
ESET Research reveals new analysis of AceCryptor: used by crimeware, it hits computers 10,000 times every month

  • ESET researchers publish details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families.
  • AceCryptor samples are very prevalent worldwide because multiple threat actors are actively using the cryptor malware to spread packed malware in their campaigns.
  • During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor.
  • Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. This amounts to over 10,000 hits every month.
  • Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware used to steal credit card credentials and sensitive data, upload and download files, and even steal cryptocurrency.
  • AceCryptor is heavily obfuscated and has multiple variants, and throughout the years, has incorporated many techniques to avoid detection.

BRATISLAVA — May 25, 2023 — ESET researchers revealed today details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families. This threat has been around since 2016 and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns. During 2021 and 2022, ESET telemetry recorded over 240,000 detections of this malware, which amounts to over 10,000 hits every month. It is likely sold on the dark web or underground forums, and tens of different malware families have used its services. Many rely on this cryptor as their main protection against static detection.

“For malware authors, protecting their creations against detection is challenging. Cryptors are the first layer of defense for malware that gets distributed. Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors, it often may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state. Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says ESET researcher Jakub Kaloč, who analyzed AceCryptor.

Among the malware families found to use AceCryptor, one of the most prevalent was RedLine Stealer – malware available for purchase on underground forums and used to steal credit card credentials and other sensitive data, upload and download files, and even steal cryptocurrency. RedLine Stealer was first seen in Q1 2022; its distributors have used AceCryptor since then and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloč.

During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor. Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. AceCryptor is heavily obfuscated and has incorporated many techniques to avoid detection throughout the years. “Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorizes Kaloč.

Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly via trojanized installers of pirated software or via spam emails carrying malicious attachments. Devices can also be exposed through malware already present on the machine that downloads a new AceCryptor-protected payload; for example, ESET has observed the Amadey botnet downloading an AceCryptor-packed RedLine Stealer.

Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. AceCryptor may have been dropped by other malware already running on a victim’s machine; alternatively, if the victim was compromised directly, for example by opening a malicious email attachment, the malware inside may itself have downloaded additional malware, so several malware families may be present simultaneously. AceCryptor has multiple variants and currently uses a multistage, three-layer architecture.

Even though attribution of AceCryptor to a particular threat actor is not possible for now, ESET Research expects that AceCryptor will continue to be widely used. Closer monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.

For more technical information about AceCryptor, check out the blogpost “Shedding light on AceCryptor and its operation” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Heatmap of countries affected by AceCryptor according to ESET telemetry

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Legitimate Android app iRecorder turns malicious within a year, spies on its users, ESET Research discovers

  • As a Google App Defense Alliance partner, ESET detected a trojanized app available on the Google Play Store and named the AhMyth-based malware it contained AhRat.
  • Initially, the iRecorder app did not have any harmful features. Unusually, the application received an update containing malicious code several months after its launch.
  • The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
  • The malicious app with over 50,000 downloads was removed from Google Play after ESET Research’s alert; ESET has not detected AhRat anywhere else in the wild.

BRATISLAVA, KOŠICE — May 23, 2023 — ESET researchers have discovered a trojanized Android app named iRecorder – Screen Recorder. It was available on Google Play as a legitimate app in September 2021, with malicious functionality most likely added in August 2022. During its existence, the app was installed on more than 50,000 devices. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what ESET named AhRat. The malicious app is capable of recording audio using the device’s microphone and stealing files, suggesting it might be part of an espionage campaign.

Apart from the Google Play Store, ESET Research has not detected AhRat anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on the official store; ESET previously published research on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice as a malicious app providing radio streaming. The iRecorder app can also be found on alternative and unofficial Android markets, and the developer also provides other applications on Google Play, but those do not contain malicious code.

“The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update, or that a malicious actor introduced this change in the app, so far we have no evidence for either of these hypotheses,” explains ESET researcher Lukáš Štefanko, who discovered and investigated the threat.

The remotely controlled AhRat is a customization of the open-source AhMyth RAT, which means that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.

Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control server. It can also exfiltrate from the device files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files.

Android users who installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app, either manually or automatically. No further permission prompt was needed, since the malicious code reuses permissions the legitimate recording feature already held.

“Fortunately, preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of app hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended. The malicious app was removed from Google Play after our alert, which confirms that the need for protection to be provided through multiple layers, such as ESET Mobile Security, remains essential for safeguarding devices against potential security breaches,” concludes Štefanko.

ESET Research has not yet found any concrete evidence that would enable the attribution of this activity to a particular campaign or APT group.

For more technical information about the malicious iRecorder app and AhRat, check out the blogpost “Android app breaking bad: From legitimate screen recording to file exfiltration within a year” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


Traveling your Zero Trust journey with ESET

Zero Trust seeks to transform how we secure business processes but not to the detriment of people 

In one sense, preaching under the banner of “Zero Trust” can feel misleading because if you don’t really trust anyone, you had better close up shop. Can you run a business if you can’t trust your employees, at least to some degree? If that banner were to read “Zero Unverified Trust”, that would explain itself much better, even if it is a less catchy phrase, because it clearly denotes that trust should be verified.

Traditionally, trust was granted rather freely to employees within the perimeter of a business’s network. Revelations of international hacking attempts and incidents like the Morris worm in the 1980s were a strong reminder to IT administrators of the need to lock down access at their network perimeters. In subsequent decades, however, cloud infrastructure became increasingly popular, blurring the concept of a perimeter and making a perimeter-only security approach increasingly unfit.

The concept of Zero Trust originated in 2009 when Forrester pointed out the need for a better approach to handling trust and, thus, for a new security model to replace the traditional perimeter-based approach. Despite the unqualified use of the term “zero”, the goal of the Zero Trust model is not to revoke all trust, but to consider more carefully when to give trust, and then monitor the trust that is given, along with the time and resources given it.

Challenges to implementing Zero Trust

The main contribution of the Zero Trust model is its call to verify and constantly reevaluate the trust given. To achieve this, at least two challenges must be addressed.

First, trust controls may fail to account for employees’ workflows fully or cause frustration if employees or clients feel they deserve more trust. Trust is complex because human behavior is complex, the tools used are varied, and business processes, resources, and staff can change frequently or unexpectedly.
For trust policies not to cause disruption, IT admins need to tailor them to the business’s processes, test them before deployment, and monitor them assiduously. This will require the IT staff to understand the business better.

Second, the business may lack the budget to invest in technologies that help enforce, monitor, and reevaluate the trust assigned. But even if the budget is lacking, there’s a good chance that existing tools and resources can be repurposed à la Zero Trust.

For example, IT admins can increase the collection of logs about user activity and access to company resources, analyze the logs to understand normal patterns and spot anomalies, or fine-tune the permissions and configurations in existing tools. Even if you have already taken these steps, you can do them again with a Zero Trust vision in mind – thinking about how to grant trust only to specific resources and for a specified time, and, as much as possible, how to monitor that trust once given. This should lead to different practical outcomes that can improve the business’s security posture.
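A concrete shape for “grant trust only to specific resources and for a specified time, then monitor it”, as an added example and not ESET’s or any product’s code: a small Go policy evaluator in which every grant names one subject, one resource, an expected source network and an expiry, with deny as the default. The same evaluator is then re-run over constructed access-log lines so that expired grants, off-network sources, ungranted resources and off-hours use surface as review findings. The log format, the grants themselves and the 07:00–19:00 UTC working window are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Grant is a time-bounded, resource-scoped trust decision (a hypothetical
// structure, not any product's schema): the subject may reach one resource
// from one source network until Expires.
type Grant struct {
	Subject  string
	Resource string
	Network  string // CIDR the subject is expected to come from
	Expires  time.Time
}

// Request is one access attempt as recorded in an access log.
type Request struct {
	At       time.Time
	Subject  string
	Resource string
	SourceIP string
}

// Decision is the outcome of evaluating a request; Reason is kept for the log.
type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate looks for a grant matching (subject, resource) and checks that it
// is unexpired and that the source IP lies inside the expected network.
// Anything not explicitly granted is denied.
func Evaluate(grants []Grant, r Request) Decision {
	ip, err := netip.ParseAddr(r.SourceIP)
	if err != nil {
		return Decision{false, "unparseable source ip"}
	}
	for _, g := range grants {
		if g.Subject != r.Subject || g.Resource != r.Resource {
			continue
		}
		if !r.At.Before(g.Expires) {
			return Decision{false, "grant expired"}
		}
		pfx, err := netip.ParsePrefix(g.Network)
		if err != nil || !pfx.Contains(ip) {
			return Decision{false, "source outside expected network"}
		}
		return Decision{true, "within grant"}
	}
	return Decision{false, "no grant for subject/resource"}
}

// ParseLog reads constructed lines of the assumed form
// "<RFC3339 time> <subject> <resource> <source ip>".
func ParseLog(log string) ([]Request, error) {
	var out []Request
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Request{At: t, Subject: f[1], Resource: f[2], SourceIP: f[3]})
	}
	return out, nil
}

// Review re-evaluates every logged request against the grants and returns one
// finding per request that should draw an analyst's eye: anything denied, and
// anything allowed outside the assumed 07:00-19:00 UTC working window.
func Review(grants []Grant, reqs []Request) []string {
	var findings []string
	for _, r := range reqs {
		d := Evaluate(grants, r)
		h := r.At.UTC().Hour()
		switch {
		case !d.Allow:
			findings = append(findings, fmt.Sprintf("%s DENY %s->%s from %s: %s",
				r.At.Format(time.RFC3339), r.Subject, r.Resource, r.SourceIP, d.Reason))
		case h < 7 || h >= 19:
			findings = append(findings, fmt.Sprintf("%s ALLOW-OFFHOURS %s->%s from %s",
				r.At.Format(time.RFC3339), r.Subject, r.Resource, r.SourceIP))
		}
	}
	return findings
}

// Constructed grants and log lines for the example.
var grants = []Grant{
	{"alice", "fileserver", "10.20.0.0/16", time.Date(2023, 5, 31, 0, 0, 0, 0, time.UTC)},
	{"bob", "hr-db", "10.20.0.0/16", time.Date(2023, 5, 10, 0, 0, 0, 0, time.UTC)},
}

const sampleLog = `
2023-05-25T09:15:00Z alice fileserver 10.20.4.17
2023-05-25T03:40:00Z alice fileserver 10.20.4.17
2023-05-25T10:02:00Z alice hr-db 10.20.4.17
2023-05-25T11:30:00Z bob hr-db 10.20.7.2
2023-05-25T12:00:00Z alice fileserver 203.0.113.9
`

func main() {
	reqs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Review(grants, reqs) {
		fmt.Println(f)
	}
}
```

Of the five constructed requests only the first passes silently; the others produce an off-hours finding, a denial for an ungranted resource, a denial for an expired grant and a denial for an unexpected source network. The point of re-running the evaluator over the log, rather than only at access time, is the monitoring half of the Zero Trust idea: a grant that was correct when issued can still be misused, and the record of what was allowed is where that shows up.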

Supporting your Zero Trust journey

ESET’s security technologies can support organizations from small businesses to large enterprises on their road to Zero Trust. An easy way to depict the comprehensiveness of the support we provide is with the following pyramid:

The pyramid sits on a bedrock layer made up of the ESET PROTECT Platform and Support Services. ESET PROTECT consists of various slices from ESET’s suite of protective technologies depicted in the pyramid’s layers above. Support services make ESET’s experts available to your staff to help ensure the best configuration of ESET products for your particular security needs and environment.

Using a pyramid can help to visualize your level of investment into technologies that support Zero Trust. Roughly speaking, the technologies at a higher layer either build on or extend the protection of those at a lower layer. Let’s quickly go through the layers from bottom to top.

The lowest layer contains technologies indispensable for business security, like endpoint protection; therefore, we characterize this as essential protection. At the extended protection layer, we find technologies to help address specific business security needs or fend off advanced threats.

Detection and response, the next layer up, is a game changer because it flips a business’s security posture from reactive to proactive. With ESET’s detection and response tool – ESET Inspect – deployed, security defenders are empowered to monitor and investigate low-level events happening on endpoints in their network.

Finally, the pyramidion at the peak of the pyramid, called threat intelligence, contains threat data feeds and advanced persistent threat (APT) reports. These reports are chock-full of research and technical analysis of new threats, available by subscription only.

In short, the pyramid above lays out some of the technologies that should accompany an organization’s Zero Trust journey. Of course, every company has its own needs fueled by local regulations, the nature of the business, the available IT security budget, and the current state of its IT infrastructure – meaning that your investment in the ESET PROTECT platform serves as no more than a rough guide on what is necessarily a bespoke security journey. What the ESET PROTECT offering does make clear is that it can be a reliable partner at multiple stages of this journey.


ESET Research: Chinese-speaking Evasive Panda group spreads malware via updates of legitimate apps and targets NGO in China

  • Users in mainland China at an international NGO were targeted with malware delivered through updates for software developed by Chinese companies.
  • With high confidence, we attribute this activity to the Chinese-speaking Evasive Panda APT group.
  • The backdoor MgBot is used for cyberespionage.

BRATISLAVA, MONTREAL — April 26, 2023 — ESET researchers have discovered a campaign conducted by the APT group known as Evasive Panda, in which update channels of legitimate Chinese applications were hijacked to also deliver the installer for the MgBot malware, Evasive Panda’s flagship cyberespionage backdoor. Chinese users were the focus of this malicious activity, which ESET telemetry shows started in 2020. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces. The majority of the Chinese victims are members of an international non-governmental organization (NGO).

In January 2022, ESET Research discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor and that the same malicious actions had already taken place as far back as 2020 with several other legitimate applications developed by Chinese companies.

“Evasive Panda uses a custom backdoor known as MgBot that has seen little evolution since its discovery in 2014. To the best of our knowledge, the backdoor has not been used by any other group. Therefore, we attribute this activity to Evasive Panda with high confidence,” says ESET researcher Facundo Muñoz, who discovered this latest campaign. “During our investigation, we discovered that when performing automated updates, several legitimate application software components also downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” explains Muñoz.

When ESET researchers analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, two scenarios stood out: supply-chain compromises, and adversary-in-the-middle (AitM) attacks.

“Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users in order to deliver the malware, and filtering out non-targeted users and delivering them legitimate updates. This is because we registered cases where legitimate updates were downloaded through the same abused protocols,” says Muñoz. “On the other hand, AitM approaches to interception would be possible if the attackers were able to compromise vulnerable devices such as routers or gateways and the attackers could have gained access to ISP infrastructure”.
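Both scenarios the researchers weigh, a compromised update server and an adversary-in-the-middle, deliver a different file over the legitimate URL, so nothing the transport layer checks can tell the client apart. The control that defeats both is an updater that refuses anything not signed by a release key pinned in the client. The Go example below is added here and is not Tencent’s, NetEase’s or ESET’s code; the manifest format, its field names and the choice of Ed25519 are assumptions made for the illustration, and the installer bytes are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor the server hands the client:
// the version, the SHA-256 of the installer, and a signature by the vendor's
// offline release key over both fields.
type Manifest struct {
	Version   string
	SHA256    string
	Signature []byte
}

// signedBytes is the exact byte string the release key signs; the fixed
// prefix keeps the signature from being reused for any other message type.
func signedBytes(version, sha string) []byte {
	return []byte("update-manifest-v1\n" + version + "\n" + sha + "\n")
}

// SignManifest is the vendor side. The private key never reaches the update
// servers, so compromising a server yields no ability to sign a manifest.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	sha := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: sha, Signature: ed25519.Sign(priv, signedBytes(version, sha))}
}

// VerifiedApply is the hardened client step. The release public key is pinned
// in the client binary, so an installer swapped on the server or by an
// adversary-in-the-middle is rejected even though it arrived over the
// legitimate URL and, for all TLS can tell, from the legitimate host.
func VerifiedApply(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil // only here would a real client write the installer to disk and run it
}

// Scenario plays out three deliveries over the same channel: the genuine one,
// a swapped installer served with the genuine manifest, and a swapped
// installer with a manifest re-signed by the attacker's own key.
func Scenario() (legit, swapped, resigned error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed stand-in for the real installer bytes")
	m := SignManifest(priv, "2.1.0", installer)
	legit = VerifiedApply(pub, m, installer)

	trojan := []byte("constructed stand-in for a backdoor installer")
	swapped = VerifiedApply(pub, m, trojan)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned = VerifiedApply(pub, SignManifest(attackerPriv, "2.1.0", trojan), trojan)
	return legit, swapped, resigned
}

func main() {
	legit, swapped, resigned := Scenario()
	fmt.Println("genuine update:", legit)
	fmt.Println("swapped installer:", swapped)
	fmt.Println("attacker-signed manifest:", resigned)
}
```

The weak client this replaces simply executes whatever the update URL returns, which is exactly what lets either scenario in the quote succeed. Two caveats a practitioner should keep in view: the signed manifest protects against substitution at the server or in transit, but not against a compromise of the vendor’s build or signing pipeline (the 3CX case described later on this page is that situation), and a client cannot by itself detect selective delivery, where targeted users are served a different, validly signed file than everyone else; that calls for comparing what different clients received.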

MgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised machine. The functionalities of the backdoor include recording keystrokes; stealing files, credentials, and content from the Tencent messaging apps QQ and WeChat; and capturing both audio streams and text copied to the clipboard.

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. One victim of this campaign was verified to be located in Nigeria and was compromised through the Chinese software Mail Master by NetEase.

For more technical information about the latest Evasive Panda campaign, check out the blogpost “Evasive Panda APT group delivers malware via updates for popular Chinese software” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Map of China showing where users were targeted



ESET Research discovers new Lazarus DreamJob campaign and links it to phone provider 3CX supply-chain attack

  • ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users.
  • Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure.
  • ESET reconstructed the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy up until the final backdoor payload.
  • Similarities with this latest Linux backdoor link it with high confidence to the 3CX supply-chain attack. 3CX is an international VoIP software developer and distributor that provides phone system services.
  • 3CX was compromised and its software was used in a supply-chain attack driven by external threat actors to distribute additional malware to specific 3CX customers. The attack had been planned well in advance – as early as December 2022.

BRATISLAVA, PRAGUE — April 20, 2023 — ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. ESET Research was able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy up until the final payload: the SimplexTea Linux backdoor, distributed through an OpenDrive cloud storage account. This is the first time this major North Korea–aligned threat actor has been seen using Linux malware as part of this operation. Similarities with this newly discovered Linux malware corroborate the theory that the infamous North Korea–aligned group is behind the 3CX supply-chain attack.

“This latest discovery provides corroborating evidence and reinforces our high level of confidence that the recent 3CX supply-chain attack was in fact conducted by Lazarus – a link that was suspected from the very beginning and demonstrated by several security researchers since,” says ESET researcher Peter Kálnai, who investigates Lazarus activities.

3CX is an international VoIP software developer and distributor that provides phone system services to many organizations. According to its website, 3CX has more than 600,000 customers and 12 million users in various sectors, including aerospace, healthcare, and hospitality. It provides client software to use its systems via a web browser, mobile app, or a desktop application. Late in March 2023, it was discovered that the desktop application for both Windows and macOS contained malicious code that enabled a group of attackers to download and run arbitrary code on all machines where the application was installed. 3CX itself was compromised and its software was used in a supply-chain attack driven by external threat actors to distribute additional malware to specific 3CX customers.

The perpetrators had planned the attacks long before execution – as early as December 2022. This suggests that they already had a foothold inside 3CX’s network late last year. Several days before the attack was publicly revealed, a mysterious Linux downloader was submitted to VirusTotal. It downloads a new Lazarus backdoor for Linux, SimplexTea, which connects to the same Command & Control server as payloads involved in the 3CX compromise.

“This compromised software, deployed on various IT infrastructures, allows the download and execution of any kind of payload, which can have devastating impacts. The stealthiness of a supply-chain attack makes this method of distributing malware very appealing from an attacker’s perspective, and Lazarus has already used this technique in the past,” explains Kálnai. “It is also interesting to note that Lazarus can produce and use native malware for all major desktop operating systems: Windows, macOS, and Linux,” adds Marc-Etienne M.Léveillé, ESET researcher who helped with the research.

Operation DreamJob is the name for a series of campaigns where Lazarus uses social engineering techniques to compromise its targets, with fake job offers as the lure. On March 20, a user in the country of Georgia submitted to VirusTotal a ZIP archive called HSBC job offer.pdf.zip. Given other DreamJob campaigns by Lazarus, this payload was probably distributed through spearphishing or direct messages on LinkedIn. The archive contains a single file: a native 64-bit Intel Linux binary written in Go and named HSBC job offer․pdf. Note that the character before “pdf” in that filename is the Unicode ONE DOT LEADER (U+2024), not a period, so the file has no real extension and only looks like a PDF.
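A triage check for a lure shaped like this one, as an added example rather than ESET’s tooling: it opens a ZIP archive, flags member names in which the apparent “.” before the extension is a lookalike code point such as U+2024 ONE DOT LEADER, and classifies each member by its magic bytes rather than its name, so an ELF binary posing as a PDF is reported. The sample archive is constructed in memory with a filler body in place of any real binary, and the member name assumes the one-dot-leader reading of the filename described above.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Finding lists why one archive member deserves a second look.
type Finding struct {
	Name    string
	Reasons []string
}

// dotLookalikes render like '.' and make "offer․pdf" read as a PDF although
// the name carries no real extension. U+2024 is the case described above;
// the other two are common substitutes assumed here for completeness.
var dotLookalikes = map[rune]string{
	'\u2024': "ONE DOT LEADER",
	'\u00B7': "MIDDLE DOT",
	'\uFF0E': "FULLWIDTH FULL STOP",
}

// classify identifies content by magic bytes, ignoring the name entirely.
func classify(head []byte) string {
	switch {
	case bytes.HasPrefix(head, []byte{0x7f, 'E', 'L', 'F'}):
		return "ELF executable"
	case bytes.HasPrefix(head, []byte("MZ")):
		return "PE executable"
	case bytes.HasPrefix(head, []byte("%PDF")):
		return "PDF"
	}
	return "other"
}

// TriageZip inspects every member and reports lookalike dots in the name,
// executable content, and the combination that defines this lure: a name that
// ends like a document over an executable body.
func TriageZip(archive []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range zr.File {
		var reasons []string
		for _, r := range f.Name {
			if desc, ok := dotLookalikes[r]; ok {
				reasons = append(reasons, fmt.Sprintf("name contains U+%04X %s in place of '.'", r, desc))
			}
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, 4)
		n, _ := io.ReadFull(rc, head) // members shorter than 4 bytes are fine; n bytes are valid
		rc.Close()
		kind := classify(head[:n])
		lower := strings.ToLower(f.Name)
		docLike := strings.HasSuffix(lower, "pdf") || strings.HasSuffix(lower, "docx")
		if strings.HasSuffix(kind, "executable") {
			reasons = append(reasons, "content is "+kind)
			if docLike {
				reasons = append(reasons, "document-looking name over executable content")
			}
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Name: f.Name, Reasons: reasons})
		}
	}
	return out, nil
}

// buildSample constructs, in memory, an archive shaped like the described
// lure: one member named "HSBC job offer" + U+2024 + "pdf" whose body starts
// with an ELF header (the rest is filler, not a real binary), plus a harmless
// text file to show that clean members produce no finding.
func buildSample() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("HSBC job offer\u2024pdf")
	w.Write(append([]byte{0x7f, 'E', 'L', 'F', 2, 1, 1, 0}, []byte("filler, not a real binary")...))
	w2, _ := zw.Create("readme.txt")
	w2.Write([]byte("plain text"))
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := TriageZip(buildSample())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%q\n", f.Name)
		for _, r := range f.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

The decisive signal is the name-versus-content mismatch, not the lookalike character by itself: legitimate archives from non-English sources routinely contain non-ASCII names, so the check keys on a handful of dot substitutes and on magic bytes rather than treating any non-ASCII name as suspicious.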

For more technical information about the latest Lazarus DreamJob campaign and links to the 3CX supply-chain attack, check out the blog post “Linux malware strengthens links between Lazarus and the 3CX supply-chain attack” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

