FULL Origated Crypter FUD
Kanisha Dezarn
As described in our previous report, crypters, which are also referred to as loaders or packers, are applications designed to encrypt and obfuscate malware to evade detection by antivirus (AV) scanners and hinder analysis. Crypters generally operate by encrypting the pre-compiled malware payload and embedding it within a secondary binary, which we refer to as a loader. The loader contains code to decrypt and execute the malicious payload, and may also include additional sandbox-evasion or anti-analysis functions. The loaders are often designed to evade AV and signature-based detection, and will often make use of obfuscation and code-morphing techniques that render each compiled loader different from a code perspective, increasing the challenge of writing effective signatures. The use of crypters allows malware developers to easily experiment with different methods of evading antivirus detection without having to make changes to the malware itself.
Over the past year, we also identified some noteworthy trends regarding crypter use on malware, including their use with several new malware families. Previously, the crypters were used predominately with the core malware families associated with ITG23 and their close partners; this included Trickbot, Emotet, BazarLoader, IcedID, CobaltStrike, and the Ryuk, Conti, and Quantum ransomware strains. However, the fracturing of ITG23 and emergence of new factions, relationships, and methods, have affected how the crypters are used.
In April 2022, we observed the first use of an ITG23 crypter with the Gozi banking trojan, which we linked back to a campaign operated by Hive0106 (TA551) with whom ITG23 had an established relationship. Like Qakbot, crypted Gozi payloads have increased steadily throughout the past year, during which we have observed crypters such as Hexa, Forest, Snow, Lore and Dave used on Gozi malware, most often with LDR4 and Cutwail botnet distributions. Interestingly, in 2023 we also observed the Dave and Forest crypters used with Pushdo, a downloader tied to the Cutwail botnet.
From June 2022 onwards, we began to see an uptick in new malware families being used with the crypters, likely a consequence of the shutdown of the Conti ransomware strain and the emergence of the new factions. Some of these factions likely forged new relationships with other criminal gangs, in turn leading to the testing and use of new malware, such as SVCReady, CargoBay, and Matanbuchus, on which we have observed crypters such as Hexa and Dave deployed.
In 2023, this trend continued and we observed ITG23-related crypters deployed on a range of new malware, reflecting the continued focus on building new relationships with other threat actors to purchase and use new malware strains. These new families included information stealers (Lumma C2, Vidar), backdoors/downloaders (Aresloader, Canyon), and malware acquired from FIN7 developers such as Minodo and Diceloader.
More information on the crypters and associated malware can be found in the below sections. The following table also provides an overview of the current status of the core ITG23-related crypters that we track.
Forest was first seen in March 2022 when it was used predominantly with the newly released Bumblebee malware. To this day, Forest is one of the only ITG23 crypters configured for use with the Bumblebee malware, and it is likely that it was specifically designed for that purpose; however, its capabilities were soon expanded to handle additional payload types.
The Snow crypter was used almost exclusively with IcedID and Qakbot from its debut in December 2022 to May 2023, when we observed Snow being used for the first time to crypt Gozi LDR4 and Pikabot malware. We also identified a DLL in March 2023 which we determined to be the Snow loader converted from a payload loader into a downloader. The sample was attached to an email providing instructions about an extortion attempt and was described as an Active Directory listing of stolen information. We assess this modified Snow loader was used during a fake extortion campaign affiliated with Royal ransomware.
This variant of Snow is rarely seen, having been observed in use with only a handful of IcedID samples. The vast majority of malware activity utilising the Snow crypter uses the original version of the loader.
Dave is one of the oldest crypters still in use by ITG23-related actors and dates back to at least 2019 when it was used primarily with Emotet and Trickbot. Over the past few years, Dave has continued to be the preferred loader for Emotet malware, though it is common to see it used with a wide range of ITG23 related payloads, especially during time periods when Emotet is offline.
Tron first appeared in the wild in September 2021 when it was used to crypt Trickbot binaries followed by a number of other payloads including Emotet, Trickbot, BazarLoader, IcedID, Conti and CobaltStrike. Since our last report, ITG23-related actors have continued to use Tron fairly consistently, although it has not been observed as frequently as some of the other crypters.
