A new malware-as-a-service (MaaS) platform named FUD Crypt is significantly lowering the barrier to entry for sophisticated cyberattacks. By allowing users to upload any Windows executable and receive a fully packaged, polymorphic malware payload, FUD Crypt offers attackers potent tools with built-in persistence and command-and-control (C2) capabilities for a monthly fee.
Operating from fudcrypt.net, the platform streamlines the creation of malicious software, even enabling the use of Microsoft-signed certificates to bypass security measures. This development means that individuals with limited technical expertise can now deploy advanced malware, posing a considerable threat to Windows users and organizations worldwide. Researchers have identified hundreds of registered users and numerous confirmed malware builds generated by the platform.
FUD Crypt: Lowering the Bar for Sophisticated Malware Deployment
FUD Crypt operates on a subscription model, with pricing tiers ranging from $800 to $2,000 per month. The service provides subscribers with malware that is not only capable of evading detection by antivirus and endpoint detection and response (EDR) solutions but also includes mechanisms for automatic persistence and a live C2 channel. This comprehensive offering means attackers can launch attacks with pre-configured, polished malware without needing to develop these functionalities themselves.
The platform offers different service levels. The Starter plan, at $800 per month, supports basic carriers such as ProtonVPN and Zoom. A step up, the Pro plan at $1,500, expands capabilities to include Discord and OneDrive as carriers, along with implementing anti-virtual machine checks. The most comprehensive offering, the Enterprise plan at $2,000, unlocks all 20 available carrier profiles and includes advanced features like full User Account Control (UAC) bypass and automatic disabling of Microsoft Defender.
According to analysis by Ctrl-Alt-Intel, who recovered the platform’s server infrastructure, FUD Crypt has seen substantial activity. The firm identified 200 registered users, 334 confirmed malware builds, and 2,093 commands issued to 32 infected devices within a 38-day period. This indicates a rapidly growing and actively utilized service within the cybercriminal underground.
A particularly concerning aspect of FUD Crypt’s operation is its use of Microsoft’s Azure Trusted Signing service. The platform operator reportedly underwent identity verification using real-world credentials and then leveraged this to generate Microsoft-rooted Authenticode signatures for the malware binaries. This allows the malicious executables to appear legitimate to security tools and end-users, as the certificate chain displays “Microsoft Identity Verification Root CA.” Four such signing accounts were cycled within a six-week timeframe, with replacements already in place before previous ones expired, demonstrating a proactive approach by the operators to maintain persistent signing capabilities.
All four Azure Trusted Signing accounts used by FUD Crypt have been reported to Microsoft’s Security Response Center (MSRC) prior to the publication of this information.
DLL Sideloading and the Sophisticated Kill Chain
The core infection vector employed by FUD Crypt relies on DLL sideloading. This technique involves placing a malicious Dynamic Link Library (DLL) alongside a legitimate application. When the legitimate application is executed, it inadvertently loads the malicious DLL, thereby initiating the malware’s execution. The FUD Crypt platform supports an extensive list of 20 carrier profiles, encompassing widely used software such as Zoom, ProtonVPN, Slack, Visual Studio Code, OneDrive, and CCleaner.
Additionally, the platform includes a profile utilizing WindowsDF.exe, which is a renamed wrapper for a Windows Defender component. This specific carrier loads mpclient.dll, the same library that Windows Defender uses for its scanning engine. This clever deception allows the malicious payload to operate discreetly under the guise of a legitimate Windows Defender process, making it extremely difficult to detect in Task Manager.
Once the malicious DLL is loaded, a multi-stage defense evasion stack is activated before the final payload is delivered. FUD Crypt employs two distinct methods to bypass the Windows Antimalware Scan Interface (AMSI). One method involves a direct memory patch that causes `AmsiScanBuffer` to return an immediate error, effectively disabling scanning. The second method utilizes CPU hardware breakpoints and a vectored exception handler, which intercepts execution without altering the `amsi.dll` file directly. Furthermore, Event Tracing for Windows (ETW) telemetry is silenced through a single-byte patch, cutting off user-mode logging.
The process then masks itself as `explorer.exe` by manipulating fields within the Process Environment Block. In parallel, the encrypted payload is fetched from Dropbox, with Catbox.moe serving as a fallback download source. This layered approach to evasion significantly increases the difficulty of detection by traditional security measures.
Persistence is automatically established with each successful connection. The C2 server, identified as mstelemetrycloud.com and deliberately named to mimic legitimate Microsoft infrastructure, deploys a WindowsUpdateSvc registry run key. This key points to the agent binary, ensuring the malware reloads every time the machine starts. In Enterprise builds, further persistence is achieved by registering a scheduled task named MicrosoftEdgeUpdateCore. This task is configured to run with the highest privileges upon every logon, effectively masquerading as a legitimate Microsoft Edge update service.
Security teams are advised to remain vigilant for specific indicators of compromise. These include unusual DLL sideloading activities originating from common software installation directories, registry run key entries referencing `mstelemetry.exe`, scheduled tasks named `MicrosoftEdgeUpdateCore`, and outbound WebSocket connections to `mstelemetrycloud.com`. Behavioral monitoring tools that detect changes in memory protection and process masquerading techniques offer the most effective detection capabilities, as the platform’s polymorphic triple-layer encryption effectively bypasses hash-based detection methods.
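As an added example, not part of the original report or of any Ctrl-Alt-Intel tooling, the following Python function evaluates the indicators listed above against a handful of constructed telemetry events. The event field names, the sample events and the assumed legitimate locations of mpclient.dll are assumptions made for the example.

```python
import re

# Indicators come from the report above; the event field names are an
# assumption loosely modelled on Sysmon-style telemetry, not a product schema.
C2_DOMAIN = "mstelemetrycloud.com"
RUN_KEY_NAME = "windowsupdatesvc"
AGENT_IMAGE = "mstelemetry.exe"
TASK_NAME = "microsoftedgeupdatecore"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Assumed legitimate homes of mpclient.dll; a load from anywhere else is treated
# as a sideloading candidate (the WindowsDF.exe carrier described above).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

def check_event(ev):
    """Return a finding if the event matches a FUD Crypt indicator, else None."""
    kind = ev["type"]
    if kind == "registry_set":
        key, value = ev["key"].lower(), ev["value"].lower()
        if RUN_KEY_RE.search(key) and (key.endswith("\\" + RUN_KEY_NAME) or AGENT_IMAGE in value):
            return "persistence: run key referencing the agent binary"
    elif kind == "task_create" and ev["task"].lower() == TASK_NAME:
        return "persistence: scheduled task masquerading as an Edge updater"
    elif kind == "network_connect" and ev["dest_host"].lower().rstrip(".") == C2_DOMAIN:
        return "c2: outbound connection to the lookalike Microsoft domain"
    elif kind == "image_load":
        path = ev["image"].lower()
        if path.endswith("\\mpclient.dll") and not path.startswith(DEFENDER_DIRS):
            return "sideloading: mpclient.dll loaded outside the Defender directories"
    return None

def scan(events):
    """Return (event id, finding) pairs for every event that matches."""
    return [(ev["id"], hit) for ev in events if (hit := check_event(ev)) is not None]

# Constructed sample events for the demonstration, not captured from a real host.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
     "value": r"C:\Users\Public\mstelemetry.exe"},
    {"id": 2, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 3, "type": "task_create", "task": "MicrosoftEdgeUpdateCore"},
    {"id": 4, "type": "task_create", "task": "GoogleUpdateTaskMachineUA"},
    {"id": 5, "type": "network_connect", "dest_host": "mstelemetrycloud.com"},
    {"id": 6, "type": "image_load", "image": r"C:\Users\Public\Zoom\mpclient.dll"},
    {"id": 7, "type": "image_load", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\mpclient.dll"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 3, 5 and 6 and leaves the legitimate OneDrive run key, the unrelated task and the in-place Defender library load alone; the path-based sideloading check is the one most worth tuning to an environment's own Defender platform directories.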
The ongoing use of Microsoft-signed binaries by FUD Crypt highlights a critical vulnerability in trust mechanisms. As of publication, Microsoft has been notified of the compromised Azure Trusted Signing accounts. The continued evolution of such MaaS platforms suggests that efforts to secure digital identities and software supply chains will be paramount in combating future sophisticated cyber threats.