Cyber Threat Analysis: User-friendly loaders and crypters simplify intrusions and malware delivery

August 25, 2020

Recorded Future analyzed current data from the Recorded Future® Platform, information security reporting, and other open source intelligence (OSINT) sources to identify loaders and crypters that facilitate threat actor campaigns. This report expands upon findings addressed in the report “Automation and Commoditization in the Underground Economy,” following reports on database breaches and on checkers and brute forcers. This report will be of most interest to network defenders, security researchers, and executives charged with security risk management and mitigation. Dark web sourcing for this research is available to Recorded Future clients.

EXECUTIVE SUMMARY

In our February 2020 report “Automation and Commoditization in the Underground Economy,” we identified automated services and products produced by threat actors and developers that facilitate criminal activities. This report dives further into loaders and crypters, identifying popular loader variants within select dark web forums and analyzing widely used crypters via clearnet domains, as well as providing mitigation strategies to identify loaders and crypters attempting to intrude into your network.

Loaders and crypters are an example of products and services that operate in tandem to elude network security settings, maintain presence on impacted machines and networks, and encrypt malicious payloads to masquerade intent. Executing malware on a victim’s machine while remaining undetected by antivirus software usually requires some technical skill, but there is a growing trend for these products to be offered as services by developers who provide user support, easy-to-use interfaces, and regular updates in response to new antivirus features in return for subscription fees rather than one-time purchases. Samples and older versions are offered for free, and the subscriptions are increasingly affordable (tens or hundreds of dollars a month rather than thousands), making it easier than ever for threat actors with limited technical knowledge to execute attacks.

KEY JUDGMENTS

  • Developers of loaders and crypters are creating products and offering services that are customizable, automated, and designed to be user-friendly to cater to non-technical users.
  • Threat actors are using loader and crypter services to elude network security settings and to encrypt and obfuscate payloads that propagate malware.
  • Threat actors are discussing specific loader variants on different forums, with SmokeLoader and Amadey Loader being widely advertised and discussed.
  • Threat actors are directing forum users to clearnet domains that advertise crypting services, with Moon Crypter and Saddam’s Crypter variants identified as containing multiple encrypting capabilities with an easy-to-use interface.