Private Crypting Services for Bypassing Antivirus Scans & Reverse Engineering

Summary

Private crypting services offer strong protection and obfuscation. Any malicious tool can be encrypted with them to evade antivirus detection and hinder reverse engineering.

Category: Malware Intelligence
Industry: Underground
Motivation: Financial
Region: Global
Source*: B2

Executive Summary

Threat
  • Private crypting services offering strong protection and obfuscation.
  • Any malicious tool can be encrypted to evade antivirus detection and hinder reverse engineering.

Impact
  • Encrypted malicious tools can be used to orchestrate scam campaigns.
  • Exfiltration of sensitive information.
  • Monitoring a device via remote desktop in live mode.

Mitigation
  • Download applications or software from legitimate sources only.
  • Monitor for suspicious activities/processes on the system.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising AV’s NIGHTMARE, a private crypting service that offers strong protection and obfuscation.
  • The service offered can encrypt any tool (stealer, RAT, botnet, etc.), making it undetectable by antivirus software and resistant to reverse engineering.
  • The following information has been shared about the service:
    • The tool is almost undetectable, as it can bypass almost all antivirus products.
    • It stays hidden from reverse engineering.
    • The service can work with any RAT, stealer, malicious file, botnet, etc.
    • Its main goal is to bypass Windows Defender.
    • The product used to encrypt the tool is coded in C++.
    • The services range from USD 30 to USD 160, based on the type of package and features.

Threat actor’s advertisement on cybercrime forum

Features of the Tool

According to the advertisement, the crypting service packages had the following features:
  • Private and dedicated powerful encryption methods for every customer.
  • Advanced injection technology for .NET/Native payloads.
  • Compatible with both .NET and Native files.
  • Hidden startup and persistence installation.
  • Private dedicated stub.
  • Fully dedicated support.
  • Long FUD (fully undetectable) period.

Information from Cybercrime Forums

  • The threat actor was previously very active on another famous cybercrime forum.
  • The post’s credibility is assured in a thread posted by another threat actor who was a buyer of these services.
  • The actor also mentioned having over 50 satisfied customers with no complaints.

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The threat actor shared a video sample demonstrating the workflow of a crypter executable.
  • The video demonstrated the actor monitoring a victim’s device via remote desktop in live mode.
  • The crypter executable file got 0 detections from over 20 antivirus scans.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: August 2022
Reputation: High (no complaints or concerns against the actor)
Current Status: Active
History: Previously seen dealing with crypts for miner UAC bypass and Windows Defender exclusions.
Point of Contact:
  • Discord: BigStuart#1880
  • Telegram: @bigstuart
Rating: B2 (B: Usually Reliable; 2: Probably True)

Impact & Mitigation

Impact
  • Crypting services can be used to disguise stealers, RATs, and botnets as legitimate software, which can then be used to launch scam campaigns.
  • Infiltration of the organization’s infrastructure.
  • Exfiltration of sensitive and confidential data.
  • Monitoring a victim’s device via remote desktop in live mode.
  • Demanding a ransom or selling the accesses/databases for monetary benefits.
  • The tools encrypted using this service are undetectable and hence can maintain persistence on the system for a long time.

Mitigation
  • Download applications or software from legitimate portals/websites only.
  • Monitor the system for any suspicious activities or processes.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Indicators of Compromise (IoCs)

The following IoCs have been gathered based on the results from AntiScan[.]me and information from a sensitive source.
Hash: 82c0632b2b5e5c4ae40edba657ad5250

Appendix

A threat actor vouching for the services

Threat actor’s testimonial about the satisfied customers

Workflow demonstrated in the video shared with a sensitive source

The exe file getting 0 flags by antiviruses

Live monitoring of victim’s system via remote desktop as depicted in the video shared with a sensitive source
