Release Notes
This release consists of the following:
- ComeBacker malware
- Sapphire open-source Stealer
- FUD open-source Loader
- XRed malware
- SectopRAT malware (ModC-obfuscated)
- ModC-obfuscated Agent Tesla variant
- Cinoshi CryptoMiner (ModC-obfuscated)
- ModC-obfuscated DiscordRAT variant
- Lime-Loader (including ModC-obfuscated variant)
- VanillaRAT (including ModC-obfuscated variant)
- ModC-obfuscated XWorm variant
- DevXStudio’s Phoenix Clipper (including ModC-obfuscated variant)
- Solan Stealer
- pycrypt Python Crypter
- FBTin Stealer (CT-named malware)
ComeBacker
JPCERT published research on a new campaign by the Lazarus threat actor, leveraging compromised PyPI packages to deliver malware, including ComeBacker.
The research described two different side-loaders: one uses XOR followed by zlib decompression, and the other uses a decoding algorithm that we identified as HC-256, a software-efficient stream cipher developed in 2004.
Support was added in ACCE for the initial loader, each side-loader, and the installer. Support was also added to extract the C2 URLs from the implant.
- ComeBacker Loader: 46127a35b73b714a9c5c58aaa43cb51f
- ComeBacker Loader: a6e7c231a699d4efe85080ce5fb36dfb
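As an added illustration of the first side-loader scheme described above (XOR, then zlib decompression), the following Python is example analyst code, not ACCE's own module or anything recovered from the ComeBacker samples. It assumes a repeating-key XOR layer over a standard zlib stream; the key length, the sample blob and the placeholder payload are all constructed here for the demo. The HC-256 side-loader is not covered.

```python
# Added example (not ACCE code): recover and decode an XOR-then-zlib wrapped payload.
# Key layout is an assumption; DEMO_* values are constructed fixtures, not real artefacts.
import zlib


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_zlib(buf: bytes) -> bool:
    """Check the two-byte zlib header: compression method must be 8 (deflate)
    and CMF/FLG must satisfy (CMF*256 + FLG) % 31 == 0 (RFC 1950)."""
    if len(buf) < 2:
        return False
    cmf, flg = buf[0], buf[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def decode_payload(blob: bytes, key: bytes) -> bytes:
    """Undo the XOR layer, then inflate. Raises zlib.error on a wrong key."""
    return zlib.decompress(xor_bytes(blob, key))


def recover_single_byte_key(blob: bytes) -> list[int]:
    """Return one-byte key candidates for which the un-XORed data carries a valid
    zlib header AND inflates cleanly; the Adler-32 trailer check inside
    zlib.decompress rules out header-only false positives."""
    hits = []
    for k in range(256):
        key = bytes([k])
        if not looks_like_zlib(xor_bytes(blob[:2], key)):
            continue
        try:
            zlib.decompress(xor_bytes(blob, key))
        except zlib.error:
            continue
        hits.append(k)
    return hits


def build_demo_blob(payload: bytes, key: bytes) -> bytes:
    """Construct a fixture in the order the notes describe the encoding layer
    (deflate first, then XOR). For the demo only."""
    return xor_bytes(zlib.compress(payload), key)


# Constructed fixture: a placeholder payload with an obviously fake URL.
DEMO_PAYLOAD = b"constructed placeholder payload: http://c2.example.invalid/gate\n" * 4
DEMO_KEY = bytes([0x5A])
DEMO_BLOB = build_demo_blob(DEMO_PAYLOAD, DEMO_KEY)

if __name__ == "__main__":
    keys = recover_single_byte_key(DEMO_BLOB)
    print("candidate keys:", [hex(k) for k in keys])
    print(decode_payload(DEMO_BLOB, bytes([keys[0]]))[:64])
```

The header check alone is a cheap filter; the full inflate with its Adler-32 verification is what makes a recovered key trustworthy, and the same two-stage check generalises to longer keys by testing one key byte per zlib-header position before attempting a full decompression.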
SectopRAT
SectopRAT, aka ArechClient2, is a .NET compiled RAT that was first reported on in 2019 and we first saw a sample when researching HijackLoader (IDAT Loader). As noted by researcher dr4k0nia, newer versions of SectopRAT are highly obfuscated, and also employ a unique algorithm for decrypting strings from a .NET resource named “resource”.
However, this obfuscation is not unique to SectopRAT; Cisco Talos, among others, has documented it in its analysis of the Dark Test cryptomining malware. We conducted further research into usage of the obfuscator and identified it being leveraged with at least the following malware families: Agent Tesla, Cinoshi CryptoMiner, DiscordRAT, Lime-Loader, VanillaRAT, XWorm, and DevXStudio’s Phoenix Clipper.
Despite the seemingly widespread usage of the obfuscator, we were unable to identify an existing name for it and are calling it ModC. Support was added for SectopRAT and each of the malware families described.
- SectopRAT: 471ff5b1235a7b3951b39d02e31063fa
- Cinoshi CryptoMiner: 7290a909e67073c3f8df1c05bfd252d9
- Agent Tesla: ae37c86b8e699286f1c44bc9541b06af
- VanillaRAT: c75109d8c7e0d7a317630cf2fab978a7
- Phoenix Clipper: 1f59169c75db82aa340386c9f461da2c
Solan Stealer
Solan Stealer is a Python stealer, identified by researcher @suyog41, which steals Facebook information and exfiltrates it via Telegram. The initial sample from the post is a Nuitka-compiled OneFile binary, and we added initial Nuitka unpacking support to ACCE to support this workflow. From within the Nuitka-compiled binary we extracted constants for a pycrypt-protected module which contains an XOR-encoded payload. The payload was the full Solan Stealer Python script, from which we report URLs and a mission ID.
From that initial post, @suyog41 had a series of references for related samples, all compiled using Nuitka. We identified that the payloads for each of the samples were Facebook stealers, and are referring to them as FBTin. One of the samples had an obfuscated loader layer for an embedded FBTin pyc, while the other loaded the FBTin payload directly. The ACCE modules for the FBTin samples report URLs, Google IAM account parameters, and a spreadsheet ID.
- pycrypt + Solan: 7aaa2270c6044527c0e373648ca6d350
- FBTin: 5272daca12ee17be3edded2adee88485
- FBTin: cd48e1a4caceea0474973a75582f18ee