A DNS Deep Dive into Malware Crypting | WhoisXML API


Threat actors now routinely use malware crypting to evade detection and the blocking that follows, and AceCryptor, it seems, has become a must-have crypter for them.[1]

The ubiquity of malware crypting has also prompted members of the cybersecurity community to call for a clampdown on crypting services.[2]

To uncover more as-yet-unidentified connected artifacts in our bid to make the Internet safer, WhoisXML API expanded the published lists of IoCs connected to malware crypting services in general[3] and to AceCryptor in particular,[4] aided by our extensive DNS intelligence.

Our in-depth analysis led to the discovery of:

  • 786 domains containing the string mobile-soft or cryptor, mirroring the domains hosted on the dedicated IP addresses (below); two of them were tagged as malicious by a bulk malware check tool
  • Four dedicated or possibly dedicated IP addresses to which some AceCryptor IoCs resolved, two of which may already have figured in malware campaigns according to a bulk malware check
  • 279 domains hosted on the dedicated AceCryptor IP addresses, 17 of which were flagged as malicious by a bulk malware check tool
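The findings above come from a standard DNS pivot: resolve the seed IoCs to IP addresses, keep only the addresses that look dedicated rather than shared hosting, enumerate the other domains on those addresses, and separately search for domains carrying the same naming pattern. The script below is an added illustration of that pivot and is not WhoisXML API's tooling or data: the passive-DNS rows, seed IoCs, substrings and the "dedicated" cut-off are all constructed (reserved `.example`/`.test` names and RFC 5737 documentation IP ranges), and the threshold of five hosted domains is an assumption, since the report does not publish its own criterion.

```python
"""Pivot from seed crypter IoC domains through passive DNS to dedicated IPs,
their co-hosted domains, and string-pattern lookalikes.

Added example. All rows, IoCs and thresholds are constructed for illustration
(RFC 2606 reserved TLDs, RFC 5737 documentation IP ranges); none of this is
WhoisXML API data or the report's own code.
"""
from collections import defaultdict

# Constructed passive-DNS resolutions: (domain, ipv4). In practice these
# would come from a passive-DNS or reverse-IP feed.
PDNS = [
    ("crypt-panel.example", "192.0.2.10"),
    ("crypt-panel.example", "192.0.2.11"),
    ("mobile-soft-update.example", "192.0.2.10"),
    ("cdn-loader.example", "192.0.2.10"),
    ("shop.example", "198.51.100.5"),   # shared hosting with many tenants
    ("blog.example", "198.51.100.5"),
    ("news.example", "198.51.100.5"),
    ("mail.example", "198.51.100.5"),
    ("files.example", "198.51.100.5"),
    ("acecryptor-support.example", "198.51.100.5"),
    ("build-service.example", "192.0.2.11"),
    ("unrelated.test", "203.0.113.7"),
]

# Constructed seed IoCs standing in for the published crypter indicators.
SEED_IOCS = {"crypt-panel.example", "acecryptor-support.example"}

# Assumption: an IP is treated as dedicated when it hosts at most this many
# distinct domains. Shared hosting above the cut-off is dropped so its
# unrelated tenants are not swept in as "connected" artifacts.
DEDICATED_MAX_DOMAINS = 5


def index_pdns(rows):
    """Build forward (domain -> ips) and reverse (ip -> domains) maps."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for domain, ip in rows:
        d = domain.lower().rstrip(".")
        fwd[d].add(ip)
        rev[ip].add(d)
    return fwd, rev


def resolve_iocs(iocs, fwd):
    """Every IP that any seed IoC resolved to."""
    return {ip for d in iocs for ip in fwd.get(d.lower(), ())}


def dedicated_ips(ips, rev, max_domains=DEDICATED_MAX_DOMAINS):
    """Keep only IPs hosting few enough domains to be plausibly dedicated."""
    return {ip for ip in ips if len(rev[ip]) <= max_domains}


def cohosted_domains(ips, rev, exclude):
    """Domains sharing the dedicated IPs, minus the seeds that led there."""
    return {d for ip in ips for d in rev[ip]} - {e.lower() for e in exclude}


def string_matches(domains, substrings):
    """Domains whose name contains any of the crypter-themed substrings."""
    subs = tuple(s.lower() for s in substrings)
    return {d for d in domains if any(s in d for s in subs)}


def pivot(rows=PDNS, iocs=SEED_IOCS, substrings=("mobile-soft", "cryptor")):
    """Run the full pivot and return sorted result lists for each stage."""
    fwd, rev = index_pdns(rows)
    ips = resolve_iocs(iocs, fwd)
    ded = dedicated_ips(ips, rev)
    return {
        "resolved_ips": sorted(ips),
        "dedicated_ips": sorted(ded),
        "cohosted_domains": sorted(cohosted_domains(ded, rev, iocs)),
        "string_matches": sorted(string_matches(fwd, substrings)),
    }


if __name__ == "__main__":
    for stage, values in pivot().items():
        print(f"{stage}: {values}")
```

On the constructed data, 198.51.100.5 is reached from a seed IoC but hosts six domains, so the threshold discards it and its five unrelated tenants never appear as co-hosted artifacts; the two remaining IPs yield three co-hosted domains, and the substring pass independently picks out the names containing mobile-soft and cryptor. Anything the pivot surfaces is a lead to be checked (for instance with a bulk malware lookup, as the report did), not a verdict.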

Download a sample of the threat research materials now or contact us to access the complete set.

  • [1] https://thehackernews.com/2023/05/acecryptor-cybercriminals-powerful.html
  • [2] https://krebsonsecurity.com/2023/06/why-malware-crypting-services-deserve-more-scrutiny/
  • [3] https://otx.alienvault.com/pulse/64944c08e39f6f341f7add45
  • [4] https://otx.alienvault.com/pulse/647555f0ead1826af32ece1d