‘Crypters’: An Overview
What are ‘crypters’?
A crypter is a piece of software designed to obfuscate or encrypt the underlying code in a piece of software, typically malware, for the purpose of subverting detection by Anti-Virus products.
Malware can be provided to the crypter software, whereby a new but altered malware file is then created that can then be used in the wild. Crypters are dangerous tools, and feature prevalently on underground cybercriminal networks, often being sold either as software or as a service.
Certain crypter software advertised through underground websites allow criminals without extensive technical knowledge to package malware with various options through graphical interfaces, with relative ease. Some of these options include selecting encryption methods, including metadata to masquerade as something harmless, and even selecting the target where the payload should be delivered. In addition, the use of this technique can prevent the embedded malware from being reverse engineered – this makes it more difficult to protect against future attacks from these malwares.
In a recently outlined example from the NCSC (pg. 23), under the pseudonym KillaMuvz, Goncalo Esteves sold custom made malware disguising products and offered technical support to users. Esteves called these products Cryptex Reborn and Cryptext Lite. Part of a family of crypters, they could be used by hackers to improve their chances of evading antivirus.
He sold them for use in packages that varied in price acording to the length of the licence. A month of Cryptext Lite cost US $7.99 (about £5) while a lifetime licence for Cryptext Reborn cost US $90 (about £60). Esteves provided customer support via a dedicated Skype account and accepted payment either in conventional currency, Bitcoin or in Amazon vouchers.
The NCA and TrendMicro worked collaboratively to take down these services, and Goncalo Esteves was sentenced to two years in prison in January 2018.
How do they work?
Many crypters advertise or self-proclaim themselves as being fully-undetectable, or ‘FUD’. This means that the algorithm or obfuscation techniques employed by the crypter developer are enough to cloak the true nature of the malware’s functionality, if only for a short amount of time.
To stay ahead of inevitable detection, many crypter authors will provide frequent updates to the crypter software, in the form of stub files. These contain the latest methods or algorithms used to augment the malware passed through to it, in an attempt to stay ahead of Anti-Virus companies detecting their methods and rolling out definitions to customers. Some crypter authors can update a stub file as often as every 12 / 24 hours in an attempt to evade detection. This functionality is effectively what you pay for when purchasing a fixed-length license of the crypter.
As part of a recent investigation, a crypter service was examined to demonstrate the effectiveness of such tools. The guinea-pig malware used was arguably the most ‘popular’ malware around today – WannaCry.
During testing, close to 70 Anti-Virus tools were used to scan against the file, with a respectable 61 of them detecting the file as dangerous, malicious software.
When WannaCry was processed through the crypter, the results were a different story. Less than half of the vendors products were able to detect the augmented code.
Interesting…so what do I do about this?
Crypters themselves are not the main source of potential damage, rather it is the malware that they aim to conceal that will deliver the actual payload. Usually, the ‘attack vectors’ will be broadly similar to many other malware oriented attacks, however it is the evasion of Anti-Virus software that makes this approach particularly potent. Organisations cannot rely on security products for complete protection. Here are some tips to to help mitigate the threats associated with crypters:
Educate Employees with Security Training and Awareness
Crypters can enable malware to pass through networks undetected to be delivered to potential victims. For this reason, education, security training and awareness are paramount to bolstering cyber resilience within organisations. Phishing is a highly common method of attack with a high yield for cyber criminals. Users need to be routinely educated as to the risks of opening unexpected and/or suspicious emails and links from unfamiliar sources. Similarly, it is also important that users question correspondence from familar addresses as well (we frequently encounter employees who have been socially engineered through spoofed internal email addresses).
Further technical controls for email security and anti-spoofing can be found in the published guidance section of the NCSC website.
If you are responsible for the administration of your organisation’s network, you should configure your staff accounts using the principle of ‘least privilege’. This means giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.
To further mitigate the damage that results from malware or loss of login details, ensure that your staff don’t browse the web or check emails from an account with Administrator privileges. An Administrator account is a user account that allows you to make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. So an attacker having unauthorised access to an Administrator account can be far more damaging than accessing a standard user account.
Updates, updates, updates
Making sure that your anti-virus software is constantly updated is vital to detecting crypters and the malware that is embedded within. In addition, a large percentage of malware will seek to exploit known vulnerabilities in systems and networks, so it is crucial that all IT services are frequently updated with the latest security patches for mitigation against malware attacks. Again, users need to be educated as to the importance of this aspect. Ensure that updates are allowed to be carried out, and that computers should be left on overnight to receive security patches.
The South West Regional Cyber Crime Unit is comprised of dedicated individuals who investigate serious cybercrime, offer advice and guidance to small businesses, and work with a range of partners to prevent people from engaging in cybercrime. For more articles and case studies like this, sign up to our Regional Cyber Briefing/ Cyber Intelligence Report, and follow us on LinkedIn and on Twitter (@swrccu).
We also have a node on the Cyber Security Information Sharing Partnership (CiSP), and we strongly encourage organisations to sign up for real time cyber threat information in a secure, confidential and dynamic environment https://www.ncsc.gov.uk/cisp.