Last year ESET published a blogpost about AceCryptor – one of the most popular and prevalent cryptors-as-a-service (CaaS) operating since 2016. For H1 2023 we published statistics from our telemetry, according to which trends from previous periods continued without drastic changes.
However, in H2 2023 we registered a significant change in how AceCryptor is used. Not only have we seen and blocked over double the attacks in H2 2023 in comparison with H1 2023, but we also noticed that Rescoms (also known as Remcos) started using AceCryptor, which was not the case previously.
The vast majority of AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries including Poland, Slovakia, Bulgaria, and Serbia.
Key points of this blogpost:
- AceCryptor continued to provide packing services to tens of very well-known malware families in H2 2023.
- Even though it is well known to security products, AceCryptor's prevalence is not showing indications of decline: on the contrary, the number of attacks significantly increased due to the Rescoms campaigns.
- AceCryptor is a cryptor of choice for threat actors targeting specific countries and targets (e.g., companies in a particular country).
- In H2 2023, ESET detected multiple AceCryptor+Rescoms campaigns in European countries, mainly Poland, Bulgaria, Spain, and Serbia.
- The threat actor behind these campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible.
- The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in case of a successful compromise would open possibilities for further attacks.
AceCryptor in H2 2023
In the first half of 2023 ESET protected around 13,000 users from AceCryptor-packed malware. In the second half of the year, there was a massive increase of AceCryptor-packed malware spreading in the wild, with our detections tripling, resulting in over 42,000 protected ESET users worldwide. As can be observed in Figure 1, we detected several sudden waves of malware spreading. These spikes show multiple spam campaigns targeted at European countries where AceCryptor packed a Rescoms RAT (discussed further in the Rescoms campaigns section).

Furthermore, when we compare the raw number of samples: in the first half of 2023, ESET detected over 23,000 unique malicious samples of AceCryptor; in the second half of 2023, we saw and detected "only" over 17,000 unique samples. Even though this might be unexpected, after a closer look at the data there is a reasonable explanation. The Rescoms spam campaigns used the same malicious file(s) in email campaigns sent to a greater number of users, thus increasing the number of people who encountered the malware, but still keeping the number of different files low. This did not happen in previous periods, as Rescoms was almost never used in combination with AceCryptor. Another reason for the decrease in the number of unique samples is that some popular families apparently stopped (or almost stopped) using AceCryptor as their go-to CaaS. An example is Danabot malware, which stopped using AceCryptor; also, the prominent RedLine Stealer, whose users stopped using AceCryptor as much, based on a greater than 60% decrease in AceCryptor samples containing that malware.
As seen in Figure 2, AceCryptor still distributes, apart from Rescoms, samples from many different malware families, such as SmokeLoader, STOP ransomware, and Vidar stealer.

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye, where Peru, at 4,700, had the greatest number of attacks. Rescoms spam campaigns changed these statistics dramatically in the second half of the year. As can be seen in Figure 3, AceCryptor-packed malware affected mostly European countries. By far the most affected country is Poland, where ESET prevented over 26,000 attacks; this is followed by Ukraine, Spain, and Serbia. It is worth mentioning that in each of those countries ESET products prevented more attacks than in the most affected country in H1 2023, Peru.

AceCryptor samples that we observed in H2 often contained two malware families as their payload: Rescoms and SmokeLoader. A spike in Ukraine was caused by SmokeLoader. This fact was already mentioned by Ukraine's NSDC. On the other hand, in Poland, Slovakia, Bulgaria, and Serbia the increased activity was caused by AceCryptor containing Rescoms as a final payload.
Rescoms campaigns
In the first half of 2023, we saw in our telemetry fewer than 100 incidents of AceCryptor samples with Rescoms inside. During the second half of the year, Rescoms became the most prevalent malware family packed by AceCryptor, with over 32,000 hits. Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia (Figure 4).

Campaigns in Poland
Thanks to ESET telemetry we have been able to observe eight significant spam campaigns targeting Poland in H2 2023. As can be seen in Figure 5, the majority of them happened in September, but there were also campaigns in August and December.

In total, ESET registered over 26,000 of these attacks in Poland for this period. All spam campaigns targeted businesses in Poland and all emails had very similar subject lines about B2B offers for the victim companies. To appear as believable as possible, the attackers incorporated the following techniques into the spam emails:
- The email addresses they were sending spam emails from imitated domains of other companies. Attackers used a different TLD, changed a letter in a company name, or changed the word order in the case of a multi-word company name (this technique is known as typosquatting).
- Most noteworthy is that multiple campaigns involved business email compromise – attackers abused previously compromised email accounts of other company employees to send spam emails. In this way, even if the potential victim looked for the usual red flags, they were simply not there, and the email looked as legitimate as it could have.
- Attackers did their research and used existing Polish company names and even existing employee/owner names and contact information when signing these emails. This was done so that in the case where a victim tries to Google the sender's name, the search would be successful, which might lead them to open the malicious attachment.
- The content of spam emails was in some cases simpler but in many cases (like the example in Figure 6) quite elaborate. Especially these more elaborate versions should be considered dangerous, as they deviate from the standard pattern of generic text, which is often riddled with grammatical mistakes.
The email shown in Figure 6 contains a message followed by information about the processing of personal data performed by the alleged sender and the possibility to "access the content of your data and the right to rectify, delete, limit processing restrictions, right to data transfer, right to raise an objection, and the right to lodge a complaint with the supervisory authority". The message itself can be translated thus:
Dear Sir,
I am Sylwester [redacted] from [redacted]. Your company was recommended to us by a business partner. Please quote the attached order list. Please also inform us about the payment terms.
We look forward to your response and further discussion.
—
Best Regards,

Attachments in all campaigns looked quite similar (Figure 7). Emails contained an attached archive or ISO file named offer/inquiry (of course in Polish), in some cases also accompanied by an order number. That file contained an AceCryptor executable that unpacked and launched Rescoms.
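To make the two traits above concrete from the defender's side (the three typosquatting patterns listed in the Campaigns in Poland section, and the archive/ISO attachment wrapping an executable), here is an added example of a mail-triage check. It is not ESET's code and not part of the original post; the partner domains, sender addresses and message objects are constructed placeholders, and the `contains` field stands in for whatever archive inspection a gateway already performs (the file names reuse entries from the IoC table below).

```python
"""Triage of inbound mail against the campaign traits described above.

Added example, not code from ESET or the original post. It checks two things
a mail gateway or SOC script can verify offline:
  1. whether the sender domain imitates a known partner domain in one of the
     three typosquatting ways named in the post (different TLD, one changed
     letter, reordered words of a multi-word name), and
  2. whether the attachment is a container type seen in the campaigns
     (ISO/7z/ARJ) whose listed contents include an executable.
All domains, addresses and messages below are constructed placeholders.
"""

from itertools import permutations

# Constructed allow-list of partner domains (hypothetical companies).
KNOWN_PARTNER_DOMAINS = ["nowak-stal.pl", "kowalski-logistyka.pl", "acme-metal.com"]

# Container formats that appear as attachments in the IoC table.
CONTAINER_EXTENSIONS = {".iso", ".7z", ".arj"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd"}


def split_domain(domain):
    """'Nowak-Stal.pl' -> ('nowak-stal', 'pl'); 'x.co.uk' -> ('x', 'co.uk')."""
    name, _, tld = domain.lower().strip(".").partition(".")
    return name, tld


def edit_distance_one(a, b):
    """True if a and b differ by exactly one substitution, insertion, deletion
    or adjacent transposition (Damerau-Levenshtein distance of 1)."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    if abs(len(a) - len(b)) == 1:
        longer, shorter = (a, b) if len(a) > len(b) else (b, a)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False


def word_reorderings(name):
    """Every other ordering of a hyphen-separated multi-word name."""
    words = name.split("-")
    if len(words) < 2:
        return set()
    return {"-".join(p) for p in permutations(words)} - {name}


def classify_sender(sender_domain, known=KNOWN_PARTNER_DOMAINS):
    """'exact', 'unrelated', or the lookalike pattern plus the domain imitated."""
    s_name, s_tld = split_domain(sender_domain)
    if any(split_domain(k) == (s_name, s_tld) for k in known):
        return "exact"
    for k in known:
        k_name, k_tld = split_domain(k)
        if s_name == k_name:                      # same name under another TLD
            return f"tld-swap of {k}"
        if s_tld == k_tld and edit_distance_one(s_name, k_name):
            return f"one-char-edit of {k}"
        if s_tld == k_tld and s_name in word_reorderings(k_name):
            return f"word-reorder of {k}"
    return "unrelated"


def suspicious_attachment(attachment):
    """Flag a container (ISO/7z/ARJ) whose listed contents include an executable.
    'contains' is a constructed stand-in for the gateway's archive inspection."""
    name = attachment["name"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    inner = [f.lower() for f in attachment.get("contains", [])]
    has_exe = any(f[f.rfind("."):] in EXECUTABLE_EXTENSIONS for f in inner if "." in f)
    return ext in CONTAINER_EXTENSIONS and has_exe


def triage(message):
    """Return the list of reasons a message matches the campaign pattern."""
    reasons = []
    verdict = classify_sender(message["from"].rpartition("@")[2])
    if verdict not in ("exact", "unrelated"):
        reasons.append(f"sender domain is a {verdict}")
    for att in message.get("attachments", []):
        if suspicious_attachment(att):
            reasons.append(f"container attachment with executable inside: {att['name']}")
    return reasons


# Constructed sample messages (placeholder addresses; file names from the IoC table).
SAMPLE_MESSAGES = [
    {"from": "biuro@novak-stal.pl",
     "attachments": [{"name": "zapytanie.7z", "contains": ["zapytanie.exe"]}]},
    {"from": "sales@acme-metal.com",
     "attachments": [{"name": "oferta.pdf", "contains": []}]},
    {"from": "info@logistyka-kowalski.pl",
     "attachments": [{"name": "zamowienie_135200.iso", "contains": ["zamowienie.exe"]}]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or ["no campaign indicators"])
```

The sender check deliberately says nothing about a domain that is merely unknown: the campaigns' point was to look like an existing partner, so the signal worth alerting on is closeness to an allow-listed domain, not novelty. Note that it cannot help against the business email compromise case the post describes, where the mail really does come from the partner's own account; that is why the attachment check is kept independent of the sender verdict.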

Based on the behavior of the malware, we assume that the goal of these campaigns was to obtain email and browser credentials, and thus gain initial access to the targeted companies. While it is unknown whether the credentials were gathered for the group that carried out these attacks or whether the stolen credentials would later be sold to other threat actors, it is certain that a successful compromise opens the possibility for further attacks, especially the currently popular ransomware attacks.
It is important to state that Rescoms RAT can be bought; thus many threat actors use it in their operations. These campaigns are not only connected by target similarity, attachment structure, email text, or the tricks and techniques used to deceive potential victims, but also by some less obvious properties. In the malware itself, we were able to find artifacts (e.g., the license ID for Rescoms) that tie these campaigns together, revealing that many of these attacks were carried out by one threat actor.
Campaigns in Slovakia, Bulgaria, and Serbia
During the same time periods as the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. These campaigns also mainly targeted local companies, and we can even find artifacts in the malware itself tying these campaigns to the same threat actor that carried out the campaigns in Poland. The only significant thing that changed was, of course, the language used in the spam emails, adapted to those specific countries.
Campaigns in Spain
Apart from the previously mentioned campaigns, Spain also experienced a surge of spam emails with Rescoms as the final payload. Even though we can confirm that at least one of the campaigns was carried out by the same threat actor as in the previous cases, other campaigns followed a somewhat different pattern. Furthermore, even artifacts that were the same in previous cases differed in these and, because of that, we cannot conclude that the campaigns in Spain originated from the same place.
Conclusion
During the second half of 2023 we detected a shift in the usage of AceCryptor – a popular cryptor used by multiple threat actors to pack many malware families. Even though the prevalence of some malware families like RedLine Stealer dropped, other threat actors started using it or used it even more for their activities, and AceCryptor is still going strong. In these campaigns AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused, email accounts. Because opening attachments from such emails can have severe consequences for you or your company, we advise that you be aware of what you are opening and use reliable endpoint security software able to detect the malware.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of Indicators of Compromise (IoCs) can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
| --- | --- | --- | --- |
| 7D99E7AD21B54F07E857 | PR18213.iso | Win32/Kryptik.HVOB | Malicious attachment from spam campaign carried out in Serbia during December 2023. |
| 7DB6780A1E09AEC6146E | zapytanie.7z | Win32/Kryptik.HUNX | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| 7ED3EFDA8FC446182792 | 20230904104100858.7z | Win32/Kryptik.HUMX | Malicious attachment from spam campaign carried out in Poland and Bulgaria during September 2023. |
| 9A6C731E96572399B236 | 20230904114635180.iso | Win32/Kryptik.HUMX | Malicious attachment from spam campaign carried out in Serbia during September 2023. |
| 57E4EB244F3450854E5B | SA092300102.iso | Win32/Kryptik.HUPK | Malicious attachment from spam campaign carried out in Bulgaria during September 2023. |
| 178C054C5370E0DC9DF8 | zamowienie_135200.7z | Win32/Kryptik.HUMI | Malicious attachment from spam campaign carried out in Poland during August 2023. |
| 394CFA4150E7D47BBDA1 | PRV23_8401.iso | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Serbia during August 2023. |
| 3734BC2D9C321604FEA1 | BP_50C55_20230 | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Bulgaria during August 2023. |
| 71076BD712C2E3BC8CA5 | 20_J402_MRO_EMS | Win32/Rescoms.B | Malicious attachment from spam campaign carried out in Slovakia during August 2023. |
| 667133FEBA54801B0881 | 7360_37763.iso | Win32/Rescoms.B | Malicious attachment from spam campaign carried out in Bulgaria during December 2023. |
| AF021E767E68F6CE1D20 | zapytanie ofertowe.7z | Win32/Kryptik.HUQF | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| BB6A9FB0C5DA4972EFAB | 129550.7z | Win32/Kryptik.HUNC | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| D2FF84892F3A4E4436BE | Zamowienie_ andre.7z | Win32/Kryptik.HUOZ | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| DB87AA88F358D9517EEB | 20030703_S1002.iso | Win32/Kryptik.HUNI | Malicious attachment from spam campaign carried out in Serbia during September 2023. |
| EF2106A0A40BB5C1A74A | Zamowienie_830.iso | Win32/Kryptik.HVOB | Malicious attachment from spam campaign carried out in Poland during December 2023. |
| FAD97EC6447A699179B0 | lista zamówień i szczegółowe zdjęcia.arj | Win32/Kryptik.HUPK | Malicious attachment from spam campaign carried out in Poland during September 2023. |
| FB8F64D2FEC152D2D135 | Pedido.iso | Win32/Kryptik.HUMF | Malicious attachment from spam campaign carried out in Spain during August 2023. |
MITRE ATT&CK techniques
This table was built using version 14 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Reconnaissance | | Gather Victim Identity Information: Email Addresses | Email addresses and contact information (either bought or gathered from publicly available sources) were used in phishing campaigns to target companies across multiple countries. |
| Resource Development | | Compromise Accounts: Email Accounts | Attackers used compromised email accounts to send phishing emails in spam campaigns to increase the spam emails' credibility. |
| Resource Development | | Obtain Capabilities: Malware | Attackers bought and used AceCryptor and Rescoms for phishing campaigns. |
| Initial Access | | Phishing | Attackers used phishing messages with malicious attachments to compromise computers and steal information from companies in multiple European countries. |
| Initial Access | | Phishing: Spearphishing Attachment | Attackers used spearphishing messages to compromise computers and steal information from companies in multiple European countries. |
| Execution | | User Execution: Malicious File | Attackers relied on users opening and launching malicious files with malware packed by AceCryptor. |
| Credential Access | | Credentials from Password Stores: Credentials from Web Browsers | Attackers tried to steal credential information from browsers and email clients. |