ACCE Release Notes v2.6.20240822

This release consists of the following:

  • Noodle RAT
  • BroomStick Backdoor variant which is configured with C2 addresses instead of URLs
  • Initial support for JS-Confuser obfuscated scripts
  • BugSleep Backdoor and Injector
  • BlankGrabber loader variant using different encrypted filename
  • Agente Implant
  • BlackAngel PyInstaller, Crypter, Loader, and Stealer components (CT named malware)
  • Atlantida Stealer
  • BadXml Crypter (CT named malware) which loads Donut Shellcode and Atlantida Stealer
  • ClientKIT Stealer (CT named malware)
  • worldtracker Stealer
  • BlackCap Grabber
  • Lynx Ransomware
  • UnionFiles Dropper

BlackAngel

Threat researcher @suyog41 posted about a new Python stealer they observed which did not contain any internal naming. The sample they referenced, MD5 hash 97d38e2ac6ac6d20f58b31d7fbb06b68, is a PyInstaller compiled binary which contains six (6) Crypter layers before running a loader that loads an embedded stealer assembly.

Each Crypter layer concatenates two (2) decoded/decompressed buffers together before executing the concatenated script. The decoding/decompression options included: base64, base85, gzip, zlib, and fromhex. At the end of each Crypter script was the following text, from which the BlackAngel family name was derived:

# __BlackAngel__ 
# What are you looking for here?
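The layer structure described above (two encoded buffers, each unwrapped through some chain of base64/base85/gzip/zlib/fromhex, then concatenated and executed, with the marker text at the end of the resulting script) lends itself to automated peeling. The following is an added illustration written for these notes, not code from the release or from ACCE: it depth-first searches the five listed transforms for a chain that turns each buffer into printable Python text, rebuilds the concatenated script, and reports whether the BlackAngel marker is present. The decoder ordering, the stop condition (printable UTF-8 containing "import " or the marker), the function names and the constructed sample script and chains are all assumptions of this example; a real layer's chains must be confirmed against the script itself.

```python
import base64
import binascii
import gzip
import zlib

# Text found at the end of every Crypter script, per the release notes.
MARKER = b"# __BlackAngel__"

# The five decode/decompress options the notes list for the Crypter layers.
# Order is a heuristic of this example: compressed formats first (they reject
# wrong input on the magic bytes), then text encodings from strictest to loosest.
DECODERS = {
    "gzip": gzip.decompress,
    "zlib": zlib.decompress,
    "fromhex": binascii.unhexlify,
    "base64": lambda b: base64.b64decode(b, validate=True),
    "base85": base64.b85decode,
}


def is_plaintext(buf):
    """Stop condition (assumption): printable UTF-8 that looks like a Python
    source fragment, i.e. contains 'import ' or the BlackAngel marker. Both
    contain a space, which none of the three text encodings can emit, so an
    undecoded buffer can never satisfy the check."""
    try:
        text = buf.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    return b"import " in buf or MARKER in buf


def search_chain(buf, max_depth=5, chain=()):
    """Depth-first search over DECODERS for a chain that turns buf into
    plaintext. Returns (chain, plaintext) or None. Wrong branches either raise
    inside the decoder or never reach plaintext, and are backtracked."""
    if is_plaintext(buf):
        return chain, buf
    if len(chain) >= max_depth:
        return None
    for name, fn in DECODERS.items():
        try:
            out = fn(buf.strip() if name in ("fromhex", "base64", "base85") else buf)
        except Exception:
            continue
        if not out or out == buf:
            continue
        found = search_chain(out, max_depth, chain + (name,))
        if found:
            return found
    return None


def unwrap_layer(buf_a, buf_b):
    """Decode the two halves of one Crypter layer and rebuild the script the
    layer would concatenate and execute."""
    found_a = search_chain(buf_a)
    found_b = search_chain(buf_b)
    if not found_a or not found_b:
        return None
    script = found_a[1] + found_b[1]
    return {"chain_a": found_a[0], "chain_b": found_b[0],
            "script": script, "has_marker": MARKER in script}


# Constructed sample (not from a real sample): a harmless two-line "next stage"
# followed by the marker, split in two and wrapped with chains of our choosing.
CONSTRUCTED_SCRIPT = (
    b"import sys\n"
    b"print('next stage placeholder')\n"
    b"# __BlackAngel__\n"
    b"# What are you looking for here?\n"
)


def build_constructed_layer():
    half = CONSTRUCTED_SCRIPT.index(MARKER)
    part_a, part_b = CONSTRUCTED_SCRIPT[:half], CONSTRUCTED_SCRIPT[half:]
    buf_a = base64.b64encode(gzip.compress(part_a, mtime=0))           # gzip -> base64
    buf_b = binascii.hexlify(base64.b85encode(zlib.compress(part_b)))  # zlib -> base85 -> hex
    return buf_a, buf_b


if __name__ == "__main__":
    result = unwrap_layer(*build_constructed_layer())
    print(result["chain_a"], result["chain_b"], result["has_marker"])
    print(result["script"].decode())
```

Because the search only accepts a branch once it reaches script-like text, a misfired decode (for example base64 applied to a buffer that happens to stay within the base64 alphabet) produces bytes that fail every further decoder and is simply backtracked; the depth limit bounds the work per buffer. Running the peeler once per layer, feeding the recovered script's two buffers back in, walks down the six layers the notes describe.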

The stealer exfiltrates stolen information via Telegram, and is capable of stealing at least the following information: Discord, passwords, cookies, credit cards, browser data, cryptocurrency wallets, gaming information, screenshots, and file system information.

During research, we identified nine (9) additional PyInstaller compiled samples which resulted in three (3) unique stealer samples.

ClientKIT Stealer

Threat researcher @vm001cn posted about what they were calling Heracles malware based upon a sandbox identification. Further research indicated this was not Heracles, but is instead a different implant written in C#. Four (4) samples of this implant were identified, two (2) calling themselves PandaClient and the other two (2) SpiderClient.

There were no observed differences between PandaClient and SpiderClient, and we are referring to this stealer as ClientKIT based upon the shared Client string and the usage of “KIT” in numerous class names.

ClientKIT reads its configuration from the end of the file, reading backwards until a 0x0a character is encountered. The data is then decoded using the following algorithm (written in Python) and gzip decompressed, yielding .NET serialized configuration data.

def decode_config(encoded):
    # encoded: the trailing ASCII digits read from the end of the file, up to the 0x0a delimiter
    compressed = bytearray()
    for i in range(0, len(encoded), 3):        # each byte is stored as three decimal digits
        compressed.append(int(encoded[i:i + 3]))
    return bytes(compressed)                   # gzip stream holding the .NET serialized config

The deserialized configuration was observed to consist of six (6) fields: host, port, serviceName, serviceDesc, remark (a missionid), and startupAsService (a flag if service installation is enabled).
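To show the whole extraction path end to end (locate the trailer after the last 0x0a, decode the three-digit groups, gzip decompress), here is an added example written for these notes rather than code from the release or from ACCE. The function names, the range and delimiter checks, and the sample file are assumptions of the example; the embedded "config" is a constructed text stand-in, not real .NET serialized data, and deserializing the real thing is out of scope. The one check worth remembering comes straight from the format: a gzip stream begins 1f 8b, so a genuine ClientKIT trailer always starts with the digits 031139.

```python
import gzip

# ClientKIT stores its configuration as a trailer at the end of the executable:
# every byte of a gzip stream is written as three ASCII decimal digits, and the
# trailer is separated from the rest of the file by a 0x0a byte.


def extract_trailer(data):
    """Return everything after the last 0x0a in the file, which is what the
    implant ends up with when it reads backwards until it meets the delimiter."""
    idx = data.rfind(b"\n")
    if idx < 0:
        raise ValueError("no 0x0a delimiter before the trailer")
    return data[idx + 1:]


def decode_trailer(encoded):
    """Decode the 3-digits-per-byte trailer (the algorithm from the notes),
    with input validation added for analyst tooling."""
    if len(encoded) % 3 or not encoded.isdigit():
        raise ValueError("trailer is not a run of 3-digit decimal groups")
    compressed = bytearray()
    for i in range(0, len(encoded), 3):
        value = int(encoded[i:i + 3])
        if value > 255:
            raise ValueError("decimal group %r exceeds a byte" % encoded[i:i + 3])
        compressed.append(value)
    return bytes(compressed)


def recover_config(data):
    """Full pipeline: locate, decode and gzip-decompress the trailer.
    Returns the raw .NET serialized configuration bytes."""
    compressed = decode_trailer(extract_trailer(data))
    # A gzip stream starts 1f 8b, so the trailer itself must start "031139";
    # anything else means the delimiter search picked the wrong newline.
    if compressed[:2] != b"\x1f\x8b":
        raise ValueError("decoded trailer is not a gzip stream")
    return gzip.decompress(compressed)


# --- constructed sample (not a real ClientKIT binary) -----------------------

def encode_trailer(config):
    """Inverse of decode_trailer, used only to build the sample below."""
    return b"".join(b"%03d" % byte for byte in gzip.compress(config, mtime=0))


# Text stand-in for the serialized config; the real one is .NET serialized data.
SAMPLE_CONFIG = b"host=192.0.2.10;port=8443;serviceName=svc;startupAsService=1"
SAMPLE_FILE = (
    b"MZ\x90\x00" + b"\x00" * 16        # constructed stand-in for the PE body
    + b"constructed body\nmore body\n"  # last 0x0a is the trailer delimiter
    + encode_trailer(SAMPLE_CONFIG)
)


if __name__ == "__main__":
    print(recover_config(SAMPLE_FILE))
```

The explicit 031139 check is cheap and catches the common failure mode of this kind of extraction, a stray 0x0a inside the encoded region or a file that was truncated or appended to after delivery; in a triage script it is the difference between a clear error and a confusing gzip exception.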

Of note, one string in the (Panda|Spider)Client.Invoker.BaseInvoker.Scanner method, “初始化执行模块->” (which translates to “Initialize execution module->”), is detected by Google as simplified Chinese.

After establishing a connection, the ClientKIT malware downloads and executes commands through the System.MethodBase.Invoke interface.
