FUD Crypters Recycling Old Malware

When I first started analyzing malware we stored it on floppy disks, so I know old malware when I see it. And, oddly enough, lately I’m seeing more and more of it – a phenomenon being driven, I believe, by the ongoing proliferation of FUD crypter services—FUD as in “Fully Undetectable.” I think this is evolving to the point where it will be an issue for the security industry. 

As a quick summary, FUD crypters are tools providing automatic detection evasion enhancements for any malware file and have become readily available “as-a-service” online. They have evolved to user-friendly web sites providing point-and-click file obfuscation, and typically offer the visitor up to a couple dozen evasion techniques to pick and choose from for a customized result. Recently we’ve noticed that crypters offering sandbox and virtual machine evasion have been more and more popular.

Advanced Coding Skills No Longer Required

If you haven’t been entirely following these developments and want to have your eyes opened, just type “fud crypter” into your preferred search engine. You’ll find results for best free FUD crypters, best paid FUD crypters, crypter YouTube tutorials, crypter reviews, and crypter directories to help you navigate the competing offerings. And this is a glimpse on the public internet – never mind the dark web, where the real epicenter of the industry resides. You’ll also still find crypter do-it-yourself guides, but as with so many aspects of malware, advanced coding skills are no longer required for sophisticated evasion techniques. 

In short, cybercrime is another industry previously the somewhat exclusive domain of the cognoscenti which is moving to a more democratized, frictionless service model, where even duffers can go to quickly pull together the elements necessary to launch attacks. Practically all it takes is a browser and a cryptocurrency account.

Old Malware Getting Recycled

This FUD crypter service industry is giving a second life to a lot of old and kind-of-old malware, which can be pulled off the shelf by just about anybody with confused ethics and a Bitcoin account; run through a FUD crypter service in minutes; and then sent back into circulation in email campaigns or for download. We are seeing evidence of this in many samples being pulled from malware detected in our sandboxing array.

This is happening not because crypters are an entirely new phenomenon, but because a sophistication and “ease of use” threshold appears to have been crossed. It also appears to be feeding a volume of “new” malware appearing on the web and being distributed as attachments in emails that I believe many security providers are struggling to detect.


Old Trojan Biggest Surge After Cryptominers

One example is the cross-platform Java Adwind Remote Access Trojan (RAT), which has been around since 2013. Over the past 10 months we have seen a surge in its distribution, now heavily obfuscated, encrypted and equipped with sandbox and virtual machine evasion not seen when it first came out, made possible by the availability and ease-of-use of specific Java RAT crypters.

In fact, along with cryptominer malware, the surge in this five-year-old malware was the biggest increase in a unique malware family we observed in Q4 2017 and Q1 2018. The RAT itself was (and still is) easily obtainable on the web (I’ll skip providing a link, if you don’t mind). Once installed, the Adwind RATs are used to deliver all kinds of capabilities, like key logging, webcam hijacking, data stealing, and the further downloading of other malware. 

To pick a specific implementation as an example, we’ve seen many samples of an email pretending to be a purchase order with a related attachment. As well as heavy anti-reverse engineering evasion, the RAT has a config file which specifies anti-virtual machine checks and delays in connecting to the remote server. After burrowing through layers of decryption, one finally gets to the config file, which orders the RAT to not run in virtualized environments.
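As an added example (not code from the article, the Adwind authors or any crypter service), one coarse triage heuristic for crypter-wrapped Java RATs like the one described above: the real payload usually sits inside the JAR as an encrypted resource, so entries with near-maximal Shannon entropy that are not compiled classes are the ones worth decrypting first. The sample JAR is constructed inline, and the 7.5-bits-per-byte threshold is an assumption.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_jar(jar_bytes: bytes, threshold: float = 7.5) -> list[dict]:
    """One record per JAR entry with its entropy and a 'suspect' flag.

    Crypter output typically carries the payload as an encrypted resource, which
    shows up as an entry with near-maximal entropy. Entries starting with the
    CAFEBABE class-file magic are skipped; javac output sits well under 7.5.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)          # decompressed entry bytes
            ent = shannon_entropy(data)
            is_class = data[:4] == b"\xca\xfe\xba\xbe"
            records.append({"name": info.filename, "size": len(data),
                            "entropy": round(ent, 2),
                            "suspect": ent >= threshold and not is_class})
    return records


def suspect_entries(jar_bytes: bytes) -> list[str]:
    """Names of entries that look like encrypted payload blobs."""
    return [r["name"] for r in triage_jar(jar_bytes) if r["suspect"]]


def build_sample_jar() -> bytes:
    """Constructed test JAR: manifest, a fake class stub and a deterministic
    pseudo-random blob standing in for an encrypted payload (8 KiB)."""
    blob = b"".join(hashlib.sha256(b"seed%d" % i).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        z.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60 + b"Loader" * 20)
        z.writestr("resources/config.dat", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_jar(build_sample_jar()):
        print(rec)
```

The flag only narrows the search; a high-entropy entry still has to be decrypted and unpacked (as the layered Adwind config above shows) before anything can be said about what it does.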

What’s happening, from a certain perspective, is the automation of evasion, along with other elements of the malware “supply chain.” The implications for security are important, as it means those on the defensive side need to raise their game, too.
