In the second half of 2023, ESET discovered AceCryptor campaigns delivering the Rescoms remote access tool in several European countries, aimed at stealing credentials saved in browsers and email clients.
ESET, the global European leader in the cybersecurity market, has recorded a dramatic increase in AceCryptor attacks: detections tripled between the first and second half of 2023, and ESET products blocked these attacks for 42,000 ESET users worldwide. In recent months, ESET has also seen a significant change in how AceCryptor is used: attackers spreading Rescoms (also known as Remcos) have started packing it with AceCryptor, which had not been the case before. Rescoms is a remote access tool (RAT) frequently used by threat actors for malicious purposes; AceCryptor is a cryptor-as-a-service that obfuscates malware to hinder its detection. Based on the behavior of the distributed malware, ESET researchers hypothesized that the goal of the campaigns was to obtain email and browser credentials for further attacks against the targeted companies. The majority of the AceCryptor-packed Rescoms RAT samples were used as initial compromise vectors in multiple spam campaigns targeting several European countries, including Central Europe (Poland, Slovakia), the Balkans (Bulgaria, Serbia) and Spain.
“In these campaigns, AceCryptor was used to target European targets and to steal information or gain initial access to several companies. The malware was distributed in spam emails, which in some cases were quite convincing; sometimes the spam was even sent from legitimate, but hacked, email accounts,” explains Jakub Kaloč, ESET researcher, who discovered the latest AceCryptor campaign with Rescoms. “Since opening attachments in these types of emails can have serious consequences for users and businesses, it is always advisable to be proactive and use reliable endpoint security software that can detect malware,” he adds.
In the first half of 2023, the countries most affected by malware packed with AceCryptor were Peru, Mexico, Egypt and Turkey, with Peru recording the highest number of attacks (4,700). The Rescoms spam campaigns dramatically changed these statistics in the second half of the year.
AceCryptor samples observed by ESET in the second half of 2023 often contained two types of malware as payloads: Rescoms and SmokeLoader. A spike detected in Ukraine was caused by SmokeLoader. In Poland, Slovakia, Bulgaria and Serbia, however, the increase in activity was generated by AceCryptor containing Rescoms as the final payload.
The spam campaigns that targeted companies in Poland used emails with very similar subject lines, all referring to B2B offers for the targeted companies. To appear as credible as possible, the attackers researched and used the names of existing Polish companies, complete with the names of employees or owners and contact information as a signature at the bottom of the emails. If a victim searched for the sender's name online, the search would return a real company and a real person, making the victim more likely to open the malicious attachment.
While it is not known whether the credentials were collected for the group that conducted these attacks or were subsequently sold to other parties, it is certain that a successful compromise opens up the possibility of further attacks, particularly ransomware.
In parallel to the activities detected in Poland, ESET telemetry also recorded ongoing campaigns in Slovakia, Bulgaria and Serbia. The only significant difference is that the language used in the spam emails was, of course, adapted to those specific countries. In addition to the campaigns already mentioned, Spain has also seen a wave of spam emails with Rescoms as the final payload.
For more technical information on the AceCryptor and Rescoms RAT campaign, see the blog post “Rescoms rides waves of AceCryptor spam”. Be sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.