Happy New Year! Please find our first release notes of the year below, with much more to come in 2023!
As a reminder, you can create an account on our Research ACCE instance to view the examples provided in the links.
Release Notes
This release consists of the following:
- Added support for AcridRain Stealer
- Added support for LowZero malware
- Added support for Snow loader
- Added support for AESRT ransomware
- Added support for Vohuk ransomware
- Continued kordesii conversions to dragodis/rugosa
AcridRain Stealer
SEKOIA.IO recently tweeted about an updated version of the AcridRain stealer being “advertised by SheldIO on underground forums and sold for $300 a month”.
AcridRain employs a commonly observed mechanism for XOR decrypting strings constructed on the stack, support was added to report the configured C2 socket address and targeted filenames (which contain wildcards).
Example for AcridRain:
- Burix Packer loading AcridRain: d8b21932fd97df691e43a9404d5715dc
LowZero
Recorded Future has reported on likely TA413 activity, including the custom LowZero backdoor being deployed via Royal Road weaponized documents.
The Royal Road weaponized document decrypts and executes a LowZero loader component that LZF decompresses, XOR decrypts and loads an injector component – which subsequently runs the LowZero backdoor. Support was added to extract these components and report the LowZero configuration described in the referenced Recorded Future article.
Example for LowZero:
- Royal Road weaponized MalDoc deploying LowZero: 341b5b4c5250098421d16030386caf98
Snow Loader
While researching new reporting for IcedID, we analyzed a delivery mechanism leveraging MSI installers. The installers utilize a CustomAction to ultimately drop and execute an additional Binary from the MSI installer which is named calc (MD5: eaf85e9f10d0e3079484391d29307ae9) in the linked instance.
calc is a loader that decrypts and executes IcedID in memory. Analysis of the loader revealed similarities to Hexa, including its usage of an XOR-sub decryption algorithm and QuickLZ decompression, and after speaking with our friends at IBM this loader will be referred to as Snow. Support was added to extract embedded components from the Snow loader.
Example for Snow:
- MSI deploying Snow loader: eb93a0d10c8b95407415ddbfdb98e1b9
AESRT and Vohuk Ransomware
In one of their Ransomware Roundups, Fortinet detailed a new ransomware AESRT and a new variant of Vohuk ransomware.
AESRT AES-CBC encrypts files on disk using a key and IV derived from a hard-coded password, as described by Lab52. AESRT also provides an email address to contact for paying the ransom and retrieving a key (ransom password) to unlock their files, which is interestingly stored in plaintext in the AESRT binary. The AESRT module reports the AES-CBC file encryption parameters, the ransom password, and the contact email address.
Example for AESRT:
- AESRT ransomware: 0ada88218b67a313a4f5ab0062fbc4e6
Vohuk writes a ransom note to disk, which includes its version number, contact email addresses, and a unique-id to include in the email. The Vohuk module reports all of this information, including the ransom note filename, and outputs the ransom note.
Example for Vohuk:
- Vohuk ransomware: 428e2d6500b98a6059153e4a99bee22c
Dragodis Conversions
The following is a list of conversions in this release to leverage the Dragodis framework, rugosa library, and currently supported disassembler(s) (IDA and/or Ghidra):
- Denis (IDA/Ghidra)
- dneSpy (IDA)
- ELECTRICFISH (IDA)
- Evora (IDA)
- FunnyDream.Backdoor (IDA)
- FunnyDream.TcpTransfer (IDA)
- FunnyDream.MD_Client (IDA)
- joanap (IDA)
- Kobalos (IDA/Ghidra)
- LookBack (IDA)
- Matanbuchus (IDA/Ghidra)
- Mikroceen (IDA/Ghidra)
- Mirai (IDA)
- ncc (IDA)
- Neshta (IDA/Ghidra)
- NimzaLoader (IDA/Ghidra)
- OceanLotus.Downloader (IDA)
- OceanLotus.Dropper (IDA)
- OceanLotus.Shellcode (IDA)
- Okrum (IDA)