ARCrypt Ransomware Adapts Tor Communication Channels to Avoid Detection

A newly evolved Linux variant of the ARCrypt ransomware, written in Go, has begun targeting victims worldwide.

ARCrypt was first observed in August 2022 and can target both Linux and Windows machines.


According to Cyble Research, the new variant has updated the tactics and techniques it uses to interact with victims in order to evade detection.

Analysis of New Variant

Unlike the old variant, the new variant communicates with victims through mirror sites, and the threat actors create a unique chat site for each victim.

It also instructs victims to create a profile on the TOX messaging service for communication, and it offers a discount if the ransom is paid in Monero.

The initial attack vector is unknown. Once the payload is executed, the ransomware copies itself to the %TEMP% directory under a random six-character name made up of uppercase letters and digits.

It then deletes the original ransomware binary with the command “cmd /c DEL "%SAMPLEPATH%" &EXIT”; older versions used a batch script to remove the initial executable.

In addition, it terminates processes related to anti-malware, backup and recovery software, both to speed up encryption and to evade detection by EDR tools.

Finally, the ransomware drops its ransom note before encrypting files and appends the “.crYpt” extension to encrypted files, whereas the older variant used “.crypt”.
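The execution chain above (copy to %TEMP% under a random six-character name, self-deletion through cmd /c DEL … &EXIT, and the case-sensitive .crYpt extension) can be turned into host-based detection logic. The block below is an added example written for this article, not code from Cyble or from the ransomware: it runs three checks over constructed Sysmon-style process and file events. The event field names, the sample paths and the assumption that the random six-character value is the staged file's stem are mine, not from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]      # constructed, Sysmon-like: event, image, parent_image, command_line, target
Finding = Tuple[str, str]   # (rule name, detail)

# The self-deletion command quoted in the article: cmd /c DEL "<path>" &EXIT
# Case-insensitive; quotes optional; whitespace around '&' optional; cmd may carry a full path.
CMD_DEL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+/c\s+del\s+"?([^"&]+?)"?\s*&\s*exit\b',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)   # %TEMP% of a normal user
# Assumption: the random six-character uppercase alphanumeric value is the staged file's stem.
STAGED_NAME_RE = re.compile(r"^[A-Z0-9]{6}(?:\.[A-Za-z0-9]+)?$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_staged_copy(path: str) -> bool:
    """True for a file in the user's Temp directory whose stem is six uppercase letters/digits."""
    return bool(TEMP_DIR_RE.search(path)) and bool(STAGED_NAME_RE.match(basename(path)))


def classify_extension(path: str) -> Optional[str]:
    """'.crYpt' marks the new variant, '.crypt' the old one. The comparison is case-sensitive:
    NTFS preserves the case a name was created with, so the logged name keeps the capital Y."""
    if path.endswith(".crYpt"):
        return "new"
    if path.endswith(".crypt"):
        return "old"
    return None


def check_event(ev: Event) -> List[Finding]:
    findings: List[Finding] = []
    kind = ev.get("event")
    if kind == "process_create":
        m = CMD_DEL_RE.match(ev.get("command_line", ""))
        if m:
            target, parent = m.group(1).strip(), ev.get("parent_image", "")
            if target.lower() == parent.lower():
                findings.append(("self_delete", f"{parent} deleted its own image via cmd /c DEL"))
            elif target.lower().endswith(".exe"):
                # e.g. the %TEMP% copy removing the original binary
                findings.append(("cmd_del_executable", f"{parent} deleted executable {target}"))
        if is_staged_copy(ev.get("image", "")):
            findings.append(("temp_staged_exec", ev["image"]))
    elif kind in ("file_create", "file_rename"):
        target = ev.get("target", "")
        if kind == "file_create" and is_staged_copy(target):
            findings.append(("temp_staged_write", target))
        variant = classify_extension(target)
        if variant:
            findings.append((f"arcrypt_ext_{variant}", target))
    return findings


def scan_events(events: List[Event]) -> List[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed telemetry for one infection; not real logs.
TEMP_COPY = r"C:\Users\victim\AppData\Local\Temp\Q7X2KD.exe"
ORIGINAL = r"C:\Users\victim\Downloads\invoice.exe"
SAMPLE_EVENTS: List[Event] = [
    {"event": "file_create", "image": ORIGINAL, "target": TEMP_COPY},
    {"event": "process_create", "image": TEMP_COPY, "parent_image": ORIGINAL,
     "command_line": f'"{TEMP_COPY}"'},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": ORIGINAL,
     "command_line": f'cmd /c DEL "{ORIGINAL}" &EXIT'},
    {"event": "file_rename", "image": TEMP_COPY, "target": r"C:\Users\victim\Documents\report.docx.crYpt"},
    {"event": "file_rename", "image": TEMP_COPY, "target": r"C:\Users\victim\Documents\old.xlsx.crypt"},
    # Benign: cmd deleting a text file on behalf of Explorer must not fire.
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd /c DEL "C:\Users\victim\Desktop\notes.txt" &EXIT'},
]

if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"{rule:20} {detail}")
```

The extension check deliberately does not lower-case the name: the only thing separating the new variant from the old one in file telemetry is the capital Y, and normalising case would throw that away. The staged-copy rule on its own will produce noise from installers that also drop short random names into Temp; it is meant to be correlated with the self-deletion and extension hits, not alerted on alone.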

The ransom notes in the analysed binaries direct victims to different Tor sites for communication; the sites share the same user interface but have different URLs.

Ransomware threat actors typically list all of their mirror sites in the ransom note so that victims can fall back to an alternative site if one becomes inaccessible.

This ARCrypt strain introduces a new ransom note that only vaguely resembles the earlier one.

An updated version of ARCrypt has emerged with these modifications, and researchers believe the threat actor behind it is trying to stay out of the public eye.

Indicators of Compromise

Each sample is listed with its MD5, SHA-1 and SHA-256. The source ran the three hashes of each sample together as one string; they are split here at 32, 40 and 64 hex characters, assuming the MD5, SHA-1, SHA-256 order of the source table.

Sample 1
MD5      9b80a70be01700866a667085aad93b5a
SHA-1    0408d6208440ef3caf7078361897f47c911de543
SHA-256  a933ebeb8bec26881b2d191f5034b7d6cacbb8d2cc06eeb7327f752fd0fab24d

Sample 2
MD5      7df9c7e23c2a1f8d3d87cd2460bb275c
SHA-1    b589fccc88bd05df102b7584c356fce21be1de58
SHA-256  94e227ad918034ae9b569a380a5e6c8928428862236395e3357a085b03f25fef

Sample 3
MD5      90aeedae5648c65ca3c3fb2ac0380337
SHA-1    44069c654987abb00ce9068dd856bd2065a20aa9
SHA-256  e56eba93a0f3fab5e26c992a18cb6754c4b1a688e26a73c424d272babeab503c

Sample 4
MD5      a84957660902eb17fd021f3d187fb787
SHA-1    cb3700cb561a449e6ff88978fb4ce1495982fe95
SHA-256  b38807e5d6c4c4ae6811058fd868256abd6ed95f440e7f27ea81408bb9ee27fb

Sample 5
MD5      a0aad92f585dfc6ac762b5fc829e6fba
SHA-1    9ad2ae2c7fda526131ad6d535b21fe55d027d3aa
SHA-256  4f2e40e6353a2430a80824d113268b5cdb28a0ddb079418be05ba79dea608410
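A hash-matching check against the indicators above, as an added example written for this article rather than code from Cyble or the original page. It embeds the five indicator strings as printed, splits each into MD5, SHA-1 and SHA-256 by length (assuming the MD5, SHA-1, SHA-256 order of the source table, which is my assumption), and hashes every file under a directory against them. The scan root, the `hello` test input and the function names are mine.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# The five indicator strings as printed in the article. Each is the MD5, SHA-1 and
# SHA-256 of one sample run together: 32 + 40 + 64 = 136 hex characters.
RAW_INDICATORS = [
    "9b80a70be01700866a667085aad93b5a0408d6208440ef3caf7078361897f47c911de543a933ebeb8bec26881b2d191f5034b7d6cacbb8d2cc06eeb7327f752fd0fab24d",
    "7df9c7e23c2a1f8d3d87cd2460bb275cb589fccc88bd05df102b7584c356fce21be1de5894e227ad918034ae9b569a380a5e6c8928428862236395e3357a085b03f25fef",
    "90aeedae5648c65ca3c3fb2ac038033744069c654987abb00ce9068dd856bd2065a20aa9e56eba93a0f3fab5e26c992a18cb6754c4b1a688e26a73c424d272babeab503c",
    "a84957660902eb17fd021f3d187fb787cb3700cb561a449e6ff88978fb4ce1495982fe95b38807e5d6c4c4ae6811058fd868256abd6ed95f440e7f27ea81408bb9ee27fb",
    "a0aad92f585dfc6ac762b5fc829e6fba9ad2ae2c7fda526131ad6d535b21fe55d027d3aa4f2e40e6353a2430a80824d113268b5cdb28a0ddb079418be05ba79dea608410",
]

# Assumption: the hashes appear in MD5, SHA-1, SHA-256 order (the row layout of the
# source IoC table). If the source used another order, only this tuple needs changing.
HASH_LAYOUT: Tuple[Tuple[str, int], ...] = (("md5", 32), ("sha1", 40), ("sha256", 64))
HEX = set("0123456789abcdef")


def split_indicator(line: str) -> Dict[str, str]:
    """Split one concatenated line into {"md5": ..., "sha1": ..., "sha256": ...}, refusing malformed input."""
    line = line.strip().lower()
    if len(line) != sum(w for _, w in HASH_LAYOUT) or not set(line) <= HEX:
        raise ValueError(f"not a concatenated md5/sha1/sha256 triple: {line[:16]}...")
    parts, pos = {}, 0
    for algo, width in HASH_LAYOUT:
        parts[algo] = line[pos:pos + width]
        pos += width
    return parts


def build_index(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """(algorithm, hexdigest) -> 1-based sample number, so a hit on any one hash type identifies the sample."""
    index: Dict[Tuple[str, str], int] = {}
    for sample_no, line in enumerate(lines, 1):
        for algo, digest in split_indicator(line).items():
            index[(algo, digest)] = sample_no
    return index


def digests(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo, _ in HASH_LAYOUT}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """All three digests in one pass, reading in chunks so large files need not fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo, _ in HASH_LAYOUT}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match(file_digests: Dict[str, str], index: Dict[Tuple[str, str], int]) -> List[Tuple[str, int]]:
    """Every (algorithm, sample number) pair that the file's digests hit in the index."""
    return [(algo, index[(algo, d)]) for algo, d in file_digests.items() if (algo, d) in index]


def scan_tree(root: str, index: Dict[Tuple[str, str], int]) -> List[Tuple[str, List[Tuple[str, int]]]]:
    """Walk a directory (a mounted image, a user's Temp folder) and report files matching any indicator."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                found = match(digest_file(path), index)
            except OSError:   # unreadable or vanished file: skip it rather than abort the scan
                continue
            if found:
                hits.append((path, found))
    return hits


if __name__ == "__main__":
    import sys
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", build_index(RAW_INDICATORS)):
        print(path, found)
```

Indexing all three digest types separately means a match still works when a peer tool only exports one of them; a file that hits on one algorithm but not the others would indicate a corrupted indicator (or a split in the wrong order) and is worth inspecting rather than trusting.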


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.