Fud Sheikh Crypter [EXCLUSIVE]
Recently, two suspects were arrested for selling Cryptex Reborn and other FUD tools (helping to install malware in a Fully UnDetectable way). Today, we will study some examples to make sure that everyone knows what this type of tool is and why it is dangerous. We will also present some examples of identifying and unpacking a malware crypter.

Crypters - what are they?

Most modern malware samples, in addition to built-in defensive techniques, are protected by some packer or crypter. A crypter's role is basically to be the first - and most complex - layer of defense for the malicious core. They try to deceive pattern-based or even behavior-based detection engines, often slowing down the analysis process by masquerading as a harmless program and then unpacking/decrypting their malicious payload.
Underground crypters, created to defend malware against antivirus/anti-malware products, are sold in typical cybercriminal hangouts. Below, you can see examples of crypters being advertised on the black market and the tricks they use:
As you can see, a crypter is a completely independent module. Cybercriminals can use it to protect any malware that they want to deliver. That's why knowing which crypter was used does not help in identifying the malware family. As an example, I would like to present several different malware samples packed by the same (or a similar) crypter.

Analyzed samples

27b138e6bed7acfe72daa943762c9443 - a DLL delivered by Magnitude Exploit Kit (referred to below as Magnitude.dll), carrying payload: d890bd08180d69ee6ee5f7658be33030

bbcfb9db21299e9f3b248aaec0a702a5 - an executable captured under the name makta.exe, carrying payload: 3cf25fa56e8e8ececf90d8f2e8f123e8

1afb93d482fd46b44a64c9e987c02a27 - an executable delivered by Blackhole Exploit Kit (referred to below as blackhole.exe), carrying payload: 5a58395fda49c8f3f4571a007cf02f4d
Identifying similarities

Before we start unpacking, let's have a look at the similarities in the code that made me believe that the above three samples (captured in different distribution campaigns) were all packed by the same tool.
stage#1
makta.exe: key = 0x57FC
blackhole.exe: key = 0x82A3, max_size = 0x19400
Magnitude.dll: key = 0x0A42

stage#2
all 3 files: key = 0x03E9
Writing Auto-unpacker

The characteristics of this packer allow us to write an auto-unpacker. It can be done in the following steps:

1. Find the encrypted chunks (by patterns) and glue them together
2. Find the XOR key (by XOR with expected output)
3. Use it to decrypt the memory fragment (stage#1)
4. Save the decrypted PE file (payload)

Full code of static unpacker: decrypter1.cpp
The described crypter seems to be popular nowadays. However, it is not an advanced tool: for example, it deploys no defense against debuggers or virtual environments. The author put a lot of effort into obfuscating the code in order to hide the encryption method, but looking at the visualization we can recognize that it is XOR-based encryption, and not even implemented well (encrypting a DWORD-sized unit with a WORD-sized key leaves visible artifacts). This is why we could easily write a static unpacker for future use.
I will give you some information about a crypter. This software will help you to remove all the false detections. It can be defeated with the software and your file will get protected. It is easy to use.
The reason it is so difficult is that antivirus products release updates that can continue to cause conflicts. The problem with most crypters is that they are usually not updated to remain protected from antiviruses.
Crypter is a high-performance packer and protector for Windows 32-bit executables. Crypter can encrypt and compress any 32-bit executable without affecting its direct functionality. For instance, if you're a software developer, you can encrypt your applications before they are delivered to customers. By using Crypter, the applications will be more protected and smaller.

The official Crypter website: www.crypter.com

Crypter is fully compatible with Windows 2k, Windows XP, Windows Vista, Windows 7 and Windows 8 (both 32-bit and 64-bit systems).
Mini Crypter provides maximum protection against reverse engineering and antivirus detections, making it the perfect choice for developers who want to add tough-to-crack protection to their software programs. Nonetheless, our crypter is at the same time an executable packer. The...
CypherX Crypter is a unique type of FUD crypter that will protect your files using undetectable encryption and obfuscation algorithms. CypherX Crypter ensures maximum security from reverse engineering and antivirus false positives, making it a perfect choice for penetration testers...