The threat landscape is becoming increasingly commoditized. Almost any phase in the intrusion lifecycle can be farmed out, allowing adversaries to specialize and remain focused on the stage of an attack they know best. Two tools are essential to this ecosystem: crypters, which work to make malware more difficult to detect, and loaders, which adversaries can leverage to deliver separate follow-on payloads.
In the latest Detection Series webinar, SentinelOne’s Alex Delamotte and Joe Slowik from MITRE ATT&CK® joined Red Canary Senior Malware Analyst Tony Lambert to discuss the crucial role that crypters and loaders play in enabling a wide range of costly threats ranging from remote access trojans to ransomware and almost everything in between. Along with sharing some in-the-wild examples, the panel dives into how these tools vary across operating systems and ends by offering detection guidance.
You can watch the full recording here or check out the clips below.
What is a crypter? What is a loader?
Crypters are tools, techniques, or methods that adversaries leverage to encrypt, obfuscate, or otherwise modify malicious code to evade detection technologies.
Loaders are a type of malware intended specifically to deliver additional payloads, like stealers, cryptominers, or ransomware.
Alex and Joe explain how adversaries use crypters and loaders, respectively.
Why should you care about crypters and loaders?
Joe explains how crypters and loaders are critical support mechanisms in the threat landscape, enabling adversaries to distribute malware more widely and with more discretion. The more tools become commoditized, the lower the barrier of entry is for aspiring attackers.
How do these tools map to ATT&CK?
While in past Detection Series webinars we’ve focused on a single ATT&CK technique, this time around we decided to highlight a category of tools that are incorporated into several common defense evasion and obfuscation techniques. Joe pinpoints where this activity falls on the ATT&CK matrix, the first step toward detection.
What do crypters look like on Windows?
Zooming in on crypters first, Tony shares actual EDR telemetry from CypherIT delivering Lumma Stealer and NetSupport Manager, as well as a ScrubCrypt sample with a BAT script masquerading as a tax document.
What do crypters look like on Linux?
Tony sheds light on why crypters are not as commonly seen in macOS environments before passing the mic to Alex, who presents on the Linux side of things. Alex details how Mirai operators have removed the UPX magic bytes from packed samples to alter the packing and encryption layer. She then showcases AlienFox, a cloud infostealer encrypted to prevent distribution of its source code.
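The UPX tampering Alex describes leaves a recognisable shape behind: a UPX-packed ELF normally carries the "UPX!" marker and ships with no section header table, so a file that has the latter property and a high-entropy body but no marker is worth a second look. The script below is an added triage example written for this summary, not code from the webinar or its presenters; the ELF samples are constructed inline, the entropy threshold of 7.0 bits is an assumed cut-off, and a real triage pass would want to confirm with a proper unpacker or YARA rule.

```python
"""Heuristic triage of ELF files for UPX packing with a stripped "UPX!" marker.

Added example; samples are constructed in memory, not taken from real malware.
"""
import math
import struct
from collections import Counter

# ELF64 header: e_ident, type, machine, version, entry, phoff, shoff, flags,
# ehsize, phentsize, phnum, shentsize, shnum, shstrndx (64 bytes, little-endian)
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")
UPX_MAGIC = b"UPX!"
ENTROPY_THRESHOLD = 7.0  # assumed cut-off (bits per byte) for "looks compressed/encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_elf(body: bytes, shnum: int, shoff: int) -> bytes:
    """Constructed ELF64 header (x86-64, executable) in front of an arbitrary body."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, version 1
    hdr = ELF64_HDR.pack(ident, 2, 0x3E, 1, 0x400000, 64, shoff, 0,
                         64, 56, 2, 64 if shnum else 0, shnum, 0)
    return hdr + body


def assess(data: bytes) -> dict:
    """Classify a file as upx-packed, suspected-stripped-upx, unremarkable or not-elf."""
    if len(data) < ELF64_HDR.size or data[:4] != b"\x7fELF":
        return {"is_elf": False, "verdict": "not-elf"}
    fields = ELF64_HDR.unpack_from(data)
    e_shoff, e_shnum = fields[6], fields[12]
    entropy = shannon_entropy(data[ELF64_HDR.size:])
    has_magic = UPX_MAGIC in data
    if has_magic:
        verdict = "upx-packed"
    elif e_shnum == 0 and e_shoff == 0 and entropy > ENTROPY_THRESHOLD:
        # No section headers plus a compressed-looking body but no marker:
        # the pattern left behind when the "UPX!" bytes have been overwritten.
        verdict = "suspected-stripped-upx"
    else:
        verdict = "unremarkable"
    return {"is_elf": True, "shnum": e_shnum, "shoff": e_shoff,
            "entropy": round(entropy, 3), "has_upx_magic": has_magic, "verdict": verdict}


# Constructed samples: a stand-in for compressed code (entropy exactly 8.0),
# once with the marker, once with the marker zeroed out, plus a benign-looking file.
HIGH_ENTROPY_BODY = bytes(range(256)) * 16
PACKED = build_elf(UPX_MAGIC + HIGH_ENTROPY_BODY[4:], shnum=0, shoff=0)
STRIPPED = PACKED.replace(UPX_MAGIC, b"\x00\x00\x00\x00")
BENIGN = build_elf(b"\x00" * 2048 + b"hello, world\n" * 64, shnum=30, shoff=4096)


def triage_samples() -> dict:
    return {name: assess(blob)["verdict"]
            for name, blob in (("packed", PACKED), ("stripped", STRIPPED), ("benign", BENIGN))}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:9s} -> {verdict}")
```

The check is deliberately conservative: a present "UPX!" marker wins outright, and the stripped-marker verdict requires all three weaker signals together, since plenty of legitimate stripped or statically linked binaries have no section table on their own.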
What do loaders look like on Windows?
Switching to loaders, Tony shares EDR telemetry from Oyster/CleanUp Loader activity as well as Koi Loader, both of which leverage PowerShell to deliver their final payloads.
What do loaders look like on Linux?
Alex takes over to explain how loaders use living-off-the-land techniques in Linux environments, leveraging shell scripts and Golang binaries. She then highlights activity from YARN and TeamTNT as examples.
How do I detect crypters and loaders?
Several times throughout the webinar, Tony compares various crypters and loaders to a Rube Goldberg machine, due to their many interlocking parts. This cobbled-together quality is actually a plus for defenders, as each component presents a new opportunity for detection.
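To make the "each component is a detection opportunity" point concrete for the Windows chains mentioned earlier (a BAT file dressed up as a tax document, and loaders that hand off to PowerShell), here is an added example of a small detection pass over constructed EDR-style process events. It is not code from the webinar or from Red Canary's detection engine; the event format, the two regexes and the rule names are assumptions for illustration.

```python
"""Toy detection pass over constructed process-creation telemetry.

Added example: the events, field names and rules are assumptions, not a real EDR schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry modelled on the chains discussed above:
# a document-lookalike BAT launching an encoded, hidden PowerShell (pids 200/300)
# next to a legitimate build script that also calls PowerShell (pids 400/500).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\jane\Downloads\Tax_Return_2023.pdf.bat"'),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."),
    ProcessEvent(400, 100, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\build\run_tests.bat"'),
    ProcessEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File .\\collect_results.ps1"),
]

# A script extension hiding behind a document extension, e.g. ".pdf.bat"
DOC_LOOKALIKE = re.compile(r"\.(pdf|docx?|xlsx?)\.(bat|cmd|vbs|js|lnk)\b", re.I)
# PowerShell arguments typical of loader hand-offs: encoded command, hidden window, download cradle
SUSPICIOUS_PS = re.compile(
    r"(-enc\w*\s+\S|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)", re.I)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (pid, rule_name) findings; each stage of the chain gets its own rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        if name == "cmd.exe" and DOC_LOOKALIKE.search(e.cmdline):
            findings.append((e.pid, "script_masquerading_as_document"))
        if name == "powershell.exe" and SUSPICIOUS_PS.search(e.cmdline):
            findings.append((e.pid, "suspicious_powershell_args"))
            # Parent-child context is the second, independent opportunity:
            # PowerShell spawned by a script host rather than by a user shell.
            if parent is not None and image_name(parent.image) == "cmd.exe":
                findings.append((e.pid, "powershell_spawned_by_script_host"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign build chain (pids 400 and 500) trips neither rule even though it also goes cmd.exe to powershell.exe, which is the point: the masquerading filename and the encoded, hidden invocation are separate components of the loader's machine, and either one on its own is enough to surface the activity.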
What else should I know about crypters and loaders?
This webinar set a record for audience participation! The panelists paused to answer live questions throughout, and left extra time at the end to continue the conversation around crypters and loaders.