An international law enforcement operation shut down cybercriminal services designed to encrypt and test malware to ensure that it could not be detected by antivirus or other cybersecurity tools.
Agencies from the United States, the Netherlands, and Finland seized the domain for AVCheck, a major counter antivirus (CAV) service that was used by threat groups to test if their malware could be detected by antivirus programs before they deployed it in the wild.
At the same time, the U.S. Justice Department seized four domains and their associated server, which were used to provide crypting services – including CAV tools – that enable bad actors to make their malware more difficult for antivirus programs to detect.
When used together, CAV and crypting services not only allow hackers to obfuscate their malware, but also make sure it's undetectable, according to the FBI.
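The FBI's description above captures the defender's problem: a crypter wraps the real payload in an encrypted blob so that signature scanners see nothing familiar. One cheap triage signal that survives this is byte entropy, because an encrypted or packed region looks close to uniformly random while ordinary code and data do not. The following is an added illustration written for this article, not code from AVCheck, the seized services, or any of the agencies involved; the sample file it scans is constructed inline (plain text XOR'd with a SHA-256 keystream to stand in for a crypted section), and the chunk size and 7.0-bit threshold are assumed tuning values, not published figures.

```python
import hashlib
import math
from typing import List, Tuple

# Assumed tuning values for this demo (not from the article or any vendor).
CHUNK = 1024          # bytes examined per window
THRESHOLD = 7.0       # bits/byte; plain code and text usually sit well below this
PLAIN_LEN = 4096      # constructed sample: ordinary bytes first ...
CRYPTED_LEN = 4096    # ... followed by a "crypted" region of equal size


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/uniform input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, chunk: int = CHUNK,
                         threshold: float = THRESHOLD) -> List[Tuple[int, int, float]]:
    """Return (offset, length, entropy) for every full-size window at or above threshold.

    A trailing window shorter than chunk is skipped: entropy estimates on very
    small samples are noisy and would produce false positives/negatives.
    """
    hits = []
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        if len(block) < chunk:
            break
        e = shannon_entropy(block)
        if e >= threshold:
            hits.append((off, len(block), round(e, 2)))
    return hits


def crypted_fraction(data: bytes, chunk: int = CHUNK,
                     threshold: float = THRESHOLD) -> float:
    """Fraction of the file covered by high-entropy windows (0.0 .. 1.0)."""
    if not data:
        return 0.0
    flagged = sum(length for _, length, _ in high_entropy_regions(data, chunk, threshold))
    return flagged / len(data)


def _keystream(n: int, seed: bytes = b"constructed-demo-seed") -> bytes:
    """Deterministic pseudo-random bytes (chained SHA-256) so the demo is reproducible."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample() -> bytes:
    """Constructed input: low-entropy 'program text' followed by the same text XOR'd
    with a keystream, mimicking a payload hidden by a crypter."""
    text = b"this is ordinary program text and tables "
    plain = (text * (PLAIN_LEN // len(text) + 1))[:PLAIN_LEN]
    payload = (text * (CRYPTED_LEN // len(text) + 1))[:CRYPTED_LEN]
    crypted = bytes(p ^ k for p, k in zip(payload, _keystream(CRYPTED_LEN)))
    return plain + crypted


if __name__ == "__main__":
    sample = build_sample()
    for off, length, e in high_entropy_regions(sample):
        print(f"high-entropy window at offset {off:#x} ({length} bytes): {e} bits/byte")
    print(f"fraction of file in high-entropy windows: {crypted_fraction(sample):.2f}")
```

Entropy alone is not a verdict: compressed resources, certificates and legitimately packed installers also score high, so a practitioner treats a large high-entropy fraction as a reason to sandbox or unpack the file, not as proof of malice. Its value against crypting services is that it does not depend on recognising the payload, which is exactly what those services are sold to defeat.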
“A good CAV service is essential for carrying out malware attacks, as it allows criminals to access the networks of their victims undetected,” the Dutch police said in a statement. “Cybercriminals want to know if their malware will be detected by virus scanners so they know if they can catch their victims unawares. This means that CAV services such as AVCheck play a vital facilitating role in cybercriminal ecosystems.”
‘An Important Step’
The domains of AVCheck and of the crypting services Cryptor.biz and Crypt.guru now display a message from U.S. and Dutch authorities notifying visitors of the seizure of the sites.
“Taking AVCheck offline is an important step in the fight against organized cybercrime,” Matthijs Jaspers, team lead of the High Tech Crime Team of the Netherlands Police’s National Investigations and Special Operations, said in a statement. “It disrupts the activities of cybercriminals in the earliest stages and prevents victims.”
According to DOJ investigators, undercover agents made purchases from the websites, which allowed them to analyze the services. They also were able to look at linked email addresses and other data that investigators said connected the services to known ransomware groups that have attacked victims in the United States and around the world.
Perfecting Malware
“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” Douglas Williams, FBI Houston special agent in charge, said in a statement. “By leveraging counter antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims’ systems.”
The takedown of AVCheck and the crypting services was linked to Operation Endgame, an international effort that has shut down a number of high-profile cybercriminal operations around the world. Most recently, a law enforcement initiative disrupted the infrastructure of the Russian-linked DanaBot, a malware-as-a-service operation that allegedly infected more than 300,000 systems and caused more than $50 million in damages. The DOJ also indicted 16 people suspected of being part of the DanaBot operation.
Services Help Ransomware, Other Attacks
The Dutch police’s Jaspers noted the tight link between CAV and crypter services and threat groups running various cybercriminal campaigns – including ransomware – and said that Dutch police have worked closely with Project Melissa, a public-private partnership launched in 2022 to combat ransomware.
“The joint goal is to make the Netherlands an unattractive target for ransomware criminals,” the Dutch police said in 2023.
“Within Melissa, parties aim to systematically exchange knowledge and information and collaborate occasionally on specific investigations to collectively contribute to making Dutch public and private organizations less attractive targets for ransomware attacks,” the Netherlands’ Leiden University wrote in a report earlier this year.