Over the past year, Tron has primarily been used for crypting CobaltStrike and Metasploit stagers which are often linked to attacks leading to ransomware. Like other crypters, its use has not been restricted to a particular ITG23-related faction, as Tron-crypted malware has been observed in incidents linked to BlackBasta, Quantum, and Royal ransomware. In addition to CobaltStrike payloads, Tron has been used to crypt the BlackBasta ransomware itself and has been observed loading IcedID, most notably during campaigns targeting Ukraine in April 2022. It was also observed on a NetSupport sample used during a Royal ransomware attack.
Lore crypter has had low levels of use over the past year, with a large gap from June to December 2022. Since its reappearance, it has been used primarily with the forked variants of IcedID, and occasionally with Royal ransomware, Qakbot and Gozi.
Hexa crypter was first observed towards the end of 2021, with payloads including BazarLoader, Cobalt Strike, and Conti. Over the course of 2022 its use expanded to include malware such as IcedID, Qakbot, Gozi, Quantum ransomware, SVCReady, and Matanbuchus. Hexa was used particularly often with IcedID until December 2022 when the latter switched to using the Snow crypter along with Qakbot.
In addition to the ITG23-related crypters above, we are also tracking several additional loaders related to former ITG23 partners or factions. These include three loaders linked to the Qakbot group, which have been used regularly to deploy Qakbot malware; one linked to BlackBasta; and several others which appear to have been used exclusively by a BlackBasta-affiliated team to crypt their CobaltStrike samples.
In addition to these, we also track ITG23-related use of the CryptOne crypter, which has been used frequently with Qakbot. This is a Delphi-based crypter, which dates back to 2015, and is reportedly offered as a Crypter-As-A-Service. CryptOne has been used with a wide range of different malware families over the years including Gozi, Dridex, NetWalker, and WastedLocker. In 2019 it was observed with Emotet, and over the past couple of years it has been used heavily by Qakbot. CryptOne has also been recently used by former ITG23 actors to crypt malware other than Qakbot itself, including NetSupport used in an attack last fall as well as a Vidar infostealer from March 2023.
SharpDepositorCrypter appears to have originated as a loader for a .NET infostealer named SharpDepositor, which may explain the name found in PDB strings of early samples; however, it has evolved into a more complex loader and is no longer restricted to .NET payloads. The original version which loaded the .NET payload appears to have been based off a crypter named BrutoCrypt. It loaded a payload from the resources and decrypted it using AES.
The use of SharpDepositorCrypter (SDC)/OMCLoader appears to have decreased during 2023, and the BlackBasta ransomware has been seen increasingly using other crypters including Quixotic, Quicksand, Dave and Tron.
About a year ago, ITG23 ceased using its highly successful Conti ransomware strain after which its members and affiliates created or joined new ransomware operations such as Quantum, Royal, Zeon, and BlackBasta. Through the next year, these actors and their partners continued to use many of the same crypters initially developed by ITG23, providing evidence of their continued close relationships.
Over the past several months, Cisco Talos has seen attackers carrying out ongoing email-based malware distribution campaigns to distribute various malware payloads. These email campaigns feature several notable characteristics that appear designed to evade detection and maximize the effectiveness of these campaigns. The use of web-based contact forms, legitimate hosting platforms, and a specific crypter make analysis and detection more difficult. All of the malware samples associated with these campaigns feature a modified DOS header containing the string "Salfram," making them extremely easy to track over time. The crypter used in these campaigns is undergoing active development and improvements to obfuscate the contents of malware payloads. Additionally, the crypter uses several effective techniques to make the detection and analysis of the final malware payload more difficult. It obfuscates the original payload binaries in a way that results in payloads that appear completely different from each other after being packed using the same crypter. It even takes a great amount of effort to compare the packed binaries in a disassembler and determine if the same packer was used.
We also discovered infection chains that deliver multiple payloads to a single victim as part of a multi-stage infection process. While the payload delivery features several distinct malware families, in all of the campaigns observed, the initial malware payloads used the same crypter, which obfuscates the malicious contents present in the binary executable and make analysis more difficult. As shown in Figure 5 these samples can be quickly observed as the packed samples feature a specific modification to the DOS stub:
05f2edc126