Release Notes
This release consists of the following:
- 44 Caliber Stealer “RL” variant
- RevengeRAT variant
- Royal Road Downloader variants
- InvalidPrinter (in2al5d p3in4er) Loader
- Snow Downloader
- TrueBot Downloader variants
- PingPull Linux variant
- Sword2033 backdoor
- ImBetter Stealer
- ibFun Dropper
- Open-source Lime Crypter and Installer variant
- ScrubCrypt variant
- njRAT variant
- SarinLocker ransomware
44 Caliber Stealer “RL” and RevengeRAT variants
Following on from our research into XWorm and Razor Crypter, we further analyzed two of the payloads extracted from Razor Crypter samples and determined them to be a variant of the open-source 44 Caliber Stealer and a variant of the open-source RevengeRAT.
While the original code base for 44 Caliber leverages a Discord webhook for exfil, the observed variant instead uses Telegram. The variant additionally leveraged the StringsCrypt module, observed in stealers like StormKitty, Stealerium, and WorldWind.
- Razor Crypter + 44 Caliber Stealer: b9c45a591e76542c29df77cd6d02daea
- Razor Crypter + RevengeRAT: c20eb4cffa18560a5c574d531d7b34d3
InvalidPrinter (in2al5d p3in4er) Loader
Morphisec recently posted about the InvalidPrinter loader, which they observed being used to deliver Aurora Stealer. Support was added to extract and decrypt the payload from InvalidPrinter.
- InvalidPrinter Loader: 70f94249a7323d9711488e6d4e69ab38
PingPull / Sword2033
Unit42 at Palo Alto posted an update to their previous research on PingPull malware, indicating they identified a Linux variant and another backdoor they call Sword2033.
The PingPull module was updated to enable support for the Linux variant, and a Sword2033 module was added to support extraction and reporting of network passwords and c2 socket addresses.
- PingPull Linux Variant: 94c3cfc9e057c068c8b7c9582f719699
- Sword2033 Backdoor: 63a2d0e77e1ccf1cde295862457d3a1b
ibFun Dropper
In addition to the 44 Caliber / RevengeRAT variants described above, our Razor Crypter research yielded a dropper which AES-CBC decrypts a payload from its resources, writes it to disk, and executes it. The dropper leverages the same cipher for string decryption after Base64 decoding a value.
A VirusTotal RetroHunt yielded 25 additional samples of the dropper, which we are calling ibFun based upon the salt used to derive the AES-CBC parameters in our original sample.
The payloads from the RetroHunt additionally yielded the open-source Lime Crypter and a variant we are calling an Installer, a ScrubCrypt Batch script variant which loads the key/IV in the PowerShell code directly instead of in an array with the encrypted components, an njRAT variant, and SarinLocker ransomware. Modules were added/updated for each of these payloads.
- ibFun + Lime: 2f6f8b805100f71beaff02146b2c7c2f
- ibFun + SarinLocker: 6737e32363919646766043f9d4538ee1