
AceCryptor Malware

Numerous fresh infections linked to the AceCryptor tool have emerged, indicating a concerning trend. This tool, favored by attackers for its ability to camouflage malware and slip past conventional anti-malware defenses, has been used in a campaign aimed at organizations throughout Europe. Researchers who have monitored AceCryptor's activity for years observe a distinctive shift in this recent campaign: unlike prior instances, the attackers have broadened the range of malicious code packed with the tool, posing a heightened threat to targeted entities.

AceCryptor is Used for the Delivery of Harmful Late-Stage Threats

AceCryptor is commonly paired with malware such as Remcos or Rescoms, which serve as potent remote surveillance tools frequently employed in attacks against organizations in Ukraine. Alongside Remcos and the well-known SmokeLoader, researchers have now observed AceCryptor disseminating other malware strains, including variants of the STOP/Djvu Ransomware and the Vidar Stealer.

Moreover, researchers have noted distinct patterns in the targeted countries. While SmokeLoader was involved in attacks in Ukraine, incidents in Poland, Slovakia, Bulgaria and Serbia featured the use of Remcos.

In meticulously orchestrated campaigns, AceCryptor has been leveraged to target multiple European countries, aiming to extract sensitive information or establish initial access to various companies. The distribution of malware in these attacks often occurred through spam emails, some of which were remarkably convincing; occasionally, legitimate email accounts were hijacked and abused to send these misleading messages.

The primary objective of the latest operation is to acquire email and browser credentials intended for further assaults against the targeted companies. Notably, the majority of recorded AceCryptor incidents have served as the initial point of compromise in these attacks.

AceCryptor's Targets Have Shifted Throughout 2023

In the first six months of 2023, the countries primarily impacted by AceCryptor-packed malware were Peru, Mexico, Egypt, and Turkey, with Peru bearing the brunt at 4,700 attacks. However, in a notable shift during the latter half of the year, the attackers redirected their focus towards European nations, particularly Poland, which endured over 26,000 attacks. Ukraine, Spain and Serbia were also subjected to thousands of attacks.

Over the latter half of the year, Rescoms emerged as the predominant malware family distributed via AceCryptor, with over 32,000 incidents. Poland accounted for more than half of these occurrences, followed by Serbia, Spain, Bulgaria and Slovakia.

Attacks targeting Polish businesses shared similar subject lines, often masquerading as B2B offers relevant to the targeted companies. The attackers used genuine Polish company names and the identities of existing employees in their emails to lend credibility. The motives behind these attacks remain ambiguous; it is uncertain whether the attackers aim to use the stolen credentials themselves or sell them to other threat actors.

Presently, the available evidence does not definitively attribute the attack campaigns to a specific source. However, it is worth noting that hackers affiliated with the Russian government have recurrently employed Remcos and SmokeLoader in their operations.
