European authorities have arrested two Romanian suspects for allegedly running two crypter services that helped cybercriminals encrypt malicious files to evade antimalware systems.
The arrests were part of a joint operation by Europol, the Romanian Police, the FBI, and other national police forces to target cybercrime services. The two crypter services the suspects allegedly operated are CyberSeal and Dataprotector, and officials say the suspects also ran a separate service called Cyberscan that would test encrypted malicious files against various antimalware software to ensure that they were not detected. The unnamed suspects advertised the various services on underground forums, charging up to $300, depending upon the length of the license.
Crypter services have been around for many years and are used by a wide variety of cybercriminals to prepare their malware to slip by security software. Generally, the services run malicious files through one or more encryption algorithms and then pass them back to the customer. In some cases, as with the Romanian suspects’ services, the buyer can pay extra to have the file tested against a menu of antimalware systems to ensure the crypting process was effective.
“At the same time, the developers promoted the services intensively in the online environment and on platforms dedicated to cybercrime, offering users even video tutorials on the functionalities of the services for modifying various malware files,” the Romanian Police said.
“Following the investigations, a total number of approximately 3000 malware files modified by using the illegal services CyberSeal and DataProtector could be identified, files used to launch cyber attacks on computer systems around the world, including Romania.”
As cybercrime has proliferated and evolved in the last decade, individuals and small groups have begun to gravitate toward specific skills and services, a kind of division of labor that enables criminals to focus on what they’re best at and outsource the rest. While APT groups have internal development teams, operators, QA groups, and intrusion teams, cybercriminals who are farther down the food chain don’t have all of those resources at their disposal, so they often buy what they need from others in the criminal underground.
As part of the operation that included the two arrests, law enforcement officials also took down the back-end infrastructure used by the suspects in the United States, Romania, and Norway.
“Crypter services facilitate the spread and development of cyber attacks, thus becoming very dangerous and easy to use tools for both cybercriminals with experience and technical knowledge, but also for young people who are at the stage of experiments in the online environment,” the Romanian police said.