CryptOne is a Delphi-based crypter, first observed in 2015, that has been used to pack the payloads of several malware families, including Gozi, Dridex, NetWalker, and WastedLocker. It is reportedly sold as a crypter-as-a-service, and its loader stub checks for a list of security products and attempts to disable any it finds. It was first seen with Qakbot, whose operators used several crypters (CryptOne, Quartz, and Quixotic), but because it has since turned up in front of many unrelated families and variants, it is more likely a third-party service than an in-house tool.
More recently, former ITG23 actors have used CryptOne to pack payloads other than Qakbot, including an attack in the fall involving NetSupport and a Vidar infostealer incident in March 2023. The range of families that rely on it shows how readily a single crypter is reused across otherwise separate operations. The crypter itself is only the wrapper: it reaches systems through the same channels as any other malware (malicious downloads, email attachments, or compromised websites), and the resulting harm (theft of personal data and credentials, disruption of operations, or ransomware extortion) is done by the payload it unpacks.
The Indicators of Compromise (IoCs) listed for CryptOne are specifically tied to its use by Evil Corp: a WastedLocker sample packed with CryptOne has been recovered, and the custom crypter protecting WastedLocker is the one Fox-IT InTELL named CryptOne. Because the same crypter fronts many families, defenders get more value from detections aimed at the crypter's unpacking stub and its runtime behaviour than from signatures for any one payload, since a rule for the wrapper also catches the other families it delivers.
Description last updated: 2023-10-11T03:06:16.347Z