encrypted payloads.
• Conducting vulnerability assessment and penetration testing on the environment periodically helps in hardening the security, by finding the security loopholes followed by remediation process.
• Use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
• Security awareness and training programs help to protect from security incidents, such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by tools like Attacker-Crypter.

INDICATORS OF COMPROMISE

MITRE ATT&CK TACTICS AND TECHNIQUES