In a major breakthrough that exposed how malware operators successfully bypassed various antivirus products, Europol has busted a Romanian cyber gang that offered CyberSeal and Dataprotector crypting services that helped evade malware detections by antivirus solutions.
The two Romanian hackers, who were arrested in a joint operation spearheaded by Europol and the Romanian Police, sold malware encryption services such as CyberSeal and Dataprotector as well as the Cyberscan service which allowed their clients to test their malware against antivirus solutions.
The hackers' CyberSeal and Dataprotector crypting services were purchased by more than 1,560 cyber criminals for between US$40 and US$300 who then used these services to encrypt several different types of malware, including Remote Access Trojans, information stealers, and ransomware.
These crypting services helped cyber criminals to encrypt or hide the underlying code in their malware variants in order to make their software appear harmless prior to getting installed on a victim's computer. According to Europol, the two crypting services have been offered for sale in the underground criminal market since 2010.
The two Romanian individuals also sold a Counter Antivirus platform on Dark Web marketplaces for between US$7 to US$40. This platform enabled buyers to test their malware samples against antivirus solutions until the malware became fully undetectable (FUD).
The successful operation that led to the arrest of the two Romanian hackers was led by the Romanian police and supported by Europol, the FBI, the Australian Federal Police (AFP), and the Norwegian National Criminal Investigation Service (Kripos).
This is not the first time that cyber criminals have been caught selling or using encrypted malware to bypass detection by antivirus solutions. In May last year, ten members of a cyber crime gang, five of whom were Russians, were indicted in the US for using the credential-stealing GozNym malware to steal banking logins and gain access to online bank accounts of more than 41,000 victims that included businesses and financial institutions.
The federal indictment noted that the cyber crime group used the GozNym malware to first steal online banking credentials from victims' computers, used the stolen credentials to log in to online banking accounts, stole money from such accounts, and then laundered the funds using US and foreign beneficiary bank accounts.
Before deploying GozNym malware, the cyber crime group encrypted the malware to enable it to avoid detection by anti-virus tools and other malware-detecting software. Once the malware stole online banking credentials from host devices, a member of the group whose role was as an "account takeover specialist" used the stolen credentials to access victims’ online bank accounts and attempt to steal victims’ money.
In 2017, security firm Check Point also discovered that hackers hid the ExpensiveWall malware inside as many as 50 Android apps that were downloaded between 1 million and 4.2 million times by Android device users worldwide. Hackers behind ExpensiveWall encrypted malicious code while including the malware in Android apps, thereby avoiding detection by Google Play’s built-in anti-malware protections.
Once installed, the malware obtained permission from users to access their Internet and SMS, sent fraudulent premium SMS messages on users' behalf without their knowledge, and thereby charged heir accounts for fake services. In order to widen its reach, the malware's operators heavily promoted the ExpensiveWall app for Android on social media platforms like Instagram.