This release consists of the following:
- XWorm V5.6 variant
- Mint malware
- RedRose Crypter
- xorto Stealer
- Duvet Stealer
- Try Stealer
- Update Waltuhium Stealer to identify the derivative work Hellion KeyLogger
- Hawkish-Eyes Grabber
- GrMsk variant (referred to as Acrid Stealer by Kaspersky)
- Scarlet Stealer
- EAZfuscator obfuscated version of DcRat
- Obj3ctivity malware (Downloader and Stealer components), both obfuscated using UnseeSharp
- Shiraza Crypter (CT named malware)
- AgentMask Crypter
- ShellcodeEncryptor Injector
- Roosevelt Clipper
- EclipseRAT
- Hex and Base64 encoded variants of Poseidon Loader
- DBatLoader Steganography Crypter variants
- Candy Grabber, and derivative Grabbers Papu, YumaClicker, and Goofed
- Alientech Stealer
- LERY Stealer
- Image Stealer
- Kematian Stealer
xorto Stealer
xorto is a stealer written in JavaScript which was posted about on X by users @suyog41 and @sarfraz432. As @sarfraz432 noted, xorto has been distributed using the Electron Packager, and is obfuscated using the open-source RedRose Crypter.
The RedRose Crypter uses scrypt to derive an AES-GCM key and decrypts the embedded JavaScript component with it. Pivoting on VirusTotal (VT) to identify additional RedRose Crypter samples, we found Duvet Stealer and Try Stealer (the latter named for the malware's internal name) as payloads.
- RedRose + xorto: 1d1f96bcdc4e828be2b6b1b924776e43
- RedRose + Duvet: 469c7d2dc40ae985c53c054928b78d3f
- RedRose + Try: a856d5c5e0e1609efc0a4aa9c224e921
Obj3ctivity Stealer
Obj3ctivity (aka PXRECVOWEIWOEI) is a .NET-based Stealer that has been researched by CERT-AGID and described by X user @suyog41. The latest CERT-AGID research introduced a downloader component for Obj3ctivity, which fetches a gzip-compressed, Base64-encoded component, Base64-decodes and decompresses it, and executes the result in memory.
Both the downloader and Stealer components are obfuscated using the open-source UnseeSharp obfuscator, which protects strings using native code and/or base64 encoding. The obfuscator can also AES encrypt strