ACCE Release Notes v2.5.20240520

This release consists of the following:

  • ModC-Obfuscated njRAT variant
  • Clean Crypter variant
  • Cuttlefish malware
  • JCrypt ransomware
  • BSR (Binary Stub Replacer) Crypter
  • Condor open-source injector
  • Divinity Protector open-source injector
  • Mario Loader and Seed Hunter
  • ABD Downloader and Implant (CT named malware)
  • PyFuscate open-source Crypter
  • PyObfuscate Crypter
  • RubyRAT open-source Crypter
  • Waltuhium open-source Obfuscator and Grabber
  • ARCrypt Ransomware

BSR (Binary Stub Replacer) Crypter

Cisco Talos recently published research on suspected CoralRaider activity. Their research included a Python-based Crypter compiled using PyInstaller that ultimately contained a Rhadamanthys payload. We homed in on this Crypter, which was named BSR.py, and found additional versions named Binary_Stub_Replacer.py. Based on this naming, we refer to the Crypter as Binary Stub Replacer, or BSR for short. Using VirusTotal, we ultimately identified 73 BSR PyInstaller samples consisting of 32 unique BSR Crypters.

For the next-stage loader/injector, we identified that the sample observed in the Talos reporting is based on code from the open-source Condor project. Most of the BSR samples we observed used this Condor variant; however, some used a loader/injector based on the open-source Divinity Protector, and two contained a Python downloader that we could not link to any open-source project.

The payloads for BSR included Rhadamanthys, Lumma Stealer, Mario Loader, a Mario variant self-described as Mario Seed Hunter, RedLine Stealer, and a new malware family we call ABD based upon a string observed in URL paths.

We observed two different ABD components. The first is a downloader that uses a dead-drop resolver to obtain further configuration and download addresses, and writes the AES-CBC encrypted configuration to disk. The second is an implant that reads the configuration from disk and otherwise contains no embedded C2 configuration.

Waltuhium Malware

Waltuhium is an open-source Obfuscator and Grabber that has been observed in the wild, as posted on Twitter by @suyog41. While adding support for Waltuhium, we observed the use of various Crypters, including the open-source PyFuscate and RubyRAT, as well as PyObfuscate, an online Python Crypter.

In the samples we collected, whenever the RubyRAT Crypter or PyObfuscate was used, the Waltuhium Grabber payload was not configured, which may indicate these Crypters were being used for testing purposes.

ARCrypt Ransomware

On May 14th, @MalwareHunterTeam posted that they observed an ELF binary of ARCrypt Ransomware. Unlike Windows versions of ARCrypt, such as those analyzed by Cyble, the ransom note is encrypted; specifically, the ransom note is encrypted using XTEA with little-endian word order and 32 rounds (instead of the standard 64).
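To make the cipher parameters above concrete for an analyst, here is an added Python example (not ACCE code and not taken from the ARCrypt sample): an XTEA block cipher with little-endian word order and a configurable round count, plus an ECB-mode helper for decrypting a multi-block note. The round count follows the convention used in the note above, where standard XTEA is 64 rounds (32 double-round cycles in the common reference implementation) and the ELF variant uses 32. ECB mode, the sample key and the sample note are assumptions made for the demonstration; nothing on the page states the mode of operation or the key material.

```python
import struct

DELTA = 0x9E3779B9   # XTEA key-schedule constant
MASK = 0xFFFFFFFF    # keep every intermediate value at 32 bits
BLOCK = 8            # XTEA block size in bytes


def _check(block: bytes, key: bytes, rounds: int) -> None:
    if len(block) != BLOCK or len(key) != 16 or rounds % 2:
        raise ValueError("need an 8-byte block, a 16-byte key and an even round count")


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 64) -> bytes:
    """Encrypt one 8-byte block.

    `rounds` counts Feistel half-rounds: 64 is standard XTEA (32 cycles),
    32 is the reduced-round variant described for the ARCrypt ELF binary.
    Words are loaded and stored little-endian ("<").
    """
    _check(block, key, rounds)
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    s = 0
    for _ in range(rounds // 2):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 64) -> bytes:
    """Invert xtea_encrypt_block: start from the final sum and walk backwards."""
    _check(block, key, rounds)
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    cycles = rounds // 2
    s = (DELTA * cycles) & MASK
    for _ in range(cycles):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_ecb(data: bytes, key: bytes, rounds: int, encrypt: bool) -> bytes:
    """Apply the block function to each 8-byte block independently (ECB).

    ECB is an assumption for this demonstration; the page does not state
    which mode the ransomware uses. Partial trailing blocks are rejected.
    """
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 8-byte blocks")
    fn = xtea_encrypt_block if encrypt else xtea_decrypt_block
    return b"".join(fn(data[i:i + BLOCK], key, rounds) for i in range(0, len(data), BLOCK))


def decrypt_note(ciphertext: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Decrypt a note with the reduced 32-round schedule (the default here)."""
    return xtea_ecb(ciphertext, key, rounds, encrypt=False)


# Constructed sample data for the demonstration (not from any real sample):
# a 16-byte key and a 24-byte (three-block) note.
SAMPLE_KEY = bytes(range(16))
SAMPLE_NOTE = b"constructed sample text!"
SAMPLE_CIPHERTEXT = xtea_ecb(SAMPLE_NOTE, SAMPLE_KEY, 32, encrypt=True)


def demo() -> bytes:
    """Round-trip the constructed note at 32 rounds and return the plaintext."""
    return decrypt_note(SAMPLE_CIPHERTEXT, SAMPLE_KEY, rounds=32)


if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT.hex())
    print(demo())
    # Using the standard round count on the reduced-round ciphertext yields garbage,
    # which is the practical reason the round count matters when writing a decryptor.
    print(decrypt_note(SAMPLE_CIPHERTEXT, SAMPLE_KEY, rounds=64))
```

The round count and word order are the two knobs most likely to trip up an off-the-shelf XTEA implementation when recovering the note, which is why both are explicit parameters rather than hard-coded.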
