AceCryptor Malware Use Surges in Europe

Thousands of fresh infections linked to AceCryptor, a crypter that wraps other malware so it can be delivered and executed without being detected by antivirus software, have been uncovered in a concerted campaign targeting organizations across Europe.

Researchers have tracked AceCryptor for years. On Wednesday they reported that the recent campaign differed from earlier ones in that the attackers broadened the range of malicious payloads packed inside it.

AceCryptor has traditionally been used to pack Remcos, a remote access tool also tracked under the name Rescoms, which is frequently deployed against organizations in Ukraine. Alongside Remcos and the SmokeLoader downloader, researchers have also observed AceCryptor delivering payloads such as the STOP ransomware and the Vidar stealer.

The packed payload varied by target country: SmokeLoader featured in attacks in Ukraine, while incidents in Poland, Slovakia, Bulgaria, and Serbia involved Remcos.

In these operations AceCryptor was used against multiple European countries to steal information from, or gain initial access to, numerous companies. The malware was distributed through spam emails, some of them highly convincing, and in some cases sent from legitimate but compromised email accounts.

AceCryptor Attacks Go After Browser Credentials

The recent operation aims to harvest email and browser credentials for follow-on attacks against the targeted organizations. Most of the malware samples served as the initial compromise vector.

In the first half of 2023, the countries most impacted by AceCryptor-packed malware were Peru, Mexico, Egypt, and Turkey, with Peru enduring the highest number of attacks at 4,700.

In the latter half of 2023, the focus shifted to European nations, with Poland targeted by over 26,000 attacks. Ukraine, Spain, and Serbia also experienced thousands of attacks.

During the second half of the year, Rescoms was the malware family most often packed by AceCryptor, accounting for over 32,000 instances. Poland recorded over half of these attempts, followed by Serbia, Spain, Bulgaria, and Slovakia, the researchers reported; in total, Poland saw more than 26,000 AceCryptor-packed attacks during this period.

Attacks on Polish enterprises used similar subject lines, framed as business-to-business (B2B) offers addressed to the victim company. To make the emails appear legitimate, the attackers used the names of real Polish companies and of existing employees.

Researchers noted that it is unclear whether the attackers intend to use the stolen credentials themselves or sell them to other threat actors.

While researchers could not attribute the campaigns to a specific actor, Remcos and SmokeLoader have repeatedly been associated with hackers operating on behalf of the Russian government.

March 21, 2024