briankrebs,

Long rant/observation....

You know what secretly holds much of the financially-oriented cybercrime world together? It's the relatively few evil code wizards who are really good at making malware look benign. They call them cryptors, or encryptors, and their services are known as "crypting."

Crypting is a core method by which malware purveyors try to evade antivirus and security tools, and virtually all serious malware that is deployed for use in data stealing at some point needs to be crypted. Because if you're not doing stuff to obfuscate your malware before sending it out, it's probably going to mostly get caught by antivirus. So, if you're not crypting it yourself (challenging), you probably need to pay someone else to do that.

There are countless cybercriminals who've hung out their shingles as crypting service providers, but most of these people are really not very good at what they do, and are soon out of business. Still, there are a fair number of crypting services that have been around for a while and do a passable job, with somewhat unreliable results.

However, it's crazy how many different big time cybercrime outfits turn to a fairly small number of super-scary crypters who've been doing malware a LONG time (15-20+ years).

One thing I have discovered in all my lurking on the forums is that the best cryptors are independent contractors who tend to have arrangements with multiple, often competing cybercriminal operations.

In short, if you want to really kneecap a number of cybercrime enterprises all at once, go after the top crypting service providers, and take them off the board.
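The post above describes crypting only at the level of "obfuscate the binary so antivirus misses it." The following Python is an added illustration, not code from the post, from Cryptor[.]biz or from any service it names: it shows in miniature why a crypted payload slips past a byte-signature check and the entropy test defenders use to flag it anyway. The sample "malware" blob, the signature, the key and the XOR-with-keystream wrapper are all constructed here for the demo; a real crypting service layers a loader stub, polymorphism and anti-analysis on top, none of which is shown.

```python
import hashlib
import math
from collections import Counter

# Constructed sample "malware": a blob that carries a byte pattern a signature
# scanner would know. Both the blob and the signature are invented for this demo.
SIGNATURE = b"\x4d\x5a\x90\x00STEALER_V2"
PAYLOAD = (
    SIGNATURE
    + b"\x00" * 200
    + b"GET /gate.php HTTP/1.1\r\n"
    + b"\x90" * 300
)
KEY = b"demo-key-0001"  # fixed so every run is deterministic


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding/repeats, near 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signature_hit(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """The naive static check a crypter exists to defeat: a known byte pattern."""
    return signature in data


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (assumed construction for the
    demo, not a vetted cipher): it only needs to make every output byte look random."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_crypt(payload: bytes, key: bytes) -> bytes:
    """Toy 'crypted' artefact: the payload XORed with the keystream. A real crypter
    also prepends a loader stub that undoes this in memory; that stub is what AV
    vendors then fingerprint, and what the services keep rewriting."""
    return bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))


def toy_decrypt(blob: bytes, key: bytes) -> bytes:
    """What the loader stub would do at run time. XOR is its own inverse."""
    return toy_crypt(blob, key)


def classify(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Triage verdict: signatures first, then entropy as the fallback heuristic."""
    if signature_hit(data):
        return "signature match"
    if shannon_entropy(data) > entropy_threshold:
        return "no signature, high entropy: likely packed or crypted"
    return "no signature, entropy normal"


if __name__ == "__main__":
    crypted = toy_crypt(PAYLOAD, KEY)
    print(f"plain   : {classify(PAYLOAD)} (entropy {shannon_entropy(PAYLOAD):.2f})")
    print(f"crypted : {classify(crypted)} (entropy {shannon_entropy(crypted):.2f})")
    print(f"benign  : {classify(b'hello ' * 50)}")
    assert toy_decrypt(crypted, KEY) == PAYLOAD
```

The point for a defender is the second line of output: the signature is gone but the entropy jumps from under 3 bits per byte to over 7, which is why sandboxing, memory scanning and section-entropy heuristics took over from pure pattern matching. Entropy alone is a weak signal, since legitimate installers, compressed resources and commercial packers look the same, so treat it as a triage flag rather than a verdict.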

briankrebs,

Today's story is related to this rant:

"If you operate a cybercrime business that relies on disseminating malicious software, you probably also spend a good deal of time trying to disguise or “crypt” your malware so that it appears benign to antivirus and security products. In fact, the process of “crypting” malware is sufficiently complex and time-consuming that most serious cybercrooks will outsource this critical function to a handful of trusted third parties. This story explores the history and identity behind Cryptor[.]biz, a long-running crypting service that is trusted by some of the biggest names in cybercrime."

https://krebsonsecurity.com/2023/06/why-malware-crypting-services-deserve-more-scrutiny/

fahru,

@briankrebs thanks for sharing!

nattiegoogie,

@briankrebs

Got any recommendations? 'Cuz I'm looking to apprentice w/someone.

Kidding.

Mostly.

DanielRThomas,

@briankrebs We found something similar with the server operators holding the booster market together, but the difference between them and the crypter purveyors would be very interesting to investigate.

RassBariaw,

@briankrebs 👀🧐🤔

collette,

@briankrebs what if it's like Philip K. Dick imagined and the cryptors are feds cue dramatic theme

fugueish,

deleted_by_author

    briankrebs,

    @fugueish That's probably true. The cryptors I'm talking about are often catering to groups that have the money to spend to ensure their malware is broadly undetected. In some cases, the malware has to work w/out detection or much potential profit is wasted.

    kurtisj,

    @briankrebs yes, crooks still paying for reliable FUD. which pretty rarely has much longevity anymore.

    seems to be a favorite topic of yours over the years.

    briankrebs,

    @kurtisj Yes it has been a focus of mine for years, primarily because the same people are allowed to keep operating :)

    synlogic,

    @briankrebs I have impression too that Russians are disproportionately present in that space. for a variety of factors which make sense

    briankrebs,

    @synlogic Yes, and oddly several people in Latvia, Lithuania

    synlogic,

    @briankrebs makes sense

    I once worked on project for a client who... let's just say they def had state-level actors in their threat model

    one time we were (FORCED, however stupidly) to use a Slack/Discord group to coord (forget which)

    one day I saw two gentlemen "join" the group, within span of few mins. cuz of their names/pics I glance at their profile. both said like Moscow/StP (forget which)

    next day I glanced at them again. both changed to "E. Europe"

    it then got... worse/funnier ;-)

    erraggy,

    @briankrebs a tenure in any software vocation of 20 years is remarkable. But that same tenure in an illegal form is truly extraordinary

    briankrebs,

    @erraggy I agree with the first part of what you said, but it's sadly still very common in the cybercrime space for the leading players to have that much experience under their belts.

    WowSuchCyber,

    @briankrebs hopefully the authorities lurking on the same forums will arrive at that same conclusion and will direct their formidable echelon & co apparatus toward identifying those actors and get them...

    synlogic,

    @briankrebs I have a bet that a subset of public GitHub repos/projs are basically intended (or used/adopted) as malware delivery points

    "Yes just blindly trust this code by a rando and run it on your machine, as you, with access to all your data, what could possibly go wrong?"

    cuz a lot of young people who have grown up in GitHub's world (or the like) take it for granted, like it's air or water, and thus just as (almost always) harmless

    the "almost always" is what makes it good for baddies

    securityskeptic,

    @synlogic @briankrebs I love posts that make me think. Thanks.

    Taking cryptors off the board is absolutely worth pursuing.

    IANAA so I'm curious what crime one would allege that cryptors committed, and you'd have to prove conspiracy or receipt of illegally obtained proceeds.

    How would a prosecutor argue to effectively distinguish crypter code from other libraries and code bits that one finds in malware that are commonly available in repos or freeware sites?

    briankrebs,

    @securityskeptic @synlogic It would have to be some type of conspiracy. The really good cryptors work directly with clients, usually communicating on private messaging systems like jabber or tox.

    securityskeptic,

    @briankrebs @synlogic

    If this is the typical case, then the prosecutor or a company filing a suit would probably add the cryptors (by name or even as John Doe) as defendants in the complaint, as Microsoft did with parties who wrote software in the Kelihos and Necurs takedowns in the past.

    maxheadroom,

    @briankrebs I'm almost sure that the actors who could legally do that are likely also customers of said cryptors ;) That's why that doesn't happen
