Rescoms rides waves of AceCryptor spam

Last year ESET published a blogpost about AceCryptor – one of the most popular and prevalent cryptors-as-a-service (CaaS) operating since 2016. For H1 2023 we published statistics from our telemetry, according to which trends from previous periods continued without drastic changes.

However, in H2 2023 we registered a significant change in how AceCryptor is used. Not only we have seen and blocked over double the attacks in H2 2023 in comparison with H1 2023, but we also noticed that Rescoms (also known as Remcos) started using AceCryptor, which was not the case beforehand.

The vast majority of AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries including Poland, Slovakia, Bulgaria, and Serbia.

Key points of this blogpost:

• AceCryptor continued to provide packing services to tens of very well-known malware families in H2 2023.
• Even though well known by security products, AceCryptor’s prevalence is not showing indications of decline: on the contrary, the number of attacks significantly increased due to the Rescoms campaigns.
• AceCryptor is a cryptor of choice of threat actors targeting specific countries and targets (e.g., companies in a particular country).
• In H2 2023, ESET detected multiple AceCryptor+Rescoms campaigns in European countries, mainly Poland, Bulgaria, Spain, and Serbia.
• The threat actor behind those campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible.
• The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in case of a successful compromise would open possibilities for further attacks.

AceCryptor in H2 2023

In the first half of 2023 ESET protected around 13,000 users from AceCryptor-packed malware. In the second half of the year, there was a massive increase of AceCryptor-packed malware spreading in the wild, with our detections tripling, resulting in over 42,000 protected ESET users worldwide. As can be observed in Figure 1, we detected multiple sudden waves of malware spreading. These spikes show multiple spam campaigns targeted at European countries where AceCryptor packed a Rescoms RAT (discussed more in the Rescoms campaigns section).

Furthermore, when we compare the raw number of samples: in the first half of 2023, ESET detected over 23,000 unique malicious samples of AceCryptor; in the second half of 2023, we saw and detected “only” over 17,000 unique samples. Even though this might be unexpected, after a closer look at the data there is a reasonable explanation. The Rescoms spam campaigns used the same malicious file(s) in email campaigns sent to a greater number of users, thus increasing the number of people who encountered the malware, but still keeping the number of different files low. This did not happen in previous periods as Rescoms was almost never used in combination with AceCryptor. Another reason for the decrement in the number of unique samples is because some popular families apparently stopped (or almost stopped) using AceCryptor as their go-to CaaS. An example is Danabot malware which stopped using AceCryptor; also, the prominent RedLine Stealer whose users stopped using AceCryptor as much, based on a greater than 60% decrease in AceCryptor samples containing that malware.

As seen in Figure 2, AceCryptor still distributes, apart from Rescoms, samples from many different malware families, such as SmokeLoader, STOP ransomware, and Vidar stealer.

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye, where Peru, at 4,700, had the greatest number of attacks. Rescoms spam campaigns changed these statistics dramatically in the second half of the year. As can be seen in Figure 3, AceCryptor-packed malware affected mostly European countries. By far the most affected country is Poland, where ESET prevented over 26,000 attacks; this is followed by Ukraine, Spain, and Serbia. And, it’s worth mentioning that in each of those countries ESET products prevented more attacks than in the most affected country in H1 2023, Peru.

AceCryptor samples that we’ve observed in H2 often contained two malware families as their payload: Rescoms and SmokeLoader. A spike in Ukraine was caused by SmokeLoader. This fact was already mentioned by Ukraine’s NSDC. On the other hand, in Poland, Slovakia, Bulgaria, and Serbia the increased activity was caused by AceCryptor containing Rescoms as a final payload.

Rescoms campaigns

In the first half of 2023, we saw in our telemetry fewer than a hundred incidents of AceCryptor samples with Rescoms inside. During the second half of the year, Rescoms became the most prevalent malware family packed by AceCryptor, with over 32,000 hits. Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia (Figure 4).

Campaigns in Poland

Thanks to ESET telemetry we’ve been able to observe eight significant spam campaigns targeting Poland in H2 2023. As can be seen in Figure 5, the majority of them happened in September, but there were also campaigns in August and December.

In total, ESET registered over 26,000 of these attacks in Poland for this period. All spam campaigns targeted businesses in Poland and all emails had very similar subject lines about B2B offers for the victim companies. To look as believable as possible, the attackers incorporated the following tricks into the spam emails:

• Email addresses they were sending spam emails from imitated domains of other companies. Attackers used a different TLD, changed a letter in a company name or the word order in the case of a multi-word company name (this technique is known as typosquatting).
• The most noteworthy is that multiple campaigns involved business email compromise – attackers abused previously compromised email accounts of other company employees to send spam emails. In this way even if the potential victim looked for the usual red flags, they were just not there, and the email looked as legitimate as it could have.

Attackers did their research and used existing Polish company names and even existing employee/owner names and contact information when signing those emails. This was done so that in the case where a victim tries to Google the sender’s name, the search would be successful, which might lead them to open the malicious attachment.

• The content of spam emails was in some cases simpler but in many cases (like the example in Figure 6) quite elaborate. Especially these more elaborate versions should be considered dangerous as they deviate from the standard pattern of generic text, which is often riddled with grammatical mistakes.

The email shown in Figure 6 contains a message followed by information about the processing of personal information done by the alleged sender and the possibility to “access the content of your data and the right to rectify, delete, limit processing restrictions, right to data transfer, right to raise an objection, and the right to lodge a complaint with the supervisory authority”. The message itself can be translated thus:

Dear Sir,

I am Sylwester [redacted] from [redacted]. Your company was recommended to us by a business partner. Please quote the attached order list. Please also inform us about the payment terms.

We look forward to your response and further discussion.

—

Best Regards,

Attachments in all campaigns looked quite similar (Figure 7). Emails contained an attached archive or ISO file named offer/inquiry (of course in Polish), in some cases also accompanied with an order number. That file contained an AceCryptor executable that unpacked and launched Rescoms.

Based on the behavior of the malware, we assume that the goal of these campaigns was to obtain email and browser credentials, and thus gain initial access to the targeted companies. While it is unknown whether the credentials were gathered for the group that carried out these attacks or if those stolen credentials would be later sold to other threat actors, it is certain that successful compromise opens the possibility for further attacks, especially from, currently popular, ransomware attacks.

It is important to state that Rescoms RAT can be bought; thus many threat actors use it in their operations. These campaigns are not only connected by target similarity, attachment structure, email text, or tricks and techniques used to deceive potential victims, but also by some less obvious properties. In the malware itself, we were able to find artifacts (e.g., the license ID for Rescoms) that tie those campaigns together, revealing that many of these attacks were carried out by one threat actor.

Campaigns in Slovakia, Bulgaria, and Serbia

During the same time periods as the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. These campaigns also mainly targeted local companies and we can even find artifacts in the malware itself tying these campaigns to the same threat actor that carried out the campaigns in Poland. The only significant thing that changed was, of course, the language used in the spam emails to be suitable for those specific countries.

Campaigns in Spain

Apart from previously mentioned campaigns, Spain also experienced a surge of spam emails with Rescoms as the final payload. Even though we can confirm that at least one of the campaigns was carried out by the same threat actor as in these previous cases, other campaigns followed a somewhat different pattern. Furthermore, even artifacts that were the same in previous cases differed in these and, because of that, we cannot conclude that the campaigns in Spain originated from the same place.

Conclusion

During the second half of 2023 we detected a shift in the usage of AceCryptor – a popular cryptor used by multiple threat actors to pack many malware families. Even though the prevalence of some malware families like RedLine Stealer dropped, other threat actors started using it or used it even more for their activities and AceCryptor is still going strong.In these campaigns AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused email accounts. Because opening attachments from such emails can have severe consequences for you or your company, we advise that you be aware about what you are opening and use reliable endpoint security software able to detect the malware.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of Indicators of Compromise (IoCs) can be found in our GitHub repository.

