In this article, we will look at the fully undetectable (FUD) cryptography and encryption market, which is frequently used by cybercriminals to enable malware to evade common endpoint and antivirus solutions.

A cybercriminal will almost certainly face the challenge of concealing their malicious software to avoid detection by antivirus and security systems at some point during their activities. Making malware appear benign is a difficult task that necessitates a significant amount of time and expertise.

As a result, many experienced cybercriminals prefer to delegate this task to trustworthy experts in the field. This article delves into the world of these specialized services, explaining how they work and their significance in cybercrime.

By going to the cryptography and encryption market section on one popular forum associated with cybercrime, it is possible to find over 61 pages of threads dedicated to the sale of software that aids cybercriminals in creating malware that evades common antivirus solutions.

With over 219,000 views and 3,449 replies, the most active thread in the section is for a runtime crypter called Byte Crypter. By clicking on this thread, we can see all of the details about this specific piece of software.

Some of the most prominent features that Byte Crypter offers include enabling automatic startup, enabling message boxes, file binding, including a built-in antivirus detection scanner, icon injection, and file pumping.

The startup feature likely ensures that the obfuscated or “crypted” malware starts up with the computer’s boot sequence, providing persistence on the victim’s machine even after a restart. The message box feature allows displaying a message box to the user, which can be used to deceive victims with fake error messages or notify the attacker of execution.

File binding combines malicious and legitimate files into a single executable to trick victims. The detection scanner checks the “crypted” file against antiviruses to ensure it isn’t detectable before deployment. Icon injection and file pumping aim to make the malicious file appear more legitimate to bypass detection by changing the icon to mimic trusted software or inflating the file size.

After you purchase Byte Crypter, you’ll get a download link to install it on your own computer. The software uses something called a HWID lock that ties it specifically to your device. This is something malware creators often do so users can’t just buy one copy of the software and then distribute it illegally.

The HWID lock prevents the Byte Crypter licence from being shared or used on any other devices after you install it. So if you want to use Byte Crypter on multiple computers, you’ll have to buy a separate lifetime license for each one.

In the cryptography and encryption market, you will find both crypters that require downloading software to your device and cloud-hosted crypter services. https://cryptor.biz, also known as https://crypt.guru, is a good example of a cloud-hosted crypter service. This service requires registration with a Jabber ID and a minimum payment of $40 in Bitcoin or Litecoin. Once registered and funded, it provides automatic crypting and re-crypting of files within paid subscription periods if detected by popular antiviruses.

Subscriptions start at $40 for one day access to one file and go up to $1000 for 30 days access to one file with up to three daily replacements. Additional concurrent files cost $10 per day.

While https://crypt.guru is hosted in the cloud and does not require a local software download to access the crypting services, registration and payment are still required. It differs from other crypter-as-a-service models in the sense that it allows you to pay per individual file crypt. Overall, https://crypt.guru employs a subscription-based payment model as opposed to a pay-per-file approach.

One final observation is the existence of private crypter services. Individuals tend to offer private crypting services on many of the platforms and forums that we monitor, where the customer will manually add a service provider’s Telegram or Jabber and send the file to them, and manually crypt the file in exchange for a payment in cryptocurrency.

However, private crypting services have some drawbacks and risks when compared to reputable cloud-based services. There is usually no refund policy, service level agreement, or guarantee of uptime. Customers have few options if a crypt fails or the provider disappears with their payment. Without continuous crypt updates, protection against antivirus detection is also reduced.

While some private providers have built experience and trust within communities over time, customers usually have far less transparency into the crypting techniques and abilities of ad hoc private services. Overall, private options are riskier, but they may provide lighter footprint services to the most security-conscious users.

A new reality that has emerged shows that we have entered an era where cybercriminals have increasingly adopted the ‘as-a-service‘ business model. Unfortunately, this development presents disadvantages for those working in the fight against cybercrime, as the ‘as-a-service’ model provides a new level of accessibility that enables nearly anyone to gain relatively easy access to criminal services and tools, provided they have cryptocurrency available.

It’s important to note that claims of ‘fully undetectable’ or ‘FUD’ malware are generally overstated. When malware is processed through these criminal services, its effectiveness is often measured by how many popular antivirus programs it can initially evade.