AceCryptor attacks on the rise with Central Europe, Balkans, and Spain as major targets

ESET Research has recorded a dramatic increase in AceCryptor attacks: ESET detections tripled between the first and second halves of 2023, amounting to the protection of 42,000 ESET users worldwide. Furthermore, in recent months ESET registered a significant change in how AceCryptor is used: the attackers spreading Rescoms (also known as Remcos) started using AceCryptor, which had not been the case before.

Rescoms is a remote access tool (RAT) that is often used by threat actors for malicious purposes; AceCryptor is a cryptor-as-a-service that obfuscates malware to hinder its detection. Based on the behavior of the deployed malware, ESET researchers assume that the goal of these campaigns was to obtain email and browser credentials for further attacks against the targeted companies.

The vast majority of AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries, including Central Europe (Poland, Slovakia), the Balkans (Bulgaria, Serbia), and Spain.

“In these campaigns, AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused, email accounts,” says ESET researcher Jakub Kaloč, who discovered the latest AceCryptor campaign delivering Rescoms. “Because opening attachments from such emails can have severe consequences for you or your company, we advise you to be aware of what you are opening and use reliable endpoint security software able to detect this malware,” he adds.

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye, with Peru, at 4,700, having the greatest number of attacks. The Rescoms spam campaigns changed these statistics dramatically in the second half of the year, when AceCryptor-packed malware mostly affected European countries.

AceCryptor samples that we observed in the second half of 2023 often carried one of two malware families as their payload: Rescoms or SmokeLoader. A spike detected in Ukraine was caused by SmokeLoader. In Poland, Slovakia, Bulgaria, and Serbia, on the other hand, the increased activity was caused by AceCryptor carrying Rescoms as the final payload.

Heatmap of countries affected by AceCryptor, according to ESET telemetry

All spam campaigns that targeted businesses in Poland used emails with very similar subject lines about B2B offers for the victim companies. To look as believable as possible, the attackers did their research and used existing Polish company names, and even existing employee (or owner) names and contact information, when signing those emails. This was done so that if a victim Googled the sender’s name, the search would return real results, which might lead the victim to open the malicious attachment.

While it is unknown whether the credentials were gathered for use by the group that carried out these attacks or were to be sold on to other threat actors, it is certain that a successful compromise opens the door to further attacks, especially ransomware attacks.

In parallel with the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. The only significant difference was that the language used in the spam emails was localized for each of those countries. Apart from the campaigns mentioned above, Spain also experienced a surge of spam emails with Rescoms as the final payload.