Files

SHA-1	Filename	Detection	Description
7D99E7AD21B54F07E857 FC06E54425CD17DE3003	PR18213.iso	Win32/Kryptik.HVOB	Malicious attachment from spam campaign carried out in Serbia during December 2023.
7DB6780A1E09AEC6146E D176BD6B9DF27F85CFC1	zapytanie.7z	Win32/Kryptik.HUNX	Malicious attachment from spam campaign carried out in Poland during September 2023.
7ED3EFDA8FC446182792 339AA14BC7A83A272F85	20230904104100858.7z	Win32/Kryptik.HUMX	Malicious attachment from spam campaign carried out in Poland and Bulgaria during September 2023.
9A6C731E96572399B236 DA9641BE904D142F1556	20230904114635180.iso	Win32/Kryptik.HUMX	Malicious attachment from spam campaign carried out in Serbia during September 2023.
57E4EB244F3450854E5B 740B95D00D18A535D119	SA092300102.iso	Win32/Kryptik.HUPK	Malicious attachment from spam campaign carried out in Bulgaria during September 2023.
178C054C5370E0DC9DF8 250CA6EFBCDED995CF09	zamowienie_135200.7z	Win32/Kryptik.HUMI	Malicious attachment from spam campaign carried out in Poland during August 2023.
394CFA4150E7D47BBDA1 450BC487FC4B970EDB35	PRV23_8401.iso	Win32/Kryptik.HUMF	Malicious attachment from spam campaign carried out in Serbia during August 2023.
3734BC2D9C321604FEA1 1BF550491B5FDA804F70	BP_50C55_20230 309_094643.7z	Win32/Kryptik.HUMF	Malicious attachment from spam campaign carried out in Bulgaria during August 2023.
71076BD712C2E3BC8CA5 5B789031BE222CFDEEA7	20_J402_MRO_EMS	Win32/Rescoms.B	Malicious attachment from spam campaign carried out in Slovakia during August 2023.
667133FEBA54801B0881 705FF287A24A874A400B	7360_37763.iso	Win32/Rescoms.B	Malicious attachment from spam campaign carried out in Bulgaria during December 2023.
AF021E767E68F6CE1D20 B28AA1B36B6288AFFFA5	zapytanie ofertowe.7z	Win32/Kryptik.HUQF	Malicious attachment from spam campaign carried out in Poland during September 2023.
BB6A9FB0C5DA4972EFAB 14A629ADBA5F92A50EAC	129550.7z	Win32/Kryptik.HUNC	Malicious attachment from spam campaign carried out in Poland during September 2023.
D2FF84892F3A4E4436BE DC221102ADBCAC3E23DC	Zamowienie_ andre.7z	Win32/Kryptik.HUOZ	Malicious attachment from spam campaign carried out in Poland during September 2023.
DB87AA88F358D9517EEB 69D6FAEE7078E603F23C	20030703_S1002.iso	Win32/Kryptik.HUNI	Malicious attachment from spam campaign carried out in Serbia during September 2023.
EF2106A0A40BB5C1A74A 00B1D5A6716489667B4C	Zamowienie_830.iso	Win32/Kryptik.HVOB	Malicious attachment from spam campaign carried out in Poland during December 2023.
FAD97EC6447A699179B0 D2509360FFB3DD0B06BF	lista zamówień i szczegółowe zdjęcia.arj	Win32/Kryptik.HUPK	Malicious attachment from spam campaign carried out in Poland during September 2023.
FB8F64D2FEC152D2D135 BBE9F6945066B540FDE5	Pedido.iso	Win32/Kryptik.HUMF	Malicious attachment from spam campaign carried out in Spain during August 2023.

MITRE ATT&CK techniques

This table was built using version 14 of the MITRE ATT&CK framework.

Tactic	ID	Name	Description
Reconnaissance	T1589.002	Gather Victim Identity Information: Email Addresses	Email addresses and contact information (either bought or gathered from publicly available sources) were used in phishing campaigns to target companies across multiple countries.
Resource Development	T1586.002	Compromise Accounts: Email Accounts	Attackers used compromised email accounts to send phishing emails in spam campaigns to increase spam email’s credibility.
	T1588.001	Obtain Capabilities: Malware	Attackers bought and used AceCryptor and Rescoms for phishing campaigns.
Initial Access	T1566	Phishing	Attackers used phishing messages with malicious attachments to compromise computers and steal information from companies in multiple European countries.
	T1566.001	Phishing: Spearphishing Attachment	Attackers used spearphishing messages to compromise computers and steal information from companies in multiple European countries.
Execution	T1204.002	User Execution: Malicious File	Attackers relied on users opening and launching malicious files with malware packed by AceCryptor.
Credential Access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	Attackers tried to steal credential information from browsers and email clients.

• SEO Powered Content & PR Distribution. Get Amplified Today.
• PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
• PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
• PlatoESG. Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
• PlatoHealth. Biotech and Clinical Trials Intelligence. Access Here.
• Source: https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/