ACCE Release Notes v2.3.20231214

Release Notes

This release consists of the following:

  • Dosia Toolkit
  • Saw RAT
  • LambLoad malware
  • BianLian Installer, Backdoor, and Ransomware
  • Mystic Stealer
  • Eternity Miner
  • Clean Crypter (CT-named malware)
  • Argyle Crypter variant
  • Babel Obfuscated variant of Agent Tesla
  • Tofsee Implant
  • RedLine Stealer variant which decrypts strings using the AES-CBC cipher
  • Rhadamanthys Loader variant
  • Agent Racoon malware
  • Ntospy malware

Dosia Toolkit

Dosia, also referred to as DDOSIA, is a toolkit reported to be leveraged by the Russian hacktivist group NoName057(16) to conduct DDoS operations. We added ACCE support to handle what we refer to as the AppConfig, BackendLink, and InitConfig variants, each of which stores its configuration settings differently.

Saw RAT

Cyble recently published research on a new RAT written in Java and distributed as a JAR archive, which they call Saw RAT. All configuration settings, including C2 commands, are stored as constant fields in the saw.chain/utils/MConstants.class file of the JAR archive. The ACCE module for Saw RAT extracts the constants from this class file in the JAR archive and reports the configuration accordingly.

  • Saw RAT: 15957e06aead7d907972842d803f6471

LambLoad

Microsoft published research on activity by threat actor Diamond Sleet (ZINC), involving the usage of LambLoad malware, including a “fake” PNG container that contains an encrypted LambLoad implant. Specifically, the last data chunk of the PNG before the IEND chunk is invalid, and all the data from that offset until the IEND chunk is XOR+SUB encrypted.

During execution, the LambLoad downloader fetches the PNG and decrypts the LambLoad implant from within it for execution, using hard-coded offsets. The ACCE module for the PNG container instead determines the offset of the encrypted payload dynamically and decrypts it accordingly to extract the LambLoad implant and subsequently report its C2 URLs.
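As an added illustration (not ACCE's own code), the following Python walks the PNG chunk list, flags the first structurally invalid chunk before IEND, and carves the region from that offset up to the IEND header, which is the "dynamic offset" idea described above. The byte-wise XOR-then-SUB decode, its single-byte keys, and the sample PNG are assumed placeholders constructed here; the notes do not give the real keys or their order.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND_HDR = b"\x00\x00\x00\x00IEND"  # length field + type of the IEND chunk


def locate_suspect_region(png: bytes):
    """Return (offset, blob) for the first chunk that is structurally invalid
    (declared length overruns the file, or CRC-32 mismatch); blob spans from
    that chunk's first byte up to the IEND chunk header. None if all chunks
    verify, i.e. the file looks like a plain PNG."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if ctype == b"IEND":
            return None
        end = pos + 12 + length  # header (8) + body + CRC (4)
        body = png[pos + 8:pos + 8 + length]
        valid = end <= len(png) and struct.unpack(">I", png[end - 4:end])[0] == (
            zlib.crc32(ctype + body) & 0xFFFFFFFF)
        if not valid:
            iend = png.find(IEND_HDR, pos)
            return (pos, png[pos:iend]) if iend >= 0 else (pos, png[pos:])
        pos = end
    return None


def xor_sub_decode(blob: bytes, xor_key: int, sub_key: int) -> bytes:
    """Assumed scheme for illustration only: per-byte XOR, then SUB (mod 256)."""
    return bytes(((b ^ xor_key) - sub_key) & 0xFF for b in blob)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(payload: bytes, xor_key: int = 0x7F, sub_key: int = 0x11) -> bytes:
    """Constructed fixture: a valid 1x1 PNG whose last 'chunk' before IEND is
    an encoded blob (inverse of xor_sub_decode) rather than a real chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # one filtered RGB scanline
    encoded = bytes(((b + sub_key) & 0xFF) ^ xor_key for b in payload)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + encoded + _chunk(b"IEND", b""))
```

Run against a real file, the offset returned is the value a triage script would log alongside the image, and a None result means the chunk list verified cleanly.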

Mystic Stealer

According to research by Zscaler and InQuest, Mystic Stealer is an information stealer that has been sold in underground markets since April 2023. Configuration data in Mystic Stealer is encrypted using the TEA algorithm with little-endian word order. Early versions of Mystic Stealer stored their configuration as C2 socket addresses, while newer versions store the configuration as URLs.

While researching Mystic Stealer, we identified the usage of a Crypter which uses a varying number of arithmetic operations (add, sub, and XOR), with varying keys, to decrypt an embedded payload and inject it into a newly launched instance of C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe. In the initial set of Crypter samples we analyzed, most contained “Clean.pdb” in their PDB path, and we named it Clean Crypter accordingly.

While early versions of Clean Crypter stored the injection target process name in plaintext, newer versions XOR-decrypt the string on the stack. Additionally, early versions used the standard MurmurHash2 algorithm for API resolution, while newer versions use MurmurHash2 with a non-standard mixing constant.

Other payloads for Clean Crypter we have observed include BlueStealer, Poverty Stealer, RedLine Stealer, Lumma Stealer, RisePro Loader, SmokeLoader, and Eternity Miner.

Argyle Crypter Variant

We initially discovered Argyle Crypter when researching Rhadamanthys Loader in February 2023. The newer version uses a static string as the RC4 key for the embedded payload, while the original samples derived the key “ntdll.dll” dynamically by iterating over imported library names.

Rhadamanthys Loader Variant

When conducting research on HijackLoader (IDAT Loader) in October, we identified some of the payloads as containing a new loading sequence of Rhadamanthys. Most notably, we identified a new FS format (in comparison to the research by Hasherezade with Check Point Research) which contained the XS-formatted data in a segment named 0xbf0e967b.

The encrypted data used to form the FS-formatted component was observed to be stored in three separate segments. The first segment is constructed on the stack across multiple functions. The second segment is formed from the hexadecimal characters of GUID strings in the .rdata PE section. The final segment is deobfuscated from a contiguous buffer.

In addition to the compressed/encrypted XS component, the FS component contains custom bytecode which it uses to perform at least API resolution and the decryption/decompression of the XS component.
