Lmst

#ESETResearch’s monitoring of #AceCryptor revealed a significant decrease in prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.

Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.

As for the malware families packed by the cryptor, we could yet again see the usual suspects such as #Rescoms, #Smokeloader, and #Stealc among the most delivered threats.

While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password protected archive.

Instead of the documents, the archive contained an AceCryptor executable packing the Racoon Stealer successor #RecordBreaker, which then exfiltrated the victim information to a C&C server with the IP address of 45[.]153[.]231[.]163.

Then on September 23, 2024 more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the #XWorm RAT 🪱🐀. As a C&C, XWorm RAT used easynation[.]duckdns[.]org.

The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: https://github.com/eset/malware-ioc/tree/master/ace_cryptor

Chart showing malware families using AceCryptor.

Example of email containing the malicious attachment.

Thousands of AceCryptor malware infections has surged in Europe.

AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing. Sometimes the spam was even sent from legitimate, but abused, email accounts.

https://www.helpnetsecurity.com/2024/03/20/acecryptor-attacks-increase/

#security #news #acecryptor #europe #press

ESET Research reports that AceCryptor use surged in the second half of 2023. This included Remcos RAT campaigns for the first time, using compromised accounts for credibility in phishing emails. AceCryptor + Remcos campaigns targeted Poland, Bulgaria, Spain, and Serbia. Campaigns were described, MITRE ATT&CK TTPs and IOC provided. 🔗 https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/

#AceCryptor #threatintel #IOC #Remcos #RemcosRAT #VidarStealer #Stopransomware #SmokeLoader

#AceCryptor

Client Info