Release Notes
This release consists of the following:
- Freeze Crypter
- Donut shellcode variants including Cruller (v1.0), Bear Claw (v0.9.2) and v0.9.3 releases
- Covenant Grunt-HTTP Stager
- DcRat variant with reported version “-3.0listener:”
- Apollo Agent
- ValleyFall Implant
- GobypassAV loader
- DllToShellcode loader
- Http Malleable module in Empire post-exploitation framework
- PoshC2 framework modules including: FComm, Dropper.XOR, Implant-Core (PowerShell), SharpDll, and DropperCS
- Stager module in NorthStarC2 framework
- ClientWS implant
- DogCheck Watchdog
- RedFlag downloader
- Gh0stCringe malware
- 3rd party agent for Havoc that CT is calling HavocAgent
- GoexeDumpFile loader
- Orca Puppet module in OrcaC2 framework
- Sality-infected files
- ReZer0 XOR-Sub loader variants using ConfuserEx obfuscation and ConfuserEx + .NET Reactor obfuscation
- FormBook Loader variant which XOR decrypts RC4 keys
- Dark Angels Team Ransomware
- Mirai variant which does not have a branch name
- Phemedrone Stealer
Freeze Crypter
Researcher gi7w0rm posted research on DDGroup, which involved the usage of the open-source Freeze Crypter, specifically with sample MD5 6f987e223d5e14f3119c0f51b0fdcc4c.
While developing an ACCE module for the Freeze Crypter, we identified its usage of embedded shellcode to decrypt, decompress, and load the final XWorm RAT payload. The shellcode was identified as open-source Donut Shellcode, specifically the Bear Claw (v0.9.2) release.
A VirusTotal RetroHunt with rules we developed for Freeze yielded 47 additional samples, 46 of which contained the Bear Claw version of Donut before a final payload of XWorm, QuasarRAT, or AsyncRAT.
Our RetroHunt for Donut yielded nearly 200 samples, which spanned various Donut releases including Cruller (v1.0), v0.9.3, and what appeared to be a version between v0.9.3 and Cruller. There were numerous open-source payloads within that sample set, such as Apollo Agent, PoshC2 modules, and NorthStarC2. We additionally identified malware including Gh0stCringe and ValleyFall.
Support was updated or added for identified payloads, and examples can be observed below:
- Freeze + Donut + AsyncRAT: 03d10de6e05619a2f9521577f4fd574f
- Donut + Apollo: fd85d11930c40b8ff0622967e65f0cc3
- Donut + ValleyFall: 3d56a14a4832b271137a0d3f4b2f4081
Sality
Observed since at least 2003, Sality is a virus which typically infects local or remote binaries on a compromised system. Sality adds a PE segment to the end of an infected file, which contains decryption code for the embedded Sality Virus. The ACCE module for Sality decrypts the Sality Virus and reports on embedded configuration including the C2 URLs.
- Sality Infected File: 3e6385ce5f06595a265eebb6a6e63f80
Dark Angels Team Ransomware
Bleeping Computer posted on 27 September about Johnson Controls being the target of a ransomware attack by Dark Angels Team, specifically using the VMWare ESXi encryptor variant. After obtaining samples from posts by Gameel Ali and Uptycs, we added detection and support for Dark Angels ransomware to extract the ransom note and report the evidence, live-chat, and publication site URLs.
- Dark Angels ransomware: 5cc2306e9e0aa8d1cb095791febf89b3