2023-06-27

As described in our previous report, crypters, which are also referred to as loaders or packers, are applications designed to encrypt and obfuscate malware to evade detection by antivirus (AV) scanners and hinder analysis. Crypters generally operate by encrypting the pre-compiled malware payload and embedding it within a secondary binary, which we refer to as a loader. The loader contains code to decrypt and execute the malicious payload, and may also include additional sandbox-evasion or anti-analysis functions. The loaders are often designed to evade AV and signature-based detection, and frequently make use of obfuscation and code-morphing techniques that render each compiled loader different from a code perspective, increasing the challenge of writing effective signatures. The use of crypters allows malware developers to easily experiment with different methods of evading antivirus detection without having to make changes to the malware itself.
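Because the embedded payload is encrypted, it carries no stable byte signature, but it does stand out statistically: an encrypted blob has near-maximal byte entropy, while surrounding loader code does not. The following sliding-window entropy check is an added illustration of that defender-side heuristic; it is not code from the report or from any crypter, and the sample buffer (a repeated loader-like string around a seeded random blob) is constructed rather than a real PE.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (start, end) byte ranges whose fixed-size windows meet the
    entropy threshold. Adjacent flagged windows are merged into one region,
    so an embedded encrypted payload shows up as a single contiguous span."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            break  # skip a short tail window; too few bytes for a stable estimate
        if shannon_entropy(chunk) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + len(chunk))
            else:
                regions.append((off, off + len(chunk)))
    return regions

# Constructed stand-in for a loader: low-entropy "code" on either side of an
# encrypted blob. Seeded so the result is reproducible; not any real layout.
LOADER_STUB = b"decrypt_and_run " * 128          # 2048 bytes, low entropy
ENCRYPTED_BLOB = random.Random(1234).randbytes(4096)  # stand-in for the payload
SAMPLE = LOADER_STUB + ENCRYPTED_BLOB + LOADER_STUB

if __name__ == "__main__":
    print(f"stub entropy: {shannon_entropy(LOADER_STUB):.2f} bits/byte")
    print(f"blob entropy: {shannon_entropy(ENCRYPTED_BLOB):.2f} bits/byte")
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

The same check applied per PE section is the usual triage step; a high-entropy `.data` or resource section that the loader reads and then decrypts is the pattern this heuristic is meant to surface.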

As of May last year, we were tracking 13 crypters that we had attributed to ITG23, and that had been used with malware built or operated by ITG23 and their “friends and family.” Eight of these crypters have not been seen since the first half of 2022, and their retirement may be linked to the disruption experienced by the group during that time period. We also identified two new crypters which we were able to attribute to former ITG23 developers. The first is Forest, which was introduced in March 2022 and is sometimes known as the Bumblebee Loader, due to its prolific usage with the Bumblebee malware. The second is Snow, which was first observed in December 2022. Its introduction coincided with the retirement of Hexa, and code overlap between the two indicates that Snow is likely Hexa’s successor.

Over the past year, we also identified some noteworthy trends regarding crypter use on malware, including their use with several new malware families. Previously, the crypters were used predominantly with the core malware families associated with ITG23 and their close partners; this included Trickbot, Emotet, BazarLoader, IcedID, CobaltStrike, and the Ryuk, Conti, and Quantum ransomware strains. However, the fracturing of ITG23 and the emergence of new factions, relationships, and methods have affected how the crypters are used.

In early 2022, the syndicate began to develop stronger ties with Qakbot, including the first use in February 2022 of ITG23 crypters with Qakbot payloads. Qakbot previously had been using its own set of crypters, including the crypter-as-a-service CryptOne and two others that we call Quartz and Quixotic. Over the course of 2022, Qakbot continued to use ITG23-related crypters alongside their own; Hexa was used predominantly through May 2022, followed by Forest until the introduction of Snow in December 2022. In 2023, Qakbot’s use of ITG23-related crypters, in particular the new Snow crypter, increased steadily to the point that Qakbot now uses Snow almost exclusively. Early 2022 also saw the introduction of the Bumblebee malware, indicating a potential relationship between ITG23 and the developers of the Ramnit malware. Bumblebee was released alongside the new Forest crypter, which it uses almost exclusively to the present day.

In April 2022, we observed the first use of an ITG23 crypter with the Gozi banking trojan, which we linked back to a campaign operated by Hive0106 (TA551), with whom ITG23 had an established relationship. As with Qakbot, crypted Gozi payloads have increased steadily throughout the past year, during which we have observed crypters such as Hexa, Forest, Snow, Lore and Dave used on Gozi malware, most often with LDR4 and Cutwail botnet distributions. Interestingly, in 2023 we also observed the Dave and Forest crypters used with Pushdo, a downloader tied to the Cutwail botnet.

From June 2022 onwards, we began to see an uptick in new malware families being used with the crypters, likely a consequence of the shutdown of the Conti ransomware strain and the emergence of the new factions. Some of these factions likely forged new relationships with other criminal gangs, in turn leading to the testing and use of new malware, such as SVCReady, CargoBay, and Matanbuchus, on which we have observed crypters such as Hexa and Dave deployed.

In 2023, this trend continued and we observed ITG23-related crypters deployed on a range of new malware, reflecting the continued focus on building new relationships with other threat actors to purchase and use new malware strains. These new families included information stealers (Lumma C2, Vidar), backdoors/downloaders (Aresloader, Canyon), and malware such as Minodo and Diceloader acquired from FIN7 developers.

More information on the crypters and associated malware can be found in the sections below. The following table also provides an overview of the current status of the core ITG23-related crypters that we track.