Understanding crypter-as-a-service in a popular underground marketplace

Alejandro de la Cruz, Sergio Pastrana

TL;DR

The paper investigates Crypter-as-a-Service (CaaS) within HackForums, revealing a commoditized underground market for binary obfuscation aimed at AV evasion. It introduces a custom crawler, collects a large-scale dataset (1,492 threads, 128,384 comments, 17,751 users), and analyzes product features, pricing, and social networks to map the ecosystem. A case study of ByteCrypter v3 demonstrates that outdated stubs can limit evasion effectiveness, underscoring the necessity of dynamic updates in the service model. The work highlights the interconnected roles in CaaS, the business-to-business nature of the market, and the practical challenges of maintaining undetected binaries over time. This study provides a baseline for reproducible, cross-forum analyses and suggests avenues for expanded research into underground software obfuscation markets.

Abstract

Crypters are pieces of software whose main goal is to transform a target binary so that it avoids detection by antivirus (AV) applications. They work similarly to packers: they take a malware binary and apply a series of modifications, obfuscations and encryptions to output a binary that evades one or more AVs. The goal is to remain fully undetected, or FUD in the hacking jargon, while maintaining the binary's (often malicious) functionality. In line with the growth of commoditization in cybercrime, the crypter-as-a-service model has gained popularity in response to the increased sophistication of detection mechanisms. In this business model, customers receive an initial crypter, which is updated soon after it becomes detected by antivirus engines. This paper provides the first study of an online underground market dedicated to crypter-as-a-service. We compare the most relevant products on sale, analyze the existing social network on the platform, and compare the different features that the products provide. We also conduct an experiment as a case study to validate the usage of one of the most popular crypters sold in the market, comparing the results before and after crypting binaries (both benign and malware) to show its effectiveness at evading antivirus engines.

Paper Structure (12 sections, 7 figures, 3 tables)

This paper contains 12 sections, 7 figures, 3 tables.

Figures (7)

  • Figure 1: Components of a crypter
  • Figure 2: B2B relations in the crypting-as-a-service model
  • Figure 3: Word histogram
  • Figure 4: Thread creation and comments over time
  • Figure 5: Example of leaflet used
  • ...and 2 more figures