|
Each time organizations shore up their network defenses, cybercriminals devise new and innovative ways to up the cyber attack ante. That’s actually the rationale behind malware crypting—the process of making malicious programs, apps, and files appear harmless to anti-malware and intrusion detection solutions. And given the huge threat malware crypting could pose to even the most secure networks, many in the cybersecurity community are strongly recommending a clampdown on the actors and sites that offer them.
In an effort to make the Internet safer, WhoisXML API recently took a DNS dive deep to find connections to malware crypting. First, we expanded a list of eight domains identified as malware crypting indicators of compromise (IoCs) related to the threat. Second, we conducted research specific to AceCryptor, which has been dubbed as one of the most prolific crypters out in the market today.
Read on to know more about our findings, including:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our in-depth analysis with a bulk WHOIS lookup for the IoCs Krebs identified, which led to the following discoveries:
A bulk IP geolocation lookup for the host IP addresses, meanwhile, revealed that:
To further our investigation, we looked for DNS traces connected to the malware crypting-related IoCs.
A reverse IP lookup for the dedicated IP address led to the discovery of two connected domains that remained live to this day.
Next, we noticed the presence of two strings that could potentially point to malware crypting sites in two of the domains identified as IoCs—mobile-soft and cryptor. Domains & Subdomains Discovery searches for these uncovered 786 domains created since 1 January 2023, two of which were classified as malicious by a bulk malware check tool.
To gain more insights on what has been dubbed the top crypter today, we obtained a list of AceCryptor-related IoCs comprising seven domains and three IP addresses.
A bulk WHOIS lookup for the domains tagged as IoCs showed that only four had retrievable WHOIS records. Of these, two were registered with GoDaddy.com, LLC and one each with OnlineNIC, Inc. and Namecheap, Inc. All four were aged, having been created between 2005 and 2016 across four countries—two in the U.S. and one each in Afghanistan and Iceland.
Next, we subjected the domains to DNS lookups that revealed they resolved to five unique IP addresses, none of which were included in the current list of AceCryptor IoCs. Reverse IP lookups for them showed that two of the IP addresses were dedicated and another two were possibly dedicated. In addition, two of the IP hosts were categorized as malicious by a malware check tool.
The reverse IP lookups also led to the discovery of 279 domains, 17 of which were deemed malicious by a malware check tool. In addition, 13 of them continued to host live content although none looked like malicious sites. Here are some examples.
We are bound to see more crypter-aided cyber attacks in the future, given the cloak of invisibility the solution provides to any malicious website.
Our latest DNS deep dive into general malware crypting services, for instance, uncovered 786 potentially connected artifacts while that for leading service AceCryptor led to the discovery of nearly 300 DNS-connected properties.
If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byRadix