Release Notes
This release consists of the following:
- KamiKakaBot Malware
- Kraken Keylogger
- Snake Crypter
- Dm8Media Dropper
- FormBook Loader variant
- Ransomware support:
- Akira
- Babuk
- BlackHunt
- BlackSuit
- CrossLock
- LockBit 3.0 (Black) and ESXi variants
- Uniza
KamiKakaBot
EclecticIQ and Group-IB posted research about Dark Pink APT attacks in early 2023, specifically about the usage of a custom implant dubbed “KamiKakaBot”. We built support for the reported side-loader, loader, and implant variants, enabling a user to upload the ISO Image container and extract/report information down the chain of components.
- KamiKakaBot ISO Image Carrier: 98beb20ef1e4d629965c9132be8feb07
- KamiKakaBot ISO Image Carrier: 836184b7387b212f8b7f064d5e60f587
Kraken Keylogger and Snake Crypter
Researcher 0xToxin posted about Kraken Keylogger, including analysis about the malware and associated threat hunting research. Our Kraken Keylogger support includes reporting of the communications type (FTP, SMTP, or Telegram), and based upon that communications type the associated configuration.
Our analysis of the reported “Stage 1 Loader” and its unique usage of System.Text.Encoding.get_BigEndianUnicode to derive an RC2 key led us to discover ~250 samples of the Crypter on VirusTotal.
One of the samples, MD5 001624ff45fdeedb1e5a52bbcefa4984, has the original filename SnakeCrypter.exe, which we believe is a residual artifact of the SnakeCrypter tool sold by the creators of Snake Keylogger. Based on this analysis, we refer to the “Stage 1 Loader” as Snake Crypter and the “Stage 2” as Snake Loader. Our research revealed numerous payloads being protected using Snake Crypter, including 44 Caliber Stealer, Agent Tesla, BluStealer, DcRat, FormBook, HawkEye Keylogger, Kraken Keylogger, LokiBot, NanoCore, QuasarRAT, RedLine Stealer and Clipper, Snake Keylogger, Stealc, WarzoneRAT, and XWorm.
When running the Snake Crypter capability against the downloaded samples, we observed that our FormBook loader support was failing against two (2) of payloads. Analysis of those samples indicated a new variant which uses a second RC4 cipher for decrypting the embedded payload in 256-byte blocks. And additional FormBook module was added to support this variant.
In addition to the malware families listed above, the Snake Crypter payloads included some generic .NET Crypters which used Gzip compression, and a dropper we are calling Dm8Media.
Dm8Media contains AES-CBC encrypted and Base64 encoded components in its .NET resources, which are written to disk during runtime and subsequently read back in for decoding/decryption. The dropper contains a mix of publicly available code and was named based upon the AES-CBC derivation password and one of the payload filenames.
- Snake Crypter + Kraken Keylogger: 29531f95f2ffc356c67975a60effa857
- Snake Crypter + FormBook Loader Variant: 6ab9f2db2c24194ed50286d6c40a6ad0
- Snake Crypter + Dm8Media Dropper: 11669bb2672f587935aa99d9cfda1ef7
Ransomware
With this release we specifically wanted to add modules supporting recently observed ransomware in the wild. We used a combination of recent ransomware uploads to Malware Bazaar, articles on Ransomware BlogSpot, and the ransomware tag on Valhalla to add support for the following ransomware families:
- Akira: af95fbcf9da33352655f3c2bab3397e2
- Babuk (ESXi): d95dd99b3228b31ed17f9b467b9381c4
- Babuk (Windows): 15b1147bcc846fe5dd750a3b02b8e552
- BlackHunt: ce26954ce288e7647fb194d52e95a660
- BlackSuit (Linux): 9656cd12e3a85b869ad90a0528ca026e
- BlackSuit (Windows): 748de52961d2f182d47e88d736f6c835
- CrossLock: 9756b1c7d0001100fdde3efefb7e086f
- LockBit 3.0 (Black): 05e1d9a79cbf7efdab7aaacf74290e27
- LockBit (MachO): 8facf23309fde7100ea0969238bd6a3e
- LockBit (MIPS): 779093f9a6572b03e6d82d17ca4078ab
- Uniza: 13b929afb57a36f9c35e15aca70b75a7