AceCryptor Malware-Packer Has Been Detected in Over 240,000 Attacks
AceCryptor, a prominent crypter that has been used to pack a handful of malware strains since 2016, was detected 240,000 times between 2021 and 2022, averaging over 10,000 hits per month. Unlike packers, which use compression to obfuscate code, crypters use encryption to improve stealth and make reverse engineering harder. Researchers found AceCryptor wrapping prominent malware families including SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, Amadey, and more. AceCryptor is sold to threat actors in a crypter-as-a-service (CaaS) model and has been observed propagating a wide range of malware families on behalf of many different threat actors. Maintaining a private crypter that stays ahead of detection is both time-consuming and technically demanding, which pushes crimeware operators toward CaaS offerings to pack their malware. AceCryptor is heavily obfuscated, using a three-layer architecture in which each stage decrypts and unpacks the next before the final payload is launched, and it includes anti-VM, anti-debugging, and anti-analysis checks to evade detection. Payloads packed with AceCryptor are delivered through trojanized installers for pirated software, malicious links embedded in phishing emails, or by other malware that has already compromised the host.
Threat Actor Activity
Threat Actor Tied to Tortoiseshell Compromises Israeli Websites, Steals User Information
CISA Adds Critical Barracuda Networks ESG Vulnerability to their Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical vulnerability affecting Barracuda Networks devices to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies apply the update no later than June 16, 2023. The flaw, tracked as CVE-2023-2868, is an improper input validation bug in Barracuda Networks' Email Security Gateway (ESG) appliances, stemming from a failure to properly sanitize .tar file archives. A threat actor could exploit the vulnerability by supplying a maliciously crafted .tar file, achieving remote code execution (RCE) with the privileges of the ESG product. Barracuda Networks is a widely deployed vendor, serving more than 200,000 customers across the world. The CISA advisory states that these types of vulnerabilities "are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." Barracuda Networks has stated that all users it believes were impacted by exploitation of this vulnerability have been notified and given actions to take to mitigate the damage. Barracuda Networks pushed automatic patches on May 20 and 21, and CTIX analysts recommend that any administrators responsible for these devices confirm that the patches have been applied.
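The ESG bug above belongs to a broad class: an appliance accepts an attacker-controlled archive and trusts the member names it finds inside. The page does not describe Barracuda's actual parsing defect, so the following is an added, generic example (not Barracuda's code, and not tied to the specifics of CVE-2023-2868) of the kind of pre-extraction check a defender would want in front of any tar-processing pipeline: every member name is inspected for absolute paths, `..` traversal, shell metacharacters and control characters, and link entries before anything is extracted or handed to another program. The archive it scans is constructed in memory inside the block; the function names `check_member` and `audit_archive` are the example's own.

```python
from __future__ import annotations

import io
import re
import tarfile
from typing import Dict, List

# Characters that have no business in a legitimate archive member name and
# become dangerous when the name later reaches a shell or a path API.
_UNSAFE_CHARS = re.compile(r"[;&|`$<>\n\r\x00'\"\\]")


def check_member(member: tarfile.TarInfo) -> List[str]:
    """Return the reasons a tar member should be rejected (empty list = acceptable)."""
    reasons: List[str] = []
    name = member.name
    if name.startswith("/") or name.startswith("\\"):
        reasons.append("absolute path")
    # Normalise Windows-style separators before looking for traversal components.
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("path traversal component '..'")
    if _UNSAFE_CHARS.search(name):
        reasons.append("shell metacharacter or control character in name")
    if member.issym() or member.islnk():
        reasons.append("symlink/hardlink member")
    elif not (member.isfile() or member.isdir()):
        reasons.append("unsupported member type")
    return reasons


def audit_archive(data: bytes) -> Dict[str, List[str]]:
    """Scan an in-memory tar archive without extracting it.

    Returns a mapping of rejected member name -> list of reasons; an empty
    mapping means every member passed the checks.
    """
    findings: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reasons = check_member(member)
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member and four hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, payload: bytes = b"sample") -> None:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("report.txt")                 # benign
        add_file("../../outside.txt")          # traversal
        add_file("/abs/path.txt")              # absolute path
        add_file("config;extra.txt")           # shell metacharacter
        link = tarfile.TarInfo(name="link")    # symlink pointing outside the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp/target"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in audit_archive(build_sample_archive()).items():
        print(f"REJECT {name!r}: {', '.join(why)}")
```

The check runs over the archive's metadata only, so a hostile archive is refused before any file is written or any name is interpolated into a command; an appliance that instead extracts first and validates afterwards has already lost.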
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.