News, 21.03.2024, 09:30 AM
ESET researchers discovered thousands of new infections with the AceCryptor malware, part of a campaign directed against specific targets (companies in particular countries) in Europe.
ESET researchers have been tracking AceCryptor for years, and say the latest campaign is different from previous ones because the attackers have expanded the types of malicious code packed into the malware.
AceCryptor is commonly used to pack Remcos (also known as Rescoms), a powerful remote surveillance tool that has been used repeatedly against targets in Ukraine. In addition to Remcos and another well-known malware family, SmokeLoader, the researchers said that AceCryptor now also delivers the STOP ransomware and the Vidar infostealer.
The researchers also noted several differences in the attacks depending on the targeted country. SmokeLoader was used in the attacks in Ukraine, while Remcos was used in the attacks in Poland, Slovakia, Bulgaria and Serbia.
“In these campaigns, AceCryptor was used to target multiple European countries and gain information or initial access to multiple companies. The malware in these attacks was distributed in spam emails, which in some cases were quite convincing; sometimes spam mail was even sent from legitimate but misused email accounts,” said ESET researcher Jakub Kaloč, who discovered these attacks.
The goal of the latest campaign is to obtain login credentials for email accounts and browsers, to be used in further attacks on the targeted companies; ESET said that the vast majority of the malware samples it observed served as the initial compromise vector.
According to ESET data, in the first half of 2023 the countries most affected by the AceCryptor malware were Peru, Mexico, Egypt and Turkey.
In the second half of 2023, the attackers shifted to European countries, targeting Poland with more than 26,000 attacks, followed by Serbia, Spain, Bulgaria and Slovakia, each of which suffered thousands of attacks.
The attacks on Polish businesses used lures themed as B2B offers addressed to the victim companies. The attackers tried to make the emails look legitimate by using the names of real Polish companies and their employees.
In Serbia, Slovakia and Bulgaria, the attackers mostly targeted local companies, and the only thing that distinguished these attacks from those in Poland was the language used in the spam emails.
ESET said it was unclear whether the attackers intended to use the stolen credentials themselves or sell them to other attackers.
Although ESET could not attribute the attacks, Remcos and SmokeLoader have repeatedly been used by groups working for the Russian government.
Photo: Pixabay / Pexels