#acecryptor

ESET Research

#ESETResearch’s monitoring of #AceCryptor revealed a significant decrease in prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.

Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.

As for the malware families packed by the cryptor, we could yet again see the usual suspects such as #Rescoms, #Smokeloader, and #Stealc among the most delivered threats.

While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware.
First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password-protected archive.

Instead of the documents, the archive contained an AceCryptor executable packing the Raccoon Stealer successor #RecordBreaker, which then exfiltrated the victim information to a C&C server with the IP address of 45[.]153[.]231[.]163.

Then on September 23, 2024, more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the #XWorm RAT 🪱🐀. As a C&C, XWorm RAT used easynation[.]duckdns[.]org.

The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: https://github.com/eset/malware-ioc/tree/master/ace_cryptor