Understanding crypter-as-a-service in a popular underground marketplace
Alejandro de la Cruz, Sergio Pastrana

TL;DR
This paper investigates the crypter-as-a-service model in an underground marketplace, analyzing products, social networks, and validating effectiveness in evading antivirus detection through a case study.
Contribution
First comprehensive analysis of crypter-as-a-service in underground markets, including product comparison, social network analysis, and experimental validation of evasion capabilities.
Findings
Crypter products vary significantly in features and effectiveness.
Social networks facilitate the distribution and support of crypter services.
Crypting binaries can significantly improve evasion of antivirus detection.
Abstract
Crypters are pieces of software whose main goal is to transform a target binary so it can avoid detection by Anti-Virus (AV from now on) applications. They work similarly to packers, by taking a malware binary and applying a series of modifications, obfuscations and encryptions to output a binary that evades one or more AVs. The goal is to remain fully undetected, or FUD in the hacking jargon, while maintaining its (often malicious) functionality. In line with the growth of commoditization in cybercrime, the crypter-as-a-service model has gained popularity, in response to the increased sophistication of detection mechanisms. In this business model, customers receive an initial crypter which is soon updated once it becomes detected by anti-viruses. This paper provides the first study on an online underground market dedicated to crypter-as-a-service. We compare the most relevant products in…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies
