Full Report
The sites were used for more than a decade by cybercriminals who wanted to test malware against security tools.
Analysis Summary
# Tool/Technique: Counter-Antivirus (CAV) / Crypting Services (AVCheck.net, Crypt.guru, Cryptor.live, Cryptor.biz)
## Overview
These platforms were online services, often referred to as crypting services or counter-antivirus (CAV) testing facilities, used extensively by cybercriminals to test and perfect their malware against modern cyber defense tools (antivirus programs). They served as essential 'enablers' for malware developers to ensure their tools remained undetectable.
## Technical Details
- Type: Tool / Service (Infrastructure)
- Platform: Not directly applicable as they were websites/services, but their purpose was to test malware targeting Windows systems (implied by the use of traditional AV).
- Capabilities: Allowing users to test/obfuscate malware submissions against active cyber defense products to achieve higher evasion rates.
- First Seen: Used for more than a decade.
## MITRE ATT&CK Mapping
These services primarily support the process of initial access and execution by ensuring the payload bypasses defenses.
- **T1566 - Phishing** (Indirectly: payloads refined through these services are delivered via phishing)
- **T1566.002 - Spearphishing Link** (Payloads refined here are used in phishing)
- **T1027 - Obfuscated Files or Information**
- **T1027.004 - Compilation Languages** (The resulting tools are highly obfuscated)
- **TA0005 - Defense Evasion**
- **T1484 - Bypass Host Security Software** (The primary operational goal in using these services)
## Functionality
### Core Capabilities
- **Malware Testing:** Providing a platform where cybercriminals could submit their malicious code to test against real, up-to-date antivirus signatures and detection engines.
- **Obfuscation Refinement (Crypting):** Facilitating the refinement of crypting software used to obfuscate malware code, making it challenging for static and dynamic analysis tools to identify.
- **Evasion Development:** Enabling actors to test evasion methods against firewalls and forensic analysis tools.
### Advanced Features
- **Syndicated Infrastructure:** Operated as a syndicate offering these services widely across cybercriminal forums.
- **Scalability:** Services were tiered, costing between $15 and $1,000 depending on the required number of tests.
## Indicators of Compromise
The identified indicators relate to the seized infrastructure rather than malware samples themselves.
- File Hashes: N/A (Infrastructure takedown)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - avcheck[.]net (Defanged by takedown)
  - crypt[.]guru (Defanged by takedown)
  - cryptor[.]live (Defanged by takedown)
  - cryptor[.]biz (Defanged by takedown)
- Behavioral Indicators: Traffic patterns associated with high-volume, automated file submissions for testing purposes.
## Associated Threat Actors
- **Ryuk Ransomware Gang:** Explicitly linked via investigation data, particularly concerning the use of `cryptor[.]biz`.
- General cybercriminals developing and deploying malware, including droppers and ransomware operators.
## Detection Methods
Detection focused on observing network traffic to these specific domains prior to the takedown, or on detecting the final, evasive malware payloads that had been refined through these services.
- Signature-based detection: N/A (Focus was on infrastructure)
- Behavioral detection: Monitoring for unusual automated submissions to services offering obfuscation/testing.
- YARA rules: N/A
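As an added example (not part of the report or of any vendor's product), a small Python scan over constructed proxy log lines that flags requests to the seized domains listed above and clients bursting uploads to them, the behavioural pattern described under detection. The log format, client addresses, 60-second window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Domains named in the report above, kept defanged here and refanged only for matching.
WATCHLIST = {d.replace("[.]", ".") for d in
             ["avcheck[.]net", "crypt[.]guru", "cryptor[.]live", "cryptor[.]biz"]}
# Constructed sample proxy log: "<iso-timestamp> <client> <method> <dest-host> <path> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST avcheck.net /upload 200
2024-05-01T10:00:09Z 10.0.0.5 POST avcheck.net /upload 200
2024-05-01T10:00:17Z 10.0.0.5 POST www.avcheck.net /upload 200
2024-05-01T10:01:00Z 10.0.0.7 GET example.com / 200
2024-05-01T10:05:00Z 10.0.0.9 GET cryptor.biz / 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \S+ \d{3}$")

def host_on_watchlist(host, watchlist=WATCHLIST):
    # Match the domain itself or any subdomain, never a bare substring (e.g. "notavcheck.net").
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def parse_log(text):
    # One dict per well-formed line; malformed lines are skipped rather than aborting the scan.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, method, host = m.groups()
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           "client": client, "method": method, "host": host})
    return events

def watchlist_hits(text, watchlist=WATCHLIST):
    # Every request whose destination matches the seized-domain watchlist.
    return [e for e in parse_log(text) if host_on_watchlist(e["host"], watchlist)]

def automated_submitters(text, watchlist=WATCHLIST, window_s=60, threshold=3):
    # Clients that POST (upload) to watchlisted hosts >= threshold times inside any window_s span.
    posts = defaultdict(list)
    for e in watchlist_hits(text, watchlist):
        if e["method"] == "POST":
            posts[e["client"]].append(e["ts"])
    flagged = {}
    for client, times in posts.items():
        times.sort()
        bursts = [sum(1 for t in times[i:] if (t - s).total_seconds() <= window_s)
                  for i, s in enumerate(times)]
        if max(bursts) >= threshold:
            flagged[client] = max(bursts)
    return flagged
```

Since the domains are now seized, a hit in historical logs is the useful signal: it identifies hosts that were staging malware for testing before the takedown.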
## Mitigation Strategies
The primary mitigation success here was law enforcement intervention, not typical security controls.
- Prevention measures: Law enforcement seizure and operational disruption (Operation Endgame).
- Hardening recommendations: Traditional endpoint security remains crucial, since threat actors rely on services like these specifically to bypass it. Keeping security products updated is vital, as new signatures are required to catch malware refined through these CAV services.
## Related Tools/Techniques
- Cryptors/Crypters (General category of software used for obfuscation)
- Malware Development Frameworks (The tools being refined using these services)
- Operation Endgame (The law enforcement operation responsible for the seizure)