The malware encryption service run by a Romanian duo helped hackers embed malicious code in legit software to bypass antivirus tools.
In a press release, the European law enforcement agency Europol shared details of the arrest of a pair of malware encryption services operators based in Craiova and Bucharest, Romania.
The pair ran online malware encryption services, aka crypting services dubbed CyberSeal and Dataprotector. These services were offered to cybercriminals to encrypt the computer code in malware, including information stealers, Remote Access Trojans, and ransomware, to help cyber criminals launch attacks successfully.
The pair also offered the Cyberscan service through which their cybercriminal clients could test their malware against antivirus (AV) programs. Malware authors used these services to wrap their payloads in encryption shells to bypass most of the AV tools.
According to Europol, over 1,560 cybercriminals purchased these services for creating different types of malware, and in total, they managed to improve 3,000 malware strains. These strains were later used to launch cyberattacks around the globe. Hence, the duo was a key player in many successful malware attacks.
In exchange for their services, the Romanian operators received significant amounts of money. For testing samples against AV scanners, the operators demanded $7 to $40, and for the actual crypting services, they asked for $40 to $300.
Their rates varied according to the license conditions and the client’s demands as some asked for ongoing support and practical help.
Cybercriminals could embed and hide their malware in legitimate software by purchasing these services and circulated them to unsuspecting users. Cyberscan allowed attackers to test their malware strains against AV tools.
The duo had been offering crypting services since 2010. They launched the CyberSeal service in 2014 and Dataprotector in 2015. The Cyberscan service was comparatively new, as it was launched in 2019.
European law enforcement agencies and the FBI collaborated to hunt down the service operators. Resultantly, the CyberSeal (cyber-seal.org) and Cyberscan (cyberscan.org) websites are now offline. These services were very well-networked on the dark web.
Romanian police obtained search warrants for locating the suspects. The police raided four homes, including the suspects’ houses in Craiova and Bucharest, and discovered back-end servers in Romania, the USA, and Norway.
The law enforcement agencies that joined hands for this operation include Europol, the FBI, Poliția Română, the Australian Federal Police, and the Norwegian National Criminal Investigation Service.