Today’s malware is a lot like a car. Both cars and malware are made up of many components that enable them to run. Cars have different parts such as engines, tires, and steering wheels; malware has loaders, payloads, and command modules.
Recently, researchers at Avast Threat Labs spent time looking at a specific “part” that malware authors use to build their “cars”. It’s called a “crypter”: a tool that uses encryption to hide the malicious parts of code so that they appear harmless and are more difficult to read. Malware authors use this technique to hide their malicious code from researchers, antivirus and security software.
From a malware author’s point of view, a crypter is an important tool for evading protections against malware. From a researcher’s point of view, though, being able to identify a crypter helps to identify new malware better and more quickly whenever that malware contains this component.
The digital security and privacy products company’s researchers looked into a specific crypter that it’s calling OnionCrypter. It chose the name because this particular crypter uses multiple techniques to make it harder for researchers, antivirus, and security software to read the information that it protects.
Put simply, the information is hidden within the layers of the “onion” of its encryption. OnionCrypter is unusual because of the way it uses multiple layers to hide its information. It’s important to note that the name reflects the many layers this crypter uses, and it’s in no way related to the Tor browser or network.
Avast has found that OnionCrypter has been used by more than 30 different malware families since 2016. This includes some of the best-known and most prevalent families, such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. In the last three years, the company has protected almost 400,000 users around the world from malware protected by this crypter. Its widespread use and length of time in use make it a key malware infrastructure component.
One of the goals of malware authors is to keep their creation undetected by antivirus software. One possible solution for this is a crypter, which encrypts a program so that it looks like meaningless data. It then wraps this encrypted program in an envelope, also called a stub. The stub looks like an innocent program and may even perform some tasks that are not harmful at all, but its primary task is to decrypt the payload and run it.