Crypter

A crypter is a type of software that can encrypt, obfuscate, and manipulate malware to make it harder for security programs to detect. Cybercriminals use it to create malware that bypasses security programs by presenting itself as a harmless program until it is installed.

Types of crypters

A crypter contains a crypter stub, the code used to encrypt and decrypt malicious code. Depending on the type of stub they use, crypters can be classified as either static/statistical or polymorphic.

  • Static/statistical crypters use different stubs to make each encrypted file unique. Having a separate stub for each client makes it easier for malicious actors to modify or, in hacking terms, “clean” a stub once it has been detected by security software.
  • Polymorphic crypters are considered more advanced. They use state-of-the-art algorithms that utilize random variables, data, keys, decoders, and so on. As such, one input source file never produces an output file that is identical to the output of another source file.

Cybercriminal underground prices

Crypters abound in the cybercriminal underground market and are usually offered with the following pricing schemes:

 

 

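| Crypter type                 | 2011         | 2012         | 2013         |
|------------------------------|--------------|--------------|--------------|
| Basic static                 | US$ 10 - 30  | US$ 4 - 10   | No data      |
| Static with stub and add-ons | US$ 30 - 80  | US$ 15 - 25  | US$ 10 - 30  |
| Polymorphic                  | US$ 100      | US$ 80       | US$ 65       |

Price of crypters in the Russian underground, 2011-2013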

Underground markets were also found advertising crypter-modification training sessions and lessons on creating crypters.

Website advertising a crypter-modification training

 

In 2016 research on cybercrime and the Deep Web, Trend Micro found that crypters can be bought in various underground markets worldwide. Crypters are available in the Russian, Chinese, German, U.S., and Brazilian cybercrime underground markets.

How crypters spread malicious code

  1. Cybercriminals create crypters or buy them on underground markets.
  2. They use crypters to encrypt a malicious program then reassemble the code into an actual working program.
  3. They send these programs as part of an attachment in spear phishing emails and spammed messages.
  4. Unknowing users open the program, which will force the crypter to decrypt itself and then release the malicious code.
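Because the malicious code stays encrypted inside the delivered program until step 4, it usually shows up as a long run of near-random bytes. The following is an added example, not part of the original page: a common triage heuristic that flags high-entropy regions in a file. The window size, threshold, and the sample input are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = 1024, threshold: float = 7.2):
    """Return merged (start, end) byte ranges whose windows meet the threshold."""
    regions = []
    for start in range(0, len(blob), window):
        chunk = blob[start:start + window]
        if len(chunk) < window // 2:  # tail too short to measure reliably
            continue
        if shannon_entropy(chunk) >= threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # extend adjacent region
            else:
                regions.append((start, end))
    return regions


def constructed_sample() -> bytes:
    """Constructed input: readable padding around a pseudo-random blob that
    stands in for an encrypted payload (chained SHA-256, so it is repeatable)."""
    text = (b"plain readable padding text " * 200)[:4096]
    block, payload = b"constructed-seed", b""
    while len(payload) < 8192:
        block = hashlib.sha256(block).digest()
        payload += block
    return text + payload + text


if __name__ == "__main__":
    for start, end in high_entropy_regions(constructed_sample()):
        print(f"high-entropy region: bytes {start}-{end}")
```

Compressed archives and media files also score high, so a hit is a reason to inspect the file further rather than a verdict on its own.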

Takedown of crypting services

Trend Micro works with public and private institutions to take down sites that offer crypters and other malicious tools. In November 2015, a partnership between the Trend Micro Forward-Looking Threat Research team and the National Crime Agency of the UK (NCA) led to the shutdown of Refud.me and Cryptex Reborn, popular sources of crypting services.

