ACCE Release Notes v2.5.20240611

This release consists of the following:

  • Stink Stealer
  • Bunny Loader (v2.X and v3.X)
  • PureCrypter SmartAssembly + Babel obfuscated Loader/Injector variants
  • Jlaive variants (recategorized from Infinity)
  • SilentCryptoMiner C++ Dropper Variant
  • ComeBacker loader variant (aka SplitLoader)
  • Observer Stealer
  • Asuka Stealer
  • RecordBreaker Loader variants for multi-operation and XOR-reverse
  • Tipper Crypter (CT named malware)
  • Alien Crypter
  • Asemble Crypter (CT named malware)
  • Nightingale Stealer
  • NullX Stealer
  • TunnelSpecter
  • SweetSpecter
  • DarkGate Dropper for AutoIt
  • NestDoor malware
  • Armageddon Stealer
  • BTC-azadi ransomware, including variants referred to as:
    • Havoc, Merlin, FAST, Alvaro, etc.
  • DeepSea v4.1 obfuscated RoboSki Packer
  • ZIZI Stealer
  • Chalubo malware

Bunny Loader

As detailed by Unit 42, Bunny Loader is a malware-as-a-service (MaaS) product that its authors update frequently. In addition to adding support for Bunny Loader versions 2 and 3, we also added support for the PureCrypter variants from Unit 42's reporting, which were obfuscated using both SmartAssembly and Babel v7.

While reviewing the reported “.cmd script” containing a Bunny Loader payload, we identified it as a Jlaive Loader variant; Jlaive is itself a fork of Crybat (a closed project). During analysis we found that it correlates with what we had previously described as Infinity malware, so those samples have been recategorized as Jlaive.

This Jlaive variant contains a payload, a .NET loader, and an embedded PowerShell injector that it executes in memory. The PowerShell injector Base64 decodes, AES-CBC decrypts, and gzip decompresses both the payload and the loader before executing them.

During research we identified 38 samples of this Jlaive variant. Their payloads included Remcos, AsyncRAT, SilentCryptoMiner, XWorm, and Cobalt Strike BEACON in addition to Bunny Loader.

Asuka Stealer

In mid-March Any.RUN published research on Asuka Stealer, a successor to the unsuccessful Observer Stealer. Any.RUN outlined the minor differences between Asuka and Observer, but from a configuration-parsing perspective the two are functionally equivalent.

While researching these stealers, we found an article by researcher Taisiia G. on Observer Stealer that included an uncategorized list of hashes. While evaluating those samples we observed two .NET crypters we had not previously seen. We are naming them Tipper (after an original filename) and Asemble (after a directory and file name).

Tipper XOR decrypts its payload from a byte array, while Asemble applies an XOR plus rolling-subtraction algorithm to a resource, and may run that transform multiple times over the same buffer. Using a VT Retrohunt we identified more than 1500 Tipper samples, with payloads including Amadey and RedLine Stealer. Of the 10 Asemble Crypter samples we obtained, payloads included Remcos, SmokeLoader, BitRAT, QuasarRAT, AsyncRAT, and Observer Stealer.
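As an added example (not the ACCE module's code, and not code taken from either crypter), the following Go program shows the two decryption shapes described above: Tipper's repeating-key XOR over a byte array, and a multi-pass XOR-plus-rolling-subtraction decrypt of the kind attributed to Asemble, where the number of passes is not known up front and the extractor keeps going until the buffer validates as a PE file. The exact Asemble operation order, the chaining on the previous ciphertext byte, the key `k3y!` and the constructed stand-in payload are assumptions made for illustration; the text gives only the general shape of the algorithm.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// xorDecrypt undoes a repeating-key XOR over a byte array (Tipper-style).
func xorDecrypt(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// asemblePass undoes one pass of an ASSUMED Asemble-style transform: each byte
// is XORed with the repeating key and then the previous ciphertext byte is
// subtracted (mod 256). The text only says "XOR + rolling subtraction"; the
// order and the chaining source here are illustrative choices.
func asemblePass(data, key []byte) []byte {
	out := make([]byte, len(data))
	var prev byte
	for i, b := range data {
		out[i] = (b ^ key[i%len(key)]) - prev
		prev = b
	}
	return out
}

// asembleEncodePass is the inverse of asemblePass, used only to build the
// constructed sample below.
func asembleEncodePass(plain, key []byte) []byte {
	out := make([]byte, len(plain))
	var prev byte
	for i, p := range plain {
		out[i] = (p + prev) ^ key[i%len(key)]
		prev = out[i]
	}
	return out
}

// looksLikePE is the cheap validation an extractor applies to a candidate
// payload: a DOS "MZ" stub and a "PE\0\0" signature at e_lfanew.
func looksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := int(binary.LittleEndian.Uint32(b[0x3c:0x40]))
	return off+4 <= len(b) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// asembleDecrypt repeats asemblePass until the buffer validates as a PE file,
// since the crypter may run its transform several times over one buffer.
// It returns the payload and the number of passes that were needed.
func asembleDecrypt(data, key []byte, maxPasses int) ([]byte, int, error) {
	buf := data
	for n := 1; n <= maxPasses; n++ {
		buf = asemblePass(buf, key)
		if looksLikePE(buf) {
			return buf, n, nil
		}
	}
	return nil, 0, errors.New("no PE header after maximum passes")
}

// fakePE builds a constructed stand-in payload: MZ stub, e_lfanew pointing at
// a PE signature, then deterministic filler. It is not a real executable.
func fakePE(size int) []byte {
	b := make([]byte, size)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], 0x80)
	copy(b[0x80:], "PE\x00\x00")
	for i := 0x84; i < size; i++ {
		b[i] = byte(i * 7)
	}
	return b
}

func main() {
	key := []byte("k3y!") // assumed key, not taken from a sample
	payload := fakePE(256)
	tipper := xorDecrypt(payload, key) // XOR is its own inverse, so this "encrypts"
	fmt.Println("tipper ok:", looksLikePE(xorDecrypt(tipper, key)))
	enc := payload
	for i := 0; i < 3; i++ { // three encode passes, as a multi-pass Asemble sample might
		enc = asembleEncodePass(enc, key)
	}
	out, passes, err := asembleDecrypt(enc, key, 8)
	fmt.Println("asemble passes:", passes, "ok:", err == nil && bytes.Equal(out, payload))
}
```

The PE check is what makes the multi-pass case tractable: rather than recovering the pass count from the crypter's stub, the extractor applies one pass at a time and stops at the first buffer that carries a valid MZ/PE header, with a cap so a wrong key cannot loop forever.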

ZIZI Stealer

ZIZI Stealer was originally analyzed by Checkmarx, and a later version was reported by Twitter user @naumovax. The original version had five configuration settings (an RC4 key, an XOR key, a C2 URL, a scheduled task name, and a missionid). The updated version adds a version field that is sent in network activity under the field name “ZIZI_VERSION”, from which the ZIZI Stealer name was derived.

The configuration data is Base64 decoded and AES-CBC decrypted using a hard-coded IV and a key derived with PBKDF2. The configuration can also contain anti-analysis settings: lists of usernames, machine names, processes, module names, and MAC addresses to compare against. Because their presence and content are inconsistent across samples, the ACCE module does not report them.
