ASMCrypt is a loader and crypter marketed as an updated version of the DoubleFinger loader malware [3]. Its sole purpose is to get a final payload running on the victim machine without being detected by antivirus or endpoint detection and response (EDR) products [1] [2] [3] [4].

Description

ASMCrypt is sold as a client application: using pre-set credentials, customers connect through the TOR network to a backend service [3] [4], and through that backend they build their own payloads for use in campaigns [4]. The build output is an encrypted blob concealed inside a .PNG file [4], which the customer must then upload to an image hosting site [2] [4]. Hosting the image externally keeps the payload out of the initial executable, so the loader that lands on the victim carries nothing an AV or EDR signature can match until the image is retrieved and the blob decrypted. These details come from Kaspersky's published analysis of ASMCrypt, which documents both the TOR-based backend communication and the .PNG carrier [4].
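The page does not say how ASMCrypt packs the blob into the .PNG, so a defender has to check the usual hiding places. The script below is an added example, not code from the reports or from Kaspersky: it parses the PNG chunk structure and flags the two cheapest tricks, data appended after the IEND chunk and a private chunk the decoder will ignore, reporting the byte entropy of appended data so an encrypted blob (near 8 bits/byte) stands out from, say, trailing metadata. The baseline image, the `blOb` chunk name and the stand-in payload are constructed here for the demonstration; any hosted image you actually pull down is the realistic input.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is private or unknown.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and typical of encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_png(data: bytes):
    """Walk the chunk list. Returns (chunks, trailing): chunks is a list of
    (type, length, crc_ok); trailing is whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        crc_ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        chunks.append((ctype, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break  # a decoder stops here; anything after is dead weight to the image
    return chunks, data[pos:]


def suspicious_findings(data: bytes):
    """Heuristics for a PNG carrying a hidden payload. Empty list means nothing odd."""
    chunks, trailing = parse_png(data)
    findings = []
    if not any(ctype == b"IEND" for ctype, _, _ in chunks):
        findings.append("no IEND chunk")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND "
                        f"(entropy {shannon_entropy(trailing):.2f} bits/byte)")
    for ctype, length, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} of {length} bytes")
        if not crc_ok:
            findings.append(f"CRC mismatch on chunk {name}")
    return findings


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def minimal_png() -> bytes:
    """A valid 1x1 RGB PNG, constructed here as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def hide_in_private_chunk(png: bytes, blob: bytes, ctype: bytes = b"blOb") -> bytes:
    """Insert blob as a private ancillary chunk just before IEND (assumes IEND is last,
    which holds for minimal_png). 'blOb' is a made-up chunk name for this example."""
    return png[:-12] + make_chunk(ctype, blob) + png[-12:]


if __name__ == "__main__":
    clean = minimal_png()
    fake_blob = bytes(range(256)) * 4   # constructed stand-in for an encrypted blob
    for label, sample in [("clean", clean),
                          ("appended", clean + fake_blob),
                          ("private chunk", hide_in_private_chunk(clean, fake_blob))]:
        print(label, suspicious_findings(sample) or "nothing unusual")
```

Run it against images fetched by processes that have no business loading images, or against anything downloaded shortly before a process injection alert; a clean image returns no findings, while either hiding method above produces a single finding naming the size of the carried data. A crypter that instead spreads the blob across pixel data will pass these checks, so treat a silent result as "nothing cheap found", not as a clean bill.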

Conclusion

ASMCrypt is built to defeat antivirus and EDR products, and the design described above explains why signature-based detection of the initial loader is a weak bet: the payload is not in the file that lands on the endpoint but in an encrypted blob hidden in an image on a legitimate hosting site. Because customers build their own payloads through the service, the same loader can front very different campaigns, so detection should key on behaviour (a process fetching an image and then injecting or executing code, outbound TOR traffic from unexpected hosts) rather than on any one sample. Security teams should track further reporting on ASMCrypt and its DoubleFinger lineage and make sure their controls are not relying on the loader itself looking malicious.

References

[1] https://beker.uk/2023/09/29/cybercriminals-using-new-asmcrypt-malware-loader-flying-under-the-radar/
[2] http://bssn.esy.es/index.php/2023/09/29/cybercriminals-using-new-asmcrypt-malware-loader-flying-under-the-radar/
[3] https://cybersec84.wordpress.com/2023/09/30/cybercriminals-using-asmcrypt-malware-loader-to-attack-businesses/
[4] https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html