AceCryptor malware has surged in Europe, researchers say

Thousands of new infections involving the AceCryptor tool — which allows hackers to obfuscate malware and slip it into systems without being detected by anti-virus software — have been discovered as part of a campaign targeting organizations across Europe. 

Researchers at ESET have spent years tracking AceCryptor, and they said on Wednesday that the most recent campaign was different from previous iterations because attackers had expanded the kinds of malicious code packaged inside.

AceCryptor is typically used with malware known as Remcos or Rescoms — a powerful remote surveillance tool researchers have seen used repeatedly against organizations in Ukraine. In addition to Remcos and another familiar tool known as SmokeLoader, ESET said it has now seen AceCryptor distribute malware like the STOP ransomware and Vidar stealer.

ESET found several differences based on the countries targeted. Attacks in Ukraine involved SmokeLoader, while incidents in Poland, Slovakia, Bulgaria and Serbia deployed Remcos. 

“In these campaigns, AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused, email accounts,” said ESET researcher Jakub Kaloč, who discovered the campaign. 

The goal of the most recent operation is to obtain email and browser credentials for further attacks against the targeted companies, ESET said, adding that the vast majority of malware samples they saw were used as an initial compromise vector.

ESET said that in the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt and Turkey, with Peru seeing the most attacks at 4,700.

In the second half of 2023, the hackers switched their focus to European countries, targeting Poland with more than 26,000 attacks. Ukraine, Spain and Serbia also saw thousands of attacks. 

“During the second half of the year, Rescoms became the most prevalent malware family packed by AceCryptor, with over 32,000 hits. Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia,” the researchers said. 

“In total, ESET registered over 26,000 of these attacks in Poland for this period.”

The attacks on Polish businesses carried similar subject lines involving B2B offers for a victim company. The hackers tried to make the emails look legitimate by using real Polish company names and existing employee names as well. 

ESET said it is unclear if the hackers intend to gather stolen credentials for themselves or sell it on to other threat actors. 

While ESET was not able to identify the source of the attack campaigns, Remcos and SmokeLoader have been used repeatedly by hackers working on behalf of the Russian government. 

ESET noted last year that it found over 240,000 detections throughout 2021 and 2022 in Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland and India.