This release consists of the following:
- ShadowStealer (open-source project), including derivative stealers SamsStealer and XDdox
- SideLang variants (aka NSIXloader)
- DinodasRAT (aka Linodas, XDealer)
- WarmCookie Backdoor
- CSharp-Streamer RAT (aka eightpod)
- Release Crypter (CT named malware)
- Ghostlord Stealer
- Captian Stealer
- BlankOBFv2
- Luna Grabber Nuitka-compiled and Python code variants
- Enviar Stealer
- ZouZouZi Crypter and Stealer (CT named malware)
- GlorySprout malware
- Taurus Stealer
- Baxxxlock Locker and Downloader
- W4SP Stealer
- NerbianRAT and MiniNerbian
- WarpWire Stealer
- PieHop / LightWork malware
- Poseidon Loader and Stealer
- Niki malware
ShadowStealer
In mid-June, X user @crep1x posted about XDdox v2 Stealer (by YASH Hacking Team), which they identified as having previously been analyzed as SamsStealer by Cyfirma. Further research into XDdox and SamsStealer revealed that both are derivative works of the open-source ShadowStealer. Additional ShadowStealer samples revealed the reported authors TWD-Officials, webcarding, @Hackster_OP, and “ARMAN X ALAMIN” (Telegram channel @TEAMBLACKBERRY).
The ACCE ShadowStealer module reports the Telegram URL and, when available, the author and Telegram channel.
- ShadowStealer (XDdox): 1f913f8d71f0f4d65858b5ba0ea94a9c
- ShadowStealer (SamsStealer): 02fe599ed41cc4bd54a1d6a3cc2d830a
- ShadowStealer (TWD-Officials): 2567ab5b93f1adc9ea9835bb3f25e081
- ShadowStealer (webcarding): 2fb6fb67069fb5d69425450d0ae6db25
- ShadowStealer (@Hackster_OP): 8a1d5d4b73c12f357b1e8701fbfe994a
- ShadowStealer (ARMAN X ALAMIN): 9442c83d6f63563ce5f9e124e7754354
Ghostlord
X user @suyog41 previously posted information about Ghostly Stealer (see the blog post from April) and identified that Ghostly has since been rebranded as Ghostlord.
Research on the initial sample from @suyog41’s post revealed the use of BlankOBFv2, an updated version of an open-source Python obfuscator we observed in March. BlankOBFv2 has three possible Crypter layers in addition to variable and integer obfuscation (through binary operations):
- zlib compression and XOR encoding
- zlib compression, Base64 encoding, and converting the result to a series of “IP addresses”
- zlib compression, Base64 encoding, data splitting, and appending/prepending erroneous data to each split buffer
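As an added illustration of the three layers listed above (this is example code written here, not the ACCE module and not BlankOBFv2's own code), the following unwraps each layer in Python. The page does not give the byte-level details, so the XOR key length, the mapping of four Base64 characters to one dotted quad, and the fixed-length junk around each split chunk are assumptions; the encoders exist only to construct sample input under those same assumptions so the decoders can be checked offline.

```python
import base64
import re
import zlib

# Added example: reversing the three BlankOBFv2 crypter layers described above.
# Assumptions (not stated on the page): XOR uses a short repeating key; the "IP
# address" layer turns every 4 Base64 characters into one dotted quad of byte
# values; the split layer pads each chunk with the same number of junk
# characters before and after. The encoders only build sample data.

SAMPLE_PAYLOAD = b'print("constructed payload standing in for a stealer script")'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key length is an assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Layer 1: zlib compression + XOR encoding
def encode_xor_layer(payload: bytes, key: bytes) -> bytes:
    return xor_bytes(zlib.compress(payload), key)


def decode_xor_layer(blob: bytes, key: bytes) -> bytes:
    return zlib.decompress(xor_bytes(blob, key))


# Layer 2: zlib + Base64, rendered as a series of "IP addresses".
# Base64 output is always a multiple of 4 bytes, so every quad is full.
IP_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def encode_ip_layer(payload: bytes) -> str:
    b64 = base64.b64encode(zlib.compress(payload))
    return " ".join(".".join(str(b) for b in b64[i:i + 4]) for i in range(0, len(b64), 4))


def decode_ip_layer(text: str) -> bytes:
    b64 = bytearray()
    for quad in IP_RE.findall(text):
        b64.extend(int(octet) for octet in quad.split("."))
    return zlib.decompress(base64.b64decode(bytes(b64)))


# Layer 3: zlib + Base64, split into chunks with junk prepended/appended.
def encode_split_layer(payload: bytes, chunk_len: int, junk: str) -> list[str]:
    b64 = base64.b64encode(zlib.compress(payload)).decode()
    return [junk + b64[i:i + chunk_len] + junk for i in range(0, len(b64), chunk_len)]


def decode_split_layer(chunks: list[str], junk_len: int) -> bytes:
    # Strip junk_len characters from both ends of every chunk, then rejoin.
    b64 = "".join(c[junk_len:len(c) - junk_len] for c in chunks)
    return zlib.decompress(base64.b64decode(b64))


def roundtrip_all() -> bool:
    """Encode SAMPLE_PAYLOAD with each layer and confirm the decoder recovers it."""
    key = b"\x5a\xa5"
    ok_xor = decode_xor_layer(encode_xor_layer(SAMPLE_PAYLOAD, key), key) == SAMPLE_PAYLOAD
    ok_ip = decode_ip_layer(encode_ip_layer(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD
    chunks = encode_split_layer(SAMPLE_PAYLOAD, 16, "JUNK")
    ok_split = decode_split_layer(chunks, len("JUNK")) == SAMPLE_PAYLOAD
    return ok_xor and ok_ip and ok_split


if __name__ == "__main__":
    print("all three layers round-trip:", roundtrip_all())
```

When applying this to a real sample, the decoders are typically chained (a payload may sit under more than one layer), and the innermost result is usually another Python script that should be inspected rather than executed.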
We identified numerous uses of BlankOBFv2, including PyInstaller-compiled, Nuitka-compiled, Python script, and PYC samples. The payloads varied and included Ghostly, Ghostlord, Captian Stealer, Luna Grabber, Enviar Stealer, and a Crypter and Grabber for malware we are referring to as ZouZouZi based on the uploaded filename and the copyright string in multiple samples.
- BlankOBFv2 + Ghostlord: b4b3d315a0cec4781a58ec363147271a
- BlankOBFv2 + Captian: 074b9defbe2336c703b07c8313699884
- BlankOBFv2 + Enviar: 0ede6d87ea4980bcdb07179f4134d519
- BlankOBFv2 + ZouZouZi: be13775b17761eb7827609211c670158
WarmCookie
Elastic Security Labs and eSentire published reporting on a backdoor named WarmCookie, which contains RC4-encrypted strings stored in buffers consisting of a 32-bit data size, a 4-byte RC4 key, and the encrypted data. Elastic additionally released an IDAPython script for decrypting WarmCookie strings.
We added a WarmCookie ACCE module leveraging Dragodis and Rugosa, which is compatible with both IDA and Ghidra, and have additionally added it to our open-source ACCE parsers.
- WarmCookie: 0bf248f5b73ec79d2466a0849ff15cf1
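The string-buffer layout described above (32-bit size, 4-byte RC4 key, ciphertext) is simple enough to decode outside a disassembler. The following is an added, stand-alone Python example, not the ACCE module and not Elastic's IDAPython script. Two details the page does not state are assumed: the size field is little-endian and counts only the ciphertext bytes. The sample blob is constructed in the code so it runs offline.

```python
import struct

# Added example: decrypting WarmCookie-style string buffers
# (u32 size | 4-byte RC4 key | ciphertext). Assumptions not on the page:
# little-endian size field covering only the ciphertext. Sample data is
# constructed below; it is not from a real sample.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_string_buffer(plaintext: bytes, key: bytes) -> bytes:
    """Construct one buffer in the assumed layout (used only to make sample data)."""
    if len(key) != 4:
        raise ValueError("RC4 key must be 4 bytes")
    ciphertext = rc4(key, plaintext)
    return struct.pack("<I", len(ciphertext)) + key + ciphertext


def decrypt_string_buffer(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Decrypt the buffer at offset; return (plaintext, offset of the next buffer)."""
    if len(blob) - offset < 8:
        raise ValueError("truncated header")
    (size,) = struct.unpack_from("<I", blob, offset)
    key = blob[offset + 4:offset + 8]
    start, end = offset + 8, offset + 8 + size
    if end > len(blob):
        raise ValueError(f"size {size} at offset {offset} runs past end of data")
    return rc4(key, blob[start:end]), end


def decrypt_all(blob: bytes) -> list[bytes]:
    """Walk back-to-back buffers and decrypt each one in order."""
    strings, offset = [], 0
    while offset < len(blob):
        plaintext, offset = decrypt_string_buffer(blob, offset)
        strings.append(plaintext)
    return strings


def is_printable(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)


def scan_candidates(blob: bytes, max_size: int = 4096) -> list[tuple[int, bytes]]:
    """Try every offset as a header and keep decrypts that look like text.
    Useful when buffer boundaries are unknown, e.g. a dumped data section."""
    hits = []
    for offset in range(len(blob) - 8):
        (size,) = struct.unpack_from("<I", blob, offset)
        if size == 0 or size > max_size or offset + 8 + size > len(blob):
            continue
        plaintext, _ = decrypt_string_buffer(blob, offset)
        if is_printable(plaintext):
            hits.append((offset, plaintext))
    return hits


# Constructed sample: three strings, each under its own 4-byte key.
SAMPLE_STRINGS = [b"Mozilla/5.0 (constructed user agent)",
                  b"constructed-c2.example.invalid",
                  b"%s\\constructed.dll"]
SAMPLE_KEYS = [b"\x11\x22\x33\x44", b"K3Y!", b"\xde\xad\xbe\xef"]
SAMPLE_BLOB = b"".join(build_string_buffer(s, k) for s, k in zip(SAMPLE_STRINGS, SAMPLE_KEYS))
SAMPLE_OFFSETS = [sum(8 + len(s) for s in SAMPLE_STRINGS[:i]) for i in range(len(SAMPLE_STRINGS))]


if __name__ == "__main__":
    for off, text in scan_candidates(SAMPLE_BLOB):
        print(f"0x{off:04x}: {text!r}")
```

The scanner is the part worth keeping for triage: pointed at a dumped section of an unpacked sample, it surfaces candidate strings without first locating the decryption routine, and the printable-text filter discards the false positives that random 4-byte windows produce.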