Criminal Services – Crypting

18 December 2015

In the world of cybercrime, malicious software (malware) plays an important role. But if you’re a cybercriminal, how do you keep your malware from being detected?

Financially motivated cybercriminals can use malware to facilitate fraud, as is the case with the currently very active credential-stealer malware, Dridex; or to commit extortion, as is the case for ransomware variants such as the recently active variant Cryptowall 4.0. And there are multiple other uses for malware such as generating fraudulent advertising revenue, or accessing individual computers to steal data or takeover the machine.

The proliferation and infection of these damaging programs is highly dependent on whether or not they can be detected by security controls such as commercial antivirus products and the need to ensure it is not detected has spawned its own industry dedicated to this endeavour.

I blogged recently about Counter-AV (CAV) services which assist in testing the stealth of malware files. Alongside these services, and sometimes affiliated to CAVs are “crypters” or ”crypting services.” These services are designed to take a piece of malware and run custom encryption routines, which makes the file appear differently to the piece of code which antivirus products recognise as “bad.” The files can then be tested against a CAV to see if commercial antivirus products recognise them.

Arrests were made in the UK last month of two people suspected of involvement with the (now defunct) CAV service refud[.]me, the announcements also included mention of a crypting service, “Cryptex Reborn.” Like refud[.]me, this service was also advertised on the notorious hackforums, a huge forum dedicated to hacking and previously associated with several other law enforcement initiatives such as the arrests of Blackshades remote access Trojan (RAT) users in May 2014.

A review of the product made in August this year on an associated website, gives the service five stars and reads more like a glowing movie write-up than something you’d expect for a malware service:

“Absolutely gorgeous…this crytper is amazing”

“the UI [user interface] is even more responsive, clean and beautiful than before”

According to the review, the program allowed users to choose one of nine different encryption algorithms, create fake messages to be shown to the victim and even had the option to apply certificates to files, to make the look as authentic as possible.

Cryptex 

Figure 1 - screenshot of Cryptex Reborn showing choice of algorithms

As with so many other criminal services available on the underground, services such as these are not hard to find. The review site lists six other crypting services on hackforums alone – and those are only the ones with reviews, not to mention those to be found on the countless other deep and dark web sites that advertise these services. Despite disclaimers that these services are only meant for security research or penetration testing, the stark reality is that they facilitate the infection of individuals and businesses and have the potential to cause significant and long-term impact.