ACCE Release Notes v2.4.20240111

Release Notes

This release consists of the following:

  • NineRAT malware
  • BottomLoader Downloader
  • DLRAT malware
  • HazyLoad malware
  • Babel-obfuscated variant of Laplas Clipper
  • OracleIV malware
  • Dave Crypter variant
  • QakBot variant which uses AES-CBC
  • Brute Ratel C4 Injector variant
  • PikaBot Injector variant
  • TitanLdr open-source loader
  • NextCry ransomware
  • Black KingDom ransomware
  • SugarGh0st implant
  • onJS malware (CT-named malware)

Lazarus DLang malware

Cisco Talos published research on Operation Blacksmith, performed by the Lazarus threat actor and involving malware written in DLang. The operation included malware families NineRAT, BottomLoader, DLRAT, and HazyLoad.

Support was added for all identified components:

OracleIV

Cado Security reported on Python malware compiled as an ELF executable being distributed in malicious Docker containers. We added an ACCE module that reports the User-Agent string and extracts and reports the C2 socket address.

  • OracleIV: 14b2f5f81e2542fdcc059f690e25c279

QakBot

In late December 2023, Intrinsec tweeted about a QakBot variant being distributed using a Dave Crypter variant. While previous variants of QakBot encrypted the configuration using the RC4 algorithm (with a SHA1 verification hash), the new variant was observed to use AES-CBC encryption with a SHA256 verification hash.
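
The switch from RC4/SHA1 to AES-CBC/SHA256 described above is what makes a decryptor's verification step worthwhile: the embedded hash lets an analyst tell a correct key from a wrong one. The following Go program is an added example, not ACCE code or QakBot's actual config format; it assumes a blob layout of SHA-256(plaintext), then a 16-byte IV, then AES-128-CBC ciphertext with PKCS#7 padding, and the key, IV and config string are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// Assumed layout (not from the release notes): [SHA-256(plaintext)][16-byte IV][AES-CBC(PKCS#7(plaintext))].
const hdrLen = sha256.Size + aes.BlockSize
// DecryptConfig returns the plaintext only when the embedded SHA-256 matches it,
// so a wrong key or a wrong layout guess is reported instead of yielding garbage.
func DecryptConfig(blob, key []byte) ([]byte, error) {
	if len(blob) <= hdrLen || (len(blob)-hdrLen)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad blob length %d", len(blob))
	}
	want, iv, ct := blob[:sha256.Size], blob[sha256.Size:hdrLen], blob[hdrLen:]
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // validate and strip PKCS#7 padding; a wrong key usually fails here
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding: wrong key?")
	}
	if sum := sha256.Sum256(pt[:len(pt)-pad]); !bytes.Equal(sum[:], want) {
		return nil, fmt.Errorf("SHA-256 mismatch: wrong key?")
	}
	return pt[:len(pt)-pad], nil
}
// BuildSample emits a blob in the assumed layout; it exists only to construct sample input for the example.
func BuildSample(pt, key, iv []byte) []byte {
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	blk, _ := aes.NewCipher(key)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	sum := sha256.Sum256(pt)
	return append(append(sum[:], iv...), ct...)
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed key and IV
	pt, err := DecryptConfig(BuildSample([]byte(`{"c2":"203.0.113.10:443"}`), key, iv), key) // constructed config
	fmt.Printf("%q %v\n", pt, err)
}
```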

Unlike in previous versions, the Dave Crypter variant was observed to construct the XOR key for loader decryption on the stack. While researching additional samples of this variant we identified a Brute Ratel C4 variant and a PikaBot injector variant.

In previous versions of the PikaBot injector, the resources containing PNG images with encrypted chunks were contiguous, which made it easy to reconstruct the encrypted binary for RC4 or AES decryption. The observed variant does NOT use contiguous resources, so the correct chunk order must be recovered from the obfuscated code.

SugarGh0st

Cisco Talos published research on a Gh0st variant they refer to as SugarGh0st, being delivered using two different infection chains. In each infection chain, a Windows Shortcut file runs embedded JavaScript (obfuscated using javascript-obfuscator) to run DllToShellcode shellcode that loads the SugarGh0st payload.

The infection chain, including the Windows Shortcut file, JavaScript, and side-loader, was unnamed in reporting; we refer to it as onJS, based on both the variable names in the JavaScript and its use of JavaScript.

Cipher Tech has an internal multi-language deobfuscation tool dubbed ctdeob (full source code available to customers with a Tier 3 ACCE subscription), which currently supports JavaScript, PowerShell, and xl4 macros, and has additional modules in development. In addition to general deobfuscation, ctdeob converts input scripts to an abstract syntax tree (AST), which enables querying and more complex deobfuscation operations (such as handling javascript-obfuscator).

Leveraging this tooling, we wrote an ACCE module to handle javascript-obfuscator in general, and to additionally process the onJS JavaScript dropper component. ACCE modules were added to support the entire infection chain, from the Windows Shortcut to the SugarGh0st payload.
