We've protected nearly 400,000 global Avast users from malware that makes use of OnionCrypter

Both cars and malware are made up of many components that enable them to run. Cars have different parts like engines, tires, and steering wheels; malware has loaders, payloads, and command modules.

Recently, researchers at Avast Threat Labs spent time looking at a specific “part” that malware authors use to make their “cars”. It’s called a “crypter”, which is a tool used to hide malicious parts of code using encryption, in an effort to make them appear harmless and be more difficult to read.

Malware authors use this technique to hide their malicious code from researchers, antivirus and security software. From a malware author’s point of view, a crypter is an important tool to counter protections against malware. From a researcher’s point of view, though, being able to identify a crypter helps us better and more quickly identify new malware when that malware has this component in it.

Our researchers looked into a specific crypter that we’re calling OnionCrypter. We’ve chosen this name because this particular crypter uses multiple techniques to make it harder for researchers, antivirus, and security software to read the information that it protects. OnionCrypter is unusual because of the way it uses multiple layers to hide its information. Put simply, the information is hidden within the layers of the “onion” of its encryption.

It’s important to note that the name reflects the many layers this crypter uses, and it’s in no way related to the Tor browser or network.

We also found that OnionCrypter has been widely used since 2016 by some of the best known and most prevalent malware families such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. In the last three years, we have protected almost 400,000 Avast users around the world from malware that makes use of OnionCrypter.

The chart below shows the different malware families we found using OnionCrypter.

Because of how long OnionCrypter has been around and how widely it's used, our researchers believe that the authors of OnionCrypter offer it for sale as a service. This makes sense: we’ve seen the market for malware mature so that some people and companies offer specific, specialized services. Consistent with that kind of mature market, we also believe the authors of OnionCrypter offer customization for their customers, helping to make it even less detectable. In advertising on forums, OnionCrypter is frequently advertised as a fully undetectable (FUD) crypter.

With the information that Avast researchers have found on OnionCrypter, we’re making it easier for us and others to detect not only OnionCrypter, but also anything that uses it. Returning to the car analogy, we’ve identified a specific part in the engine that many malware families use. Now, we’re able to look for that part and examine it more closely when we find it in something new; our research has shown us that in these cases, it’s a new kind of malware.

Our team’s capability for deep research is good for both Avast customers and also for everyone else, because this information helps inform those who design and improve upon security software.
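The post describes OnionCrypter only at the level of "multiple layers" and of detecting the shared part rather than each payload. The following Python is an added analyst-side illustration, not Avast's code and not a reproduction of OnionCrypter's real layers (which the post does not describe): it peels a blob one recognizable layer at a time until a payload marker appears, records the sequence of layers it undid, and treats that sequence as the fingerprint of the wrapper, so two different payloads wrapped the same way are both flagged. The three layer formats (base64, zlib, single-byte XOR with the key stored in a leading header byte), the `MZ` marker check, and the samples are constructed for this demonstration only.

```python
"""Layer-peeling analyzer (added example; constructed layers, not OnionCrypter's)."""
import base64
import binascii
import zlib

PAYLOAD_MARKER = b"MZ"   # DOS/PE header: reaching it means we have the inner payload
MAX_LAYERS = 16          # stop a decoder chain that never reaches a payload


def _try_base64(buf):
    """Undo a base64 layer; None if buf is not strictly valid base64."""
    try:
        out = base64.b64decode(buf, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out or None


def _try_zlib(buf):
    """Undo a zlib layer; the 0x78 header byte is a cheap pre-check."""
    if len(buf) < 2 or buf[0] != 0x78:
        return None
    try:
        return zlib.decompress(buf)
    except zlib.error:
        return None


def _try_xor_header(buf):
    """Constructed layer format: byte 0 is the XOR key, the rest is ciphertext.

    This decoder is deliberately permissive (it accepts almost anything), so it
    is tried last; real analyzers would add a sanity check on the output.
    """
    if len(buf) < 2 or buf[0] == 0:
        return None
    key = buf[0]
    return bytes(b ^ key for b in buf[1:])


# Order matters: strict decoders first, permissive ones last.
LAYER_DECODERS = [("base64", _try_base64), ("zlib", _try_zlib), ("xor1", _try_xor_header)]


def peel_layers(blob):
    """Return (innermost_bytes, [layer names undone]).

    Stops as soon as the payload marker is visible, or when no decoder applies.
    """
    layers = []
    current = blob
    for _ in range(MAX_LAYERS):
        if current.startswith(PAYLOAD_MARKER):
            return current, layers
        for name, decoder in LAYER_DECODERS:
            out = decoder(current)
            if out is not None and out != current:
                layers.append(name)
                current = out
                break
        else:
            break  # nothing recognized the outer layer
    return current, layers


# The wrapper's "fingerprint": the exact sequence of layers it applies (constructed).
CONSTRUCTED_CRYPTER_LAYERS = ["base64", "zlib", "xor1"]


def matches_crypter_fingerprint(blob):
    """True when the blob unwraps through the known layer sequence to a payload."""
    payload, layers = peel_layers(blob)
    return layers == CONSTRUCTED_CRYPTER_LAYERS and payload.startswith(PAYLOAD_MARKER)


def build_constructed_sample(payload, key=0x5A):
    """Wrap a fake payload in the constructed layers (test input only)."""
    inner = bytes([key]) + bytes(b ^ key for b in payload)
    return base64.b64encode(zlib.compress(inner))


if __name__ == "__main__":
    # Two fake "families" (constructed) wrapped by the same wrapper are both flagged.
    for fam in (b"MZ fake family A", b"MZ fake family B, different code"):
        sample = build_constructed_sample(fam)
        print(fam[:16], "->", peel_layers(sample)[1], matches_crypter_fingerprint(sample))
    print(b"MZ plain", "->", matches_crypter_fingerprint(b"MZ plain"))
```

The point the post makes is visible in `matches_crypter_fingerprint`: it never looks at which family the payload belongs to, only at the wrapper's layer sequence, so any sample that uses the same wrapper is caught. A production version would key the fingerprint on the wrapper's actual stub code and constants rather than on generic encodings, since base64 and zlib alone are far too common to be a signature.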