"A new threat has emerged in the form of FUD Crypt, a malware-as-a-service platform that simplifies the creation of sophisticated Windows malware. This platform allows cybercriminals to build malware without any coding skills, significantly lowering the entry barrier for conducting serious cyberattacks. Operating from the website fudcrypt.net, FUD Crypt provides users with a fully packaged deployment bundle for a monthly fee, complete with Microsoft-signed certificates and a live command-and-control channel.
FUD Crypt offers three subscription tiers, ranging from $800 to $2,000 per month. The Starter plan includes basic carriers like ProtonVPN and Zoom, while the Pro plan expands to include Discord and OneDrive with additional anti-virtual machine checks. The Enterprise plan provides access to all 20 carrier profiles, full user account control bypass, and automatic disabling of Windows Defender. The platform's ease of use and comprehensive features make it a potent tool for cybercriminals.
The technical workings of FUD Crypt involve DLL sideloading, where a malicious DLL is placed alongside a legitimate application to execute automatically. The platform supports popular software such as Zoom, Slack, and Visual Studio Code, among others. It employs advanced techniques to disable Windows security features, such as the Windows Antimalware Scan Interface and Event Tracing for Windows, ensuring the malware remains undetected.
The impact of FUD Crypt is significant, with 200 registered users and over 300 confirmed malware builds in just over a month. The platform’s use of Microsoft-rooted Authenticode signatures means that security tools and end users may not recognize the threat, as the signed binaries appear legitimate. This poses a serious risk to organizations relying on traditional security measures.
To mitigate the threat posed by FUD Crypt, security teams should focus on behavioral monitoring rather than hash-based detection. Monitoring for unusual DLL sideloading, suspicious registry run key entries, and outbound WebSocket connections can help identify potential infections. Additionally, tracking memory protection changes and process masquerading can provide strong detection opportunities against this sophisticated threat."
Source: https://ctrlaltintel.com/research/FudCrypt-analysis-1/
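As an added example (not code from the cited research), the following Python triages constructed Sysmon-style events for the behaviours the summary recommends watching: a DLL loaded from the same user-writable directory as its host executable (the sideloading pattern), a Run-key value pointing at a staged binary, and an outbound connection from such a binary. The user-writable prefixes, event field names and sample paths are assumptions.

```python
"""Constructed Sysmon-style events triaged for the behaviours the summary says to
watch: DLL sideloading, Run-key persistence and outbound connections from
binaries staged in user-writable directories (hypothetical heuristics)."""
import ntpath

# Locations an unprivileged user can write to; a properly installed application's
# exe and its DLLs are not expected to live there (assumed list, extend per estate).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def _user_writable(path):
    return path.strip('"').lower().startswith(USER_WRITABLE)

def _dirname(path):
    return ntpath.dirname(path.lower())

def triage(ev):
    """Return the findings for one event as a list of strings (empty = benign)."""
    out = []
    eid = ev["EventID"]
    if eid == 7:  # image load: DLL from the host exe's own user-writable directory
        if _user_writable(ev["Image"]) and _dirname(ev["ImageLoaded"]) == _dirname(ev["Image"]):
            out.append(f"possible sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
    elif eid == 13:  # registry value set under a Run key, pointing at a staged binary
        if any(k in ev["TargetObject"].lower() for k in RUN_KEYS) and _user_writable(ev["Details"]):
            out.append(f"run-key persistence: {ev['TargetObject']} -> {ev['Details']}")
    elif eid == 3:  # outbound connection initiated by a process running from a staged location
        if ev.get("Initiated") == "true" and _user_writable(ev["Image"]):
            out.append(f"outbound from staged binary: {ev['Image']} -> "
                       f"{ev['DestinationIp']}:{ev['DestinationPort']}")
    return out

STAGED = r"C:\Users\alice\AppData\Local\Temp\ZoomSetup"  # constructed staging directory
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"EventID": 7, "Image": STAGED + r"\Zoom.exe", "ImageLoaded": STAGED + r"\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 13, "Details": '"' + STAGED + r'\Zoom.exe"',
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Zoom"},
    {"EventID": 3, "Image": STAGED + r"\Zoom.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Zoom\bin\Zoom.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

def run(events=SAMPLE_EVENTS):
    """Triage every event and return the combined findings, in event order."""
    return [f for ev in events for f in triage(ev)]
```

Because the summary notes the binaries carry valid Microsoft-rooted signatures, these rules deliberately key on location and behaviour rather than signature state; the two Program Files events pass untouched.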