Growing AceCryptor attacks in Europe

ESET Research has recorded a considerable increase in AceCryptor attacks, with detections tripling between the first and second halves of 2023.

In recent months, researchers registered a significant change in how AceCryptor is used, namely that the attackers spreading Rescoms (also known as Remcos) started utilizing AceCryptor, which was not the case beforehand.

Rescoms is a remote access tool (RAT) often used by threat actors for malicious purposes. AceCryptor is a cryptor-as-a-service that obfuscates malware to hinder its detection.

Based on the behavior of deployed malware, ESET researchers assume that these campaigns aimed to obtain email and browser credentials for further attacks against the targeted companies. Most AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries, including Central Europe (Poland, Slovakia), the Balkans (Bulgaria, Serbia), and Spain.

“In these campaigns, AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused, email accounts,” says ESET researcher Jakub Kaloč, who discovered the latest AceCryptor with Rescoms campaign. “Because opening attachments from such emails can have severe consequences for you or your company, we advise you to be aware about what you are opening and use reliable endpoint security software able to detect this malware,” he adds.

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye. Peru had the most significant number of attacks, at 4,700. Rescoms spam campaigns dramatically changed these statistics in the year’s second half. AceCryptor-packed malware primarily affected European countries.

AceCryptor samples they’ve observed in the second half of 2023 often contained two malware families as their payload: Rescoms and SmokeLoader. SmokeLoader caused a spike detected in Ukraine. On the other hand, AceCryptor containing Rescoms as a final payload caused increased activity in Poland, Slovakia, Bulgaria, and Serbia.

All spam campaigns that targeted businesses in Poland had emails with similar subject lines about B2B offers for the victim companies. To look as believable as possible, attackers researched and used existing Polish company names and even existing employee/owner names and contact information when signing those emails. This was done so that in the case of a victim Googling the sender’s name, the search would be successful, which might lead to the victim opening the malicious attachment.

While it is unknown whether the credentials were gathered for the group that carried out these attacks or if those stolen credentials would be later sold on to other threat actors, it is certain that successful compromise opens the possibility for further attacks, especially for ransomware attacks.

In parallel with the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. The only significant difference, of course, was that the language used in the spam emails was localized for those specific countries. Apart from the previously mentioned campaigns, Spain also experienced a surge of spam emails with Rescoms as the final payload.