Cracking the Crypter Code
The crypters have been used alongside malware that was previously leveraged in Trickbot or Conti attacks, such as Emotet, IcedID, Qakbot and Bumblebee. But they have also appeared alongside new malware families, such as SVCReady, CargoBay, Matanbuchus, Pikabot, Aresloader, Vidar, Minodo, and LummaC2 Stealer, said researchers.
These have included the Dave crypter, which researchers said is still under regular development with multiple variants. Many threat groups frequently use Dave in attacks that have been linked to at least 15 current malware families. Researchers earlier this year, for instance, observed the Dave loader being used in a February campaign with a new backdoor that they called Domino, which they believe was created by developers associated with the FIN7 cybercriminal group.
Researchers also discovered two new crypters that they linked to former Trickbot/Conti developers. The Forest crypter (also known as the Bumblebee loader due to its deployment alongside the known Bumblebee malware), which was found in March 2022, has been used frequently in campaigns over the past year alongside the IcedID, Qakbot, CobaltStrike and Gozi malware families (in addition to Bumblebee). The second new crypter, Snow, was observed in December 2022 and includes an overlap in its code with the now-retired Hexa crypter, also attributed to Trickbot/Conti, leading researchers to conclude that this is likely a successor to Hexa. This crypter has been leveraged in IcedID, Qakbot, Gozu and Pikabot malware campaigns.
More than half of the crypters studied by researchers, meanwhile, have not been observed in use since the first half of 2022. Researchers believe that the lack of activity surrounding these crypters – which include Galore, Rustic, Hexa, Charm and Graven – could be tied to the disruption that Trickbot/Conti faced during this time.
“We do not know the exact reasons why many of the crypters have not been seen since early 2022, but it is possible that during the period of disruption, key members of the development team left, or access to the crypter code or automation server was somehow lost,” said Hammond.