ACCE Release Notes v2.5.20240201

Release Notes

This release consists of the following:

  • OceanMap malware
  • MasePie malware
  • GuLoader packer variant
  • Medusa gaze ransomware
  • PyInstaller malware support
    • Cryptonite ransomware
    • Shellcode_Loader malware
    • Luna Grabber malware
    • pyImpossibleObf Python Obfuscator
    • Vare Loader and Stealer
    • SmallSieve Backdoor
  • LodeInfo Macros and Downloader
  • RisePro Stealer (C#)
  • RoboSki Crypter (Split-Param Variant)
  • Hornet Stealer
  • AllaKore Implant configured with multiple addresses
  • Kaje Downloader (CT named malware)
  • DarkGate MSI+AutoIt Loader and v6.1.6 implant
  • DBatLoader Packer and Downloader variants

APT28 Malware

CERT-UA published research on an APT28 attack from mid-December 2023, including the MasePie downloader and implant, and the OceanMap backdoor (written in C#).

The ACCE modules for MasePie support extracting the download URLs from the LNK downloader, and the C2 socket address from the Python implant.

The OceanMap backdoor module obtains and reports the C2 socket addresses and network credentials.

Medusa gaze Ransomware

Palo Alto’s Unit 42 published an article on Medusa gaze Ransomware earlier this month, describing an escalation in the threat actor's activity. As their reporting noted, strings are XOR decrypted after being loaded onto the stack from a separate function, which can make decryption of the strings tedious. The ACCE module for the ransomware decrypts all strings using DC3’s Dragodis framework and rugosa library. It additionally decrypts the ransom note, reporting embedded information including URLs, email addresses, and the Tox ID.

PyInstaller Malware

Continuing from our last update, we added additional modules for various PyInstaller malware as denoted above. The usage of pyImpossibleObf to protect the Vare malware resulted in the addition of a few modules to support the obfuscation. Research on Luna Grabber revealed widespread usage and recent uploads to VirusTotal; starting from the one sample reported by ReversingLabs, we identified a few hundred additional samples.

LodeInfo

ITOCHU published research on file-less malware LodeInfo versions from 2023 into 2024, including information about updated Macro deployments, downloaders, and DLL side-loading of the backdoor.

The MSO Macros contain 32- and 64-bit versions of the downloader shellcode, and the reported variants decode the shellcode using either Base64 or XOR algorithms. In both variants, the encoded shellcode is split among numerous functions, either as an array of bytes or as a string, and combined in a reference function prior to decoding and execution in memory. Support was added for both variants.

As reported by ITOCHU, some variants of the downloader derive an AES-CBC key for decryption of the downloaded component. For those variants, the ACCE module derives the key, and for all variants the download URL(s) are XOR decrypted for reporting.

The LodeInfo backdoor functions similarly to already supported variants, the major differences being the change in the API hashing algorithm (from CRC32 to the custom algorithm described by ITOCHU), and the usage of a Vigenere cipher for network decryption. The LodeInfo backdoor module was updated to report the network decryption parameters.

RisePro Stealer (C#)

After adding support for the RisePro loader in October, we saw that Any.Run published research on additional RisePro modules, including a stealer written in C# and obfuscated using ConfuserEx. Interestingly, the configuration parameters are Base64 encoded and stored in a PE resource (as opposed to a .NET resource) and loaded at runtime. The ACCE module decodes and reports the configuration, then identifies where the default configuration settings are stored in order to report the RisePro version.

Hornet Stealer

X (formerly known as Twitter) user @spamhaus started a thread about a Go-based stealer dubbed Hornet, which decrypts strings using the Fernet algorithm. Using the information presented in the thread, we obtained a Hornet sample from VirusTotal and added a module to decrypt strings and report a C2 socket address and AES-GCM network key.

AllaKore

BlackBerry published research on a modified version of the open-source AllaKore implant being used against Mexican banks, specifically using an MSI to deploy a .NET compiled downloader to retrieve and run the AllaKore implant.

The downloader was unnamed in reporting, and we are calling it Kaje based upon the filename of the initial downloaded component, “Kaje.zip”.

With the exception of one sample, existing ACCE support for AllaKore handled all of the samples from the BlackBerry report. AllaKore is typically configured with a single C2 address and port, while the outlier sample was configured with two C2 addresses. The AllaKore module was updated to support this variant.

DarkGate

Over the past month, various outlets have reported on an updated DarkGate infection chain involving a parent MSI file and AutoIt, including Splunk, VMRay, and S2W Lab. During that time, X user @spamhaus posted that DarkGate had deployed a new version, v6.1.6, which uses a new method of decrypting configuration data. The configuration data is decrypted using a custom XOR algorithm, represented using the Python code below.

def darkgate_xor(data: bytes, key: bytes) -> bytes:
    key_index = 0
    key_size = len(key)
    decrypted = bytearray()
    for datum in data:
        key_byte = key[key_index]
        decrypted.append((datum ^ key_byte) & 0xff)
        # The next key index depends only on the current key byte and index,
        # never on the data being decrypted.
        key_index = (key_byte + key_index) % key_size
        if not key_index:
            # A computed index of 0 is remapped to the last key byte.
            key_index = key_size - 1
    return bytes(decrypted)

The algorithm contains a weakness where it can degenerate into a single-byte XOR algorithm. This occurs when the value of the key at a specific index is a multiple of the length of the key: the index walk then maps that index back onto itself and never leaves it. More complex degenerate cases also exist where the algorithm iterates through only a small subset of the full XOR key.
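Because the key-index walk depends only on the key, an analyst can inspect a recovered key and determine in advance whether it collapses to single-byte XOR or cycles through a subset of the key. The following is an added example (not ACCE module code); the two 4-byte keys are constructed for illustration, not taken from a sample.

```python
from typing import List, Set

def darkgate_xor(data: bytes, key: bytes) -> bytes:
    """The v6.1.6 configuration XOR. It is symmetric: the same call both
    encrypts and decrypts, because the index walk ignores the data."""
    key_index, key_size, out = 0, len(key), bytearray()
    for datum in data:
        key_byte = key[key_index]
        out.append(datum ^ key_byte)
        key_index = (key_byte + key_index) % key_size
        if not key_index:
            key_index = key_size - 1
    return bytes(out)

def key_index_schedule(key: bytes, length: int) -> List[int]:
    """Sequence of key indices consumed for `length` bytes."""
    key_index, key_size, schedule = 0, len(key), []
    for _ in range(length):
        schedule.append(key_index)
        key_index = (key[key_index] + key_index) % key_size
        if not key_index:
            key_index = key_size - 1   # so index 0 is only ever used once
    return schedule

def steady_state_indices(key: bytes) -> Set[int]:
    """Key indices still in use once the walk has entered its cycle. The walk
    is a function on len(key) states, so after len(key) steps it is inside the
    cycle and the following len(key) steps cover the whole cycle."""
    n = len(key)
    return set(key_index_schedule(key, 2 * n)[n:])

def degenerates_to_single_byte(key: bytes) -> bool:
    """True when the walk gets stuck on one index (single-byte XOR)."""
    return len(steady_state_indices(key)) == 1

def self_looping_indices(key: bytes) -> List[int]:
    """Non-zero indices whose key byte is a multiple of len(key); reaching
    one traps the walk there, the weakness described above."""
    n = len(key)
    return [i for i in range(1, n) if key[i] % n == 0]

if __name__ == "__main__":
    weak_key = bytes([0x10, 0x20, 0x03, 0x07])   # constructed: key[1] = 32 = 8 * 4
    good_key = bytes([0x05, 0x01, 0x09, 0x0A])   # constructed: cycles over indices 1..3
    for key in (weak_key, good_key):
        print(key.hex(), key_index_schedule(key, 8), steady_state_indices(key),
              degenerates_to_single_byte(key), self_looping_indices(key))
    blob = b"constructed config blob"
    assert darkgate_xor(darkgate_xor(blob, good_key), good_key) == blob
```

Note that index 0 can never be produced by the walk, so even a healthy key uses its first byte for only the first byte of data.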

Following the thread from @spamhaus, we identified a few MSI + AutoIt infection chains which ultimately deployed DarkGate v6.1.6, and we updated ACCE support accordingly.

In addition to a new decryption algorithm, we observed the following changes for the DarkGate configuration:

  • A list of C2 addresses can now be found directly in the configuration settings. In previous versions the C2 URLs were stored separately.
  • The usage of each configuration key has changed from what has previously been reported, as seen below. Any keys not present were not observed in the analyzed samples.
Key    Description                                                                 Type
0      C2 address listing                                                          String
1      Unknown                                                                     Boolean
3      Virtual Machine detection                                                   Boolean
4      Minimum disk storage check                                                  Boolean
5      Server detection                                                            Boolean
6      Virtual Machine detection (Same as 3)                                       Boolean
7      Minimum RAM size check                                                      Boolean
8      Display message box                                                         Boolean
11     Message box caption                                                         String
12     Message box text                                                            String (Base64 encoded)
13     Unknown                                                                     Integer
14     Unknown                                                                     Boolean
15     Port                                                                        Integer
18     Minimum disk storage value                                                  Integer
19     Minimum RAM size value                                                      Integer
21     Unknown                                                                     Boolean
22     Unknown                                                                     Boolean
23     Unknown                                                                     Boolean
24     Unknown                                                                     String
25     Unknown                                                                     String
26     Unknown                                                                     Boolean
27     Stager constant (egg, XOR key)                                              String
28     Unknown                                                                     Boolean
29     Unknown                                                                     Integer
tabla  Alphabet for test.txt, used by AutoIt script to run and extract component   String