- Private crypting services offering strong protection and obfuscation.
- Any malicious tool can be encrypted to avoid detection by antivirus software or reverse engineering.
- Encrypted malicious tools can be used to orchestrate scam campaigns.
- Exfiltration of sensitive information.
- Monitoring a device via remote desktop in live mode.
- Download applications or software from legitimate sources only.
- Monitor for suspicious activities/processes on the system.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising AV’s NIGHTMARE, a private crypting service that offers strong protection and obfuscation.
- The service can encrypt any tool (stealer, RAT, botnet, etc.) so that it is not detected by antivirus software or reverse engineering.
- The following information has been shared about the service:
  - The tool is almost undetectable, as it can bypass almost all antivirus products.
  - It stays hidden from reverse engineering.
  - The service can work with any RAT, stealer, malicious file, botnet, etc.
  - Its main goal is to bypass Windows Defender.
  - The product used to encrypt the tool is coded in C++.
- The services range from USD 30 to USD 160, based on the type of package and features.
Figure: Threat actor’s advertisement on cybercrime forum
Features of the Tool
According to the advertisement, the crypting services packages had the following features:
- Private and dedicated powerful encryption methods for every customer.
- Advanced technology of injection having .NET/Native payloads.
- Compatible with both .NET and Native files.
- Hidden startup and persistence installation.
- Private dedicated stub.
- Fully dedicated support.
- Long FUD (fully undetectable) period.
Information from Cybercrime Forums
- The threat actor was previously very active on another famous cybercrime forum.
- The post’s credibility is vouched for in a thread by another threat actor who had bought these services.
- The actor also mentioned having over 50 satisfied customers with no complaints.
Information from a Sensitive Source
A sensitive source in contact with the threat actor has ascertained that:
- The threat actor shared a video sample demonstrating the workflow of a crypter executable.
- The video demonstrated the actor monitoring a victim’s device via remote desktop in live mode.
- The crypter executable file got 0 detections from over 20 antivirus scans.
Threat Actor Activity and Rating
Threat Actor Profiling
- Reputation: High (no complaints or concerns against the actor)
- History: Previously seen dealing with crypts for miner UAC bypass and Windows Defender exclusions.
- Point of Contact:
  - Discord: BigStuart#1880
  - Telegram: @bigstuart
- Rating: B2 (B: Usually Reliable; 2: Probably True)
Impact & Mitigation
Impact
- Crypting services can be used to disguise stealers, RATs, and botnets as legitimate software, which can then be used to launch scam campaigns.
- Infiltration of the organization’s infrastructure.
- Exfiltration of sensitive and confidential data.
- Monitoring of a victim’s device via remote desktop in live mode.
- Demanding a ransom or selling the access or databases for monetary gain.
- Tools encrypted using this service evade antivirus detection and can therefore maintain persistence on the system for a long time.
Mitigation
- Download applications or software from legitimate portals/websites only.
- Monitor the system for suspicious activities or processes.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
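The advertised "hidden startup and persistence installation" and the recommendation to monitor the system for suspicious processes both point at the same defensive check: enumerate the common Windows autostart locations and look at what is actually configured to run. The script below is an added example written for this post, not CloudSEK’s code or anything from the service described; the set of locations audited (Run/RunOnce keys, Startup folders, scheduled tasks) and the "flag anything without a valid Authenticode signature" heuristic are my assumptions, not IoCs from the page.

```powershell
# Added example (not from the original post): audit common Windows autostart
# locations and flag entries whose executable is missing or lacks a valid
# Authenticode signature. Locations audited and output layout are assumptions.

function Get-AutostartEntries {
    # Registry Run/RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties Get-ItemProperty adds
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $props.$name }
        }
    }

    # Per-user and all-users Startup folders
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }

    # Scheduled tasks with an "execute program" action (some need admin to read)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)"
                    Name    = $task.TaskName
                    Command = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }
}

function Resolve-ExecutablePath {
    param([string]$Command)
    # Pull the executable out of a command line: quoted path or first token
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Startup-folder entries are usually .lnk shortcuts; follow them to the target
    if ([System.IO.Path]::GetExtension($exe) -ieq '.lnk' -and (Test-Path -LiteralPath $exe)) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($exe).TargetPath
        if ($target) { $exe = $target }
    }

    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # Bare names (e.g. "rundll32") resolve through PATH
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Source) { return $cmd.Source }
    return $exe
}

$findings = foreach ($entry in Get-AutostartEntries) {
    $exe = Resolve-ExecutablePath $entry.Command
    if (-not (Test-Path -LiteralPath $exe)) {
        $status = 'MissingFile'
    } else {
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
        $status = (Get-AuthenticodeSignature -FilePath $exe).Status
    }
    [pscustomobject]@{
        Source    = $entry.Source
        Name      = $entry.Name
        Path      = $exe
        SigStatus = $status
        Flag      = ($status -ne 'Valid')
    }
}

# Flagged entries first: unsigned, tampered, or pointing at a file that no longer exists
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and all scheduled tasks are readable. A flagged entry is a lead, not a verdict: plenty of legitimate software ships unsigned, and a valid signature only tells you who signed the file, so review the flagged paths (and the command-line arguments the task or Run value passes) rather than treating the list as a detection by itself.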
Indicators of Compromise (IoCs)
The following IoCs have been gathered based on the results from AntiScan[.]me and information from a sensitive source.
Figure: A threat actor vouching for the services
Figure: Threat actor’s testimonial about the satisfied customers
Figure: Workflow demonstrated in the video shared with a sensitive source
Figure: The exe file getting 0 flags by antiviruses
Figure: Live monitoring of victim’s system via remote desktop as depicted in the video shared with a sensitive source