A Peek Inside a Recently Seized Malware Crypting as a Service Domain Portfolio - An Analysis

 

Dear blog readers,

In this analysis I’ll take a look at a recently seized malware crypting as a service domain and will offer additional insights into how the service works.

From the press release:

"AegisTools.pw is a platform known in the underground economy since 2020 that primarily provided counter antivirus and crypting services - two important pillars within cybercrime-as-a-service from a phenomenological perspective model. It made it possible to disguise malware so that it could not be detected by common antivirus programs. “Aegis Tools.pw” also offered tests to check the effectiveness of the encryption directly on the platform. Furthermore, software was offered for the unauthorized acquisition of user password access data. “AegisTools.pw” itself, on the other hand, did not require any classic registration from its users and could be used almost anonymously. The police evaluations indicate that the platform has been used by over 1,000 users worldwide for their cybercriminal activities in the past. All services could be paid for with cryptocurrencies."

Related URLs and known responding IPs:

hxxp://aegistools[.]pw

188[.]114[.]96[.]14

188[.]114[.]97[.]9

188[.]114[.]97[.]3

18[.]66[.]122[.]31

188[.]114[.]97[.]11

Sample MD5s known to have phoned back to the service:

2988d6cadc497893955ea80fd825978c0cda7ed5cd39e7f8fdf70e3ddbfd1b97

6492ebf2b7aa38fa836ef525515c3eea43c7a90bbc0626607b0b3f5139e977a6

67114ed2eb89c89b3abb07f4379d1482fa7ee165c6d11491dff383ae292c9b50

7a4cc644bdace1909c649a42dbaee5b68ae3fa9e242a5e741924b14f1ee85083

9c3abe3349c450ed1943d28c3b1abc398ae2be5ebe21762c9e44eccca8d26793

b49bec25e7ee0e9de2004eeaef7ae1a4e509e0efa4a3618e009687c5322570d0

cbaf7335eb0b5937ebd23495faf37e406f98a8e4d8436db2d0746a8a44df0274

da6704d4e134d4e7acccfb86fa9c9bdf2310db0666105faae7307e53f0a18d16

e82bc0f09530aacef6f1d4a8e5d627b4df8b9af7ed0d8d744038a5816db0e9c8

eb62d844f531911c4b87d6313336ee9a8e92c4548b17d4b5a6e74a9ffdb58b30

1e6ef1b35a4632284f631f214960be2bf0cda25c16c6c13ace6f8ed399cef3f0

2988d6cadc497893955ea80fd825978c0cda7ed5cd39e7f8fdf70e3ddbfd1b97

3d901e7da0cfbdfd64100a06abdae284eb8555bf979ecc69b6fc08a8068dec9f

91d475bd61c48d46d66b094a17968639a9cb81038fccc0e6523e81ec7d524890

a3d3138b1f826bb54b6c96e2f02a3f975f1d8d4a204f24df8da5077f6843e4e8

46e89ca6d9e04c39c9a32b4cbae5e6a1355eadccb6c643c4aebbe0ebf4f21bbe

0e5912fc9be4333ed10288eeb95862886e47cf2a7a7a82ab7ceb03a0d7ec182f

8f75a63194c7bab36616ed2e072213d72621ba6df9cfdebd929b5f47e2f6acd3

30993b4ddecde947b1720620e950c30b00d3badde656b8206cf64ef697b4b50a

b285b159a313f10304ebed8cde6ac2f2c887165726ea144536b5503432148764

27b87aee748aad93a92df284eaf573c3e777db21dc523150ac6883c9140ab2d8

eb62d844f531911c4b87d6313336ee9a8e92c4548b17d4b5a6e74a9ffdb58b30

cbaf7335eb0b5937ebd23495faf37e406f98a8e4d8436db2d0746a8a44df0274

e82bc0f09530aacef6f1d4a8e5d627b4df8b9af7ed0d8d744038a5816db0e9c8

Sample malicious MD5s phone back URLs:

hxxp://aegistools[.]pw/ui/account/static/css/2[.]7c0cfee5[.]chunk[.]css

hxxp://aegistools[.]pw/ui/account/favicon[.]svg

hxxp://aegistools[.]pw/api/licensing/dl/dep

hxxp://aegistools[.]pw/ui/account/static/js/main[.]40ef9d2c[.]chunk[.]js

hxxp://aegistools[.]pw/api/licensing/dl/dep/sig

hxxp://aegistools[.]pw/ui/account/static/js/main[.]a689ac00[.]chunk[.]js

hxxp://aegistools[.]pw/favicon[.]ico

hxxp://aegistools[.]pw/ui/account/static/css/main[.]e29978e2[.]chunk[.]css

hxxp://aegistools[.]pw/ui/account/login?redirect=http://aegistools[.]pw/ui/licensing

hxxp://aegistools[.]pw/ui/account/static/js/2[.]ca13c3d6[.]chunk[.]js

Sample screenshots: