Security Experts:

FUD Crypters Recycling Old Malware

When I first started analyzing malware we stored it on floppy disks, so I know old malware when I see it. And, oddly enough, lately I’m seeing more and more of it – a phenomenon being driven, I believe, by the ongoing proliferation of FUD crypter services—FUD as in “Fully Undetectable.” I think this is evolving to the point where it will be an issue for the security industry. 

As a quick summary, FUD crypters are tools providing automatic detection evasion enhancements for any malware file and have become readily available “as-a-service” online. They have evolved to user-friendly web sites providing point-and-click file obfuscation, and typically offer the visitor up to a couple dozen evasion techniques to pick and choose from for a customized result. Recently we’ve noticed that crypters offering sandbox and virtual machine evasion have been more and more popular.

Advanced Coding Skills No Longer Required

If you haven’t been entirely following these developments and want to have your eyes opened, just type “fud crypter” into your preferred search engine. You’ll find results for best free FUD crypters, best paid FUD crypters, crypter YouTube tutorials, crypter reviews, and crypter directories to help you navigate the competing offerings. And this is a glimpse on the public internet – never mind the dark web, where the real epicenter of the industry resides. You’ll also still find crypter do-it-yourself guides, but as with so many aspects of malware, advanced coding skills are no longer required for sophisticated evasion techniques. 

In short, cybercrime is another industry previously the somewhat exclusive domain of the cognoscenti which is moving to a more democratized, frictionless service model, where even duffers can go to quickly pull together the elements necessary to launch attacks. Practically all it takes is a browser and a cryptocurrency account.

Old Malware Getting Recycled

This FUD crypter service industry is giving a second life to a lot of old and kind-of-old malware, which can be pulled off the shelf by just about anybody with confused ethics and a Bitcoin account; run through a FUD crypter service in minutes; and then sent back into circulation in email campaigns or for download. We are seeing evidence of this in many samples being pulled from malware detected in our sandboxing array.

This is happening not because crypters are an entirely new phenomenon, but because there’s a sophistication and “ease of use” threshold which appears to have been crossed. It is also appears to be feeding a volume of “new” malware appearing on the web and being distributed as attachments in emails that I believe many security providers are struggling to detect.

Old Trojan Biggest Surge After Cryptominers

One example is the cross-platform JAVA Adwind Remote Access Trojan (RAT), which has been around since 2013, but over the past 10 months we have seen a surge in its distribution, now heavily obfuscated, encrypted and equipped with sandbox and Virtual Machine evasion not seen when it first came out, but happening now due to the availability and ease-of-use of specific JAVA RAT crypters. 

In fact, along with cryptominer malware, the surge in this five-year-old malware was the biggest increase in a unique malware family we observed in Q4 2017 and Q1 2018. The RAT itself was (and still is) easily obtainable on the web (I’ll skip providing a link, if you don’t mind). Once installed, the Adwind RATs are used to deliver all kinds of capabilities, like key logging, webcam hijacking, data stealing, and the further downloading of other malware. 

To pick a specific implementation as an example, we’ve seen many samples of an email pretending to be a purchase order with a related attachment. As well as heavy anti-reverse engineering evasion, the RAT has a config file which specifies anti-virtual machine checks and delays in connecting to the remote server. After burrowing through layers of decryption, one finally gets to the config file, which orders the RAT to not run in virtualized environments.

What’s happening, from a certain perspective, is the automation of evasion, along with other elements of the malware “supply chain.” The implications for security are important, as it means those on the defensive side need to raise their game, too.

view counter
Sigurdur “Siggi” Stefnisson is vice president of threat detection at Cyren, an Internet Security as a Service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions.