OnionCrypter Uses Three Individual Layers of Encryption

  • A crypter that uses three layers of obfuscation has just been discovered and analyzed.
  • The particular piece of software has been around since 2016, helping thousands of malware payloads find their way into machines.
  • The crypter is very effective in evading AV detection and offers rich customization options.

Avast has discovered a malware crypter that uses an encryption technique resembling Tor’s Onion network, and so the researchers named it “OnionCrypter.” Crypters are indispensable parts of malware distribution campaigns. They help crooks wrap their payloads in anti-detection shells that can trick AV tools and, as a result, dramatically increase infection rates. Oftentimes, these tools are very sophisticated, rotating or enriching their encryption methods to always stay ahead of AV companies.

In the case of the OnionCrypter, we have multiple layers of code encryption that remind us of Tor’s Onion network. However, we should clarify that there is no relation or any form of abuse of the encrypted network.

According to the researchers, OnionCrypter has actually been around since 2016, used by malware families such as Ursnif, Lokibot, AgentTesla, Zeus, Smokeloader, and at least another 25 strains. In total, Avast has detected and blocked about 400,000 cases of malware wrapped with the OnionCrypter, so it’s clear that its deployment is pretty extensive.

Source: Avast

This tells us that OnionCrypter is almost certainly offered as a service to malware authors and campaigners, as is the case with almost all crypters out there. Avast also mentions some degree of variation among the samples they analyzed, so it seems that OnionCrypter offers its customers the ability to customize it according to their needs, making it harder to detect. So, while Avast’s AV solutions caught 400,000 instances, there could be many more in circulation, which also explains why this particular crypter is still so widely used.

Source: Avast

As explained in the relevant analysis, OnionCrypter is 32-bit software written in C++ that uses three layers of encryption, each with its own unique tricks. For example, the first layer relies heavily on junk code, while layers two and three break the code up into many fragments. Several decryption, decompression, and reassembly routines run when the malware is eventually deployed, but despite the complexity, everything works like clockwork.
