Threat Research

Avast researchers identify OnionCrypter, a key malware component since 2016

Christopher Budd, 17 Mar 2021
Christopher Budd, 17 Mar 2021

We've protected nearly 400,000 global Avast users from malware that makes use of OnionCrypter

Today’s malware is a lot like a car. Both cars and malware are made up of many components that enable them to run. Cars have different parts like engines, tires, and steering wheels; malware has loaders, payloads, and command modules.

Recently, researchers at Avast Threat Labs spent time looking at a specific “part” that malware authors use to make their “cars”. It’s called a “crypter”, which is a tool used to hide malicious parts of code using encryption in an effort to appear as harmless and more difficult to read. Malware authors use this technique to hide their malicious code from researchers, antivirus and security software. From a malware author’s point of view, a crypter is an important tool to counter protections against malware. From a researcher point of view, though, being able to identify a crypter helps us better and more quickly identify new malware when that malware has this component in it.

Introducing OnionCrypter

Our researchers looked into a specific crypter that we’re calling OnionCrypter. We’ve chosen this name because this particular crypter uses multiple techniques to make it harder for researchers, antivirus, and security software to read the information that it protects. Put simply, the information is hidden within the layers of the “onion” of its encryption. OnionCrypter is unusual because of the way it uses multiple layers to hide its information. It’s important to note that the name reflects the many layers this crypter uses, and it’s in no way related to the Tor browser or network.

OnionCrypter-logos_finalWe also found that OnionCrypter has been widely used since 2016 by some of the best known and most prevalent malware families such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. In the last three years, we have protected almost 400,000 Avast users around the world from malware that makes use of OnionCrypter. The chart below shows the different malware families we found using OnionCrypter.

Because of how long OnionCrypter has been around and how widely it's used, our researchers believe that the authors of OnionCrypter offer it for sale as a service. This makes sense: we’ve seen the market for malware mature so that some people and companies offer specific, specialized services. Consistent with that kind of mature market, we also believe the authors of OnionCrypter offer customization for their customers, helping to make it even less detectable. In advertising on forums, this is frequently advertised as a fully undetectable (FUD) crypter.

With the information that Avast researchers have found on OnionCrypter, we’re making it easier for us and others to detect not only OnionCrypter, but also anything that uses it.

Returning to the car analogy, we’ve identified a specific part in the engine that many malware families use. Now, we’re able to look for that part and examine it more closely when we find it in something new our research has shown us that in these cases, it’s a new kind of malware. Our team’s capability for deep research is good for both Avast customers and also for everyone else because this information helps inform those who design and improve upon security software.

To read more about OnionCryper and how it works, check out Jakub Kaloč’s posting on Avast Decoded.