This release consists of the following:
- HeavyLift Loader JavaScript
- MoonPeak implant (including Babel-obfuscated variant)
- WSHRAT loader and implant variants
- Cronos Crypter
- Obfuscated Umbral variant
- AgentMask Crypter variant with inlined configuration
- Obfuscated AgentMask and Eclipse RAT variants
- Kematian shellcode loader
- Patchwork group’s Spyder malware
- NOTE: The parser grouping is named PatchSpyder to differentiate it from the Winnti Spyder malware
- Beast Ransomware
- Warlock loader
- Cobalt Strike shellcode packer with 4-byte key
- IceNova variant using AES-CTR string encryption
- SystemD Loader (CT named malware), seen by Rapid7
- Initial support for 64-bit Sliver implants
- PyFuscate script
- VCURMS RAT
- Trower Downloader (branchlock obfuscated)
- SessionBot malware (branchlock obfuscated)
- BlueBanana RAT
MoonPeak Implant
Cisco Talos reported on UAT-5394 activity involving a modified XenoRAT implant they refer to as MoonPeak. We added ACCE support to report the AES-CBC network key, the mutex, and a C2 socket address. While adding support for the “v2” variant, we observed use of the Babel obfuscator.
- MoonPeak: a470afe2f7176694553158bcd3decb53
- MoonPeak (Babel Obfuscated): 571c577595223518fd5a3ee8b36928d7
Beast Ransomware
Researcher RakeshKrish posted IOCs for Beast Ransomware, indicating that it has been active since October 2023. We found 18 total samples and observed two distinct variants of the ransomware. Both variants use the ChaCha cipher to decrypt their configuration data: one uses the standard ChaCha parameters, while the other uses an all-zero 16-byte constant (0x00000000000000000000000000000000) and 8 rounds.
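Because the two variants differ only in the constant words and the round count, a configuration decryptor can share one ChaCha core and switch parameters per variant. The following is an added example written for these notes; it is not code from the ACCE parser or from the malware. It assumes the RFC 8439 state layout (32-byte key, 32-bit little-endian counter, 96-bit nonce), and the key, nonce and configuration blob are constructed for the demo, since the page does not document the actual key material or state layout used by Beast.

```python
"""ChaCha block function parameterised by constant and round count.

Added example for these notes (not ACCE or malware code). Assumption: the
RFC 8439 state layout -- 4 constant words, 8 key words, 1 counter word,
3 nonce words -- which the real Beast samples may or may not follow.
"""
import struct

STANDARD_SIGMA = b"expand 32-byte k"   # the four standard constant words
ZERO_SIGMA = bytes(16)                 # the modified all-zero constant
MASK = 0xFFFFFFFF


def rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def quarter_round(s, a, b, c, d):
    """RFC 8439 quarter round, applied in place to state indices a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha_block(key, counter, nonce, rounds=20, sigma=STANDARD_SIGMA):
    """Return one 64-byte keystream block for the given parameters."""
    if len(key) != 32 or len(nonce) != 12 or len(sigma) != 16:
        raise ValueError("expected 32-byte key, 12-byte nonce, 16-byte constant")
    if rounds % 2:
        raise ValueError("round count must be even (column + diagonal pairs)")
    state = list(struct.unpack("<4I", sigma) + struct.unpack("<8I", key)
                 + (counter & MASK,) + struct.unpack("<3I", nonce))
    working = state[:]
    for _ in range(rounds // 2):
        quarter_round(working, 0, 4, 8, 12)    # column round
        quarter_round(working, 1, 5, 9, 13)
        quarter_round(working, 2, 6, 10, 14)
        quarter_round(working, 3, 7, 11, 15)
        quarter_round(working, 0, 5, 10, 15)   # diagonal round
        quarter_round(working, 1, 6, 11, 12)
        quarter_round(working, 2, 7, 8, 13)
        quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(working, state)])


def chacha_xor(key, nonce, data, counter=0, rounds=20, sigma=STANDARD_SIGMA):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha_block(key, counter + i // 64, nonce, rounds, sigma)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def decrypt_config(blob, key, nonce, variant):
    """Dispatch on the variant identified in the sample (hypothetical API)."""
    if variant == "standard":
        return chacha_xor(key, nonce, blob)
    if variant == "custom":
        return chacha_xor(key, nonce, blob, rounds=8, sigma=ZERO_SIGMA)
    raise ValueError("unknown variant: %r" % variant)


def rfc8439_block_vector():
    """Hex of the RFC 8439 section 2.3.2 block-function test vector."""
    return chacha_block(bytes(range(32)), 1,
                        bytes.fromhex("000000090000004a00000000")).hex()


# Constructed demo inputs; none of these come from a real sample.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes(12)
SAMPLE_CONFIG = b'{"extension":".BEAST","whitelist":["ntldr"],"kill":["sql"]}'


def demo():
    """Encrypt the constructed config under each variant and show that only the
    matching parameter set recovers it."""
    results = {}
    for variant, other in (("standard", "custom"), ("custom", "standard")):
        blob = decrypt_config(SAMPLE_CONFIG, SAMPLE_KEY, SAMPLE_NONCE, variant)
        results[variant] = {
            "roundtrip_ok": decrypt_config(blob, SAMPLE_KEY, SAMPLE_NONCE, variant) == SAMPLE_CONFIG,
            "wrong_variant_recovers": decrypt_config(blob, SAMPLE_KEY, SAMPLE_NONCE, other) == SAMPLE_CONFIG,
        }
    return results


if __name__ == "__main__":
    print(rfc8439_block_vector()[:32])
    print(demo())
```

`rfc8439_block_vector()` checks the shared core against the published RFC 8439 test vector before the custom parameters are trusted; `demo()` shows why variant identification matters, since a blob produced under the all-zero constant and 8 rounds decrypts to noise with the standard parameters.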
The configuration data consists of whitelisted filenames and extensions; folders, services, and processes to kill; the ransom note; the appended file extension; and a URL. In addition to the standard “.BEAST” file extension, we observed the following extensions:
- .Shangyou
- .Cooseagroup
- .NJUnju
- .moon
- .scr
- .Grounding Conductor
- .moneyistime
- .lostinfo
- .pwn3d
- .Anyv
- .orbit
- .cris
- .FLYTECH
The ransom notes also varied slightly and were observed to contain an email address, a Telegram username, a Session Messenger ID, and/or a Tox chat ID.
- Beast (Standard): 00dae77adbe4c46d1cdf2e8309652545
- Beast (Custom): 5679c70050aac4050018f9899cf6e230
IceNova AES-CTR
VMRay posted about an updated Latrodectus (IceNova) variant that uses AES-256 string encryption in CTR mode. While adding support for the variant, we also saw a post from Cyble about a loader containing both IceNova and ACR Stealer, which our friends at IBM informed us they track as Warlock.
As described by Cyble, the loader AES-CBC decrypts its components from its resources and may include a plaintext decoy component (observed as a PE file, PDF, or MS Office file). In addition to IceNova, we observed payloads including Cobalt Strike BEACON and Sliver implants.
The Sliver Beacon samples were packaged using a Python delivery mechanism we are referring to as SystemD, which was reported on by Rapid7. The SystemD archive contains an AES-CBC encrypted component (named data.aes), which is decrypted and executed by a side-loader component. The side-loader component is itself Base64-decoded and AES-CBC decrypted by the initially executed loader Python script. In some instances, the PyFuscate Crypter was observed as an additional layer between the loader and the side-loader.
- IceNova (AES-CTR): 58e3fdda803852666f535b132e6a8160
- Warlock + IceNova: e1a8ca0eb72cbdd2a372c69a355d42be
- Warlock + SystemD + Sliver: 059879c5f6fd81861787e2f44c1da283
- Warlock + SystemD + PyFuscate + Sliver: 2d6fd252249c2c456acf62261f91eaec