Each time organizations shore up their network defenses, cybercriminals devise new and innovative ways to up the cyber attack ante. That’s actually the rationale behind malware crypting—the process of making malicious programs, apps, and files appear harmless to anti-malware and intrusion detection solutions. And given the huge threat malware crypting could pose to even the most secure networks, many in the cybersecurity community are strongly recommending a clampdown on the actors and sites that offer them.

In an effort to make the Internet safer, WhoisXML API recently took a DNS dive deep to find connections to malware crypting. First, we expanded a list of eight domains identified as malware crypting indicators of compromise (IoCs) related to the threat. Second, we conducted research specific to AceCryptor, which has been dubbed as one of the most prolific crypters out in the market today.

Read on to know more about our findings, including:

• 786 domains that contained the same strings as those with IP connections to Krebs’s IoC list, two of which have been classified as malicious by a bulk malware check tool
• Four dedicated and possibly dedicated IP addresses to which some AceCryptor IoCs resolved, two of which have been categorized as malicious by a bulk malware check tool
• 279 domains hosted on the dedicated AceCryptor IP addresses, 17 of which have been dubbed malicious by a bulk malware check tool

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Part 1: Behind the Malware Crypting IoCs

We began our in-depth analysis with a bulk WHOIS lookup for the IoCs Krebs identified, which led to the following discoveries:

• Two domains were registered with PDR Ltd. while Dynadot, REGRU-RU, RU-CENTER-RU, and SALENAMES-RU each managed one domain.
• A majority of the domains were aged, created between 2006 and 2022.
• Three of the domain names were registered in the U.S.
• The domains resolved to eight unique IP addresses, one of which (138[.]201[.]203[.]122) turned out to be a dedicated host based on a reverse IP lookup.

A bulk IP geolocation lookup for the host IP addresses, meanwhile, revealed that:

• A majority of the IP addresses, five to be exact, pointed to the U.S. as their origin. One IP address each pointed to Germany, the Netherlands, and Russia.
• Four out of the five U.S.-geolocated IP addresses were managed by Cloudflare, Inc. while the remaining one fell under Trellian’s administration. The German, Dutch, and Russian IP addresses, meanwhile, were managed by Hetzner Online GmbH; Serverel, Inc.; and REG.RU, Ltd., respectively.

To further our investigation, we looked for DNS traces connected to the malware crypting-related IoCs.

A reverse IP lookup for the dedicated IP address led to the discovery of two connected domains that remained live to this day.

Next, we noticed the presence of two strings that could potentially point to malware crypting sites in two of the domains identified as IoCs—mobile-soft and cryptor. Domains & Subdomains Discovery searches for these uncovered 786 domains created since 1 January 2023, two of which were classified as malicious by a bulk malware check tool.

Part 2: AceCryptor Findings

To gain more insights on what has been dubbed the top crypter today, we obtained a list of AceCryptor-related IoCs comprising seven domains and three IP addresses.

A bulk WHOIS lookup for the domains tagged as IoCs showed that only four had retrievable WHOIS records. Of these, two were registered with GoDaddy.com, LLC and one each with OnlineNIC, Inc. and Namecheap, Inc. All four were aged, having been created between 2005 and 2016 across four countries—two in the U.S. and one each in Afghanistan and Iceland.

Next, we subjected the domains to DNS lookups that revealed they resolved to five unique IP addresses, none of which were included in the current list of AceCryptor IoCs. Reverse IP lookups for them showed that two of the IP addresses were dedicated and another two were possibly dedicated. In addition, two of the IP hosts were categorized as malicious by a malware check tool.

The reverse IP lookups also led to the discovery of 279 domains, 17 of which were deemed malicious by a malware check tool. In addition, 13 of them continued to host live content although none looked like malicious sites. Here are some examples.

We are bound to see more crypter-aided cyber attacks in the future, given the cloak of invisibility the solution provides to any malicious website.

Our latest DNS deep dive into general malware crypting services, for instance, uncovered 786 potentially connected artifacts while that for leading service AceCryptor led to the discovery of nearly 300 DNS-connected properties.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.