Understanding crypter-as-a-service in a popular underground marketplace

Alejandro de la Cruz, Sergio Pastrana
2024-06-06
Abstract: Crypters are pieces of software whose main goal is to transform a target binary so that it can avoid detection by anti-virus (AV from now on) applications. They work similarly to packers: they take a malware binary and apply a series of modifications, obfuscations and encryptions to output a binary that evades one or more AVs. The goal is to remain fully undetected, or FUD in the hacking jargon, while maintaining its (often malicious) functionality. In line with the growth of commoditization in cybercrime, the crypter-as-a-service model has gained popularity in response to the increased sophistication of detection mechanisms. In this business model, customers receive an initial crypter which is updated soon after it becomes detected by anti-viruses. This paper provides the first study of an online underground market dedicated to crypter-as-a-service. We compare the most relevant products on sale, analyzing the existing social network on the platform and comparing the different features that they provide. We also conduct an experiment as a case study to validate the usage of one of the most popular crypters sold in the market, and compare the results before and after crypting binaries (both benign and malware) to show its effectiveness in evading antivirus engines.
Cryptography and Security
What problem does this paper attempt to address?
The problem this paper attempts to solve is to understand and analyze the operating mechanism and the impact of the Crypter-as-a-Service (CaaS) model in the underground market. Specifically, the research objectives include:

1. **Analyze the CaaS ecosystem**: Conduct a quantitative analysis of the crypter market in a popular English-language underground forum (HackForums) to understand its product features, market activity, and user behavior.
2. **Study the characteristics and advertising strategies of CaaS products**: Analyze the most common and popular crypter products on the market, explore how they attract new customers, and compare the functions and services of the different products.
3. **Evaluate the actual effectiveness of crypters**: Verify the effectiveness of one popular crypter product through experiments, comparing the ability of binaries before and after crypting to bypass antivirus detection.

### Main Contributions of the Paper

1. **The first quantitative analysis of the CaaS ecosystem**: Studied the long-term activity of the crypter market on HackForums and conducted an in-depth analysis of the products sold and the market dynamics.
2. **Description of the data collection method**: Developed a custom crawler for scraping data from HackForums, collecting 1,492 posts and 128,384 comments involving 17,751 users.
3. **Data analysis and social network analysis**: Through analysis of the collected data, identified market segments, key users, and differences between products. In addition, social network analysis was carried out to reveal the interaction relationships between crypter producers and consumers.
4. **Case study**: Through empirical research, verified the effectiveness of the top-level crypter product and showed how binaries perform in bypassing antivirus detection before and after crypting.
### Research Background

In recent years, as network security defenses have continued to improve, especially with the introduction of artificial intelligence and crowdsourcing projects, malware developers have evolved as well, adopting binary obfuscation techniques to evade detection. A crypter is a special kind of packing tool that encrypts and obfuscates binaries, enabling malware to evade antivirus detection. Because building a customized crypter requires a relatively high level of skill, these tools are usually traded in the underground market, forming the so-called "Crypter-as-a-Service" (CaaS) business model.

### Working Principle of the CaaS Model

A crypter usually consists of two parts: the builder and the stub. The builder encrypts and obfuscates the binary and provides some customizable settings. The stub is the output file, responsible for decrypting and executing the original malware. To remain "Fully Undetected" (FUD), crypter providers must continuously update the stub in response to antivirus updates.

### Data Collection and Analysis

The research team developed a custom crawler to scrape crypter market data from HackForums. By analyzing this data, they revealed the activity trends, user behaviors, and social network structure of the crypter market. In addition, the actual effectiveness of the top-level crypter product was verified experimentally.

### Conclusion

This research fills the gap in research on the CaaS ecosystem from the marketing and operational perspectives, and provides an important reference for understanding and dealing with cybercrime.
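As an added example (not code from the paper or its authors), a defender-side check that follows from the builder/stub design described above: because the stub carries the original binary in encrypted form, that region tends to have near-uniform byte statistics, which a sliding-window Shannon entropy scan can flag for closer inspection. The sample stub is constructed inside the script, and the 1 KiB window and 7.0 bits/byte threshold are assumed values, not figures from the paper.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a fixed window over the buffer and return (offset, entropy) for
    every window at or above the threshold. Encrypted or compressed payloads
    embedded by a packer/crypter typically score above ~7 bits per byte."""
    flagged = []
    for off in range(0, len(data) - window + 1, window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            flagged.append((off, round(ent, 2)))
    return flagged


# Constructed sample stub (not a real file): 2 KiB of low-entropy,
# loader-like text followed by a 4 KiB "encrypted payload" made of
# deterministic pseudo-random bytes standing in for ciphertext.
LOADER = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 50)[:2048]
_rng = random.Random(2024)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
STUB = LOADER + PAYLOAD


def scan_stub(stub: bytes = STUB):
    """Regions of the sample stub that a defender would inspect further."""
    return high_entropy_regions(stub)


def entropy_after_byte_xor(data: bytes, key: int = 0x5A) -> float:
    """Caveat: a bijective byte substitution such as single-byte XOR permutes the
    byte histogram without changing it, so entropy stays identical. The heuristic
    only catches real encryption/compression and must be combined with other signals."""
    return shannon_entropy(bytes(b ^ key for b in data))


if __name__ == "__main__":
    print("loader entropy: %.2f bits/byte" % shannon_entropy(LOADER))
    for off, ent in scan_stub():
        print("high-entropy region at offset 0x%04x: %.2f bits/byte" % (off, ent))
```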