Avast Says OnionCrypter Has Been in Use Since 2016
Security researchers at Avast have discovered that more than 30 hacker groups have been using a malware crypter dubbed OnionCrypter.
A crypter is used for encrypting, obfuscating and manipulating malware to make detection more difficult. Hacker groups – including Lokibot, Zeus, AgentTesla and Smokeloader – have been using the recently discovered multilayer OnionCrypter since 2016, Avast says.
“Its widespread use and length of time in use make it a key malware infrastructure component,” says Avast threat researcher Jakub Kaloč. “We believe that likely the authors of OnionCrypter offer it as an encrypting service. Based on the uniqueness of the first layer, it is also safe to assume that authors of OnionCrypter offer the option of a unique stub file to ensure that encrypted malware will be undetectable.”
Avast says OnionCrypter, 32-bit software written in C++, has three layers:
- Layer 1: This outer layer has one main function, which varies based on the encrypted malware. For example, it can allocate and load data to memory, decrypt the loaded data and pass execution of the decrypted data to the second layer.
- Layer 2: This is a shell code that decrypts another layer. It uses a complex process, decrypting chunks of data according to size and then putting them together. When all the pieces have been decrypted and joined, execution is passed to the place where the decrypted data is stored and the crypter starts execution of the third layer.
- Layer 3: This layer uses the same decryption processes as the second layer to load important API functions to change permissions of memory. It then copies decrypted data and overwrites itself, after which the payload is injected into the crypter.
“OnionCrypter is a malware family which has been around for some time,” Kaloč notes. “Combined with the prevalence of this crypter and the fact that samples have such a unique first layer, it’s logical to assume that crypter wasn’t developed as a one-time thing. On the contrary, according to analysis of multiple samples and their capture date, it was possible to see multiple versions of some parts of OnionCrypter.”
Encryption as a Service
Some security experts say the demand for crypters and for encryption as a service is growing, with some facilitators offering free samples to entice customers. Some hackers have also been partnering with malware crypter services as part of their campaigns.
For instance, in 2018, the operators of the GandCrab ransomware-as-a-service affiliate operation announced their partnership with NTCrypt, a malware crypter service (see: GandCrab Ransomware Partners With Crypter Service).
Last year, Europol arrested the operators of the CyberSeal and Dataprotector encrypting services that enabled hackers to test their malware against antivirus tools (see: 2 Arrested for Operating Malware Encryption Service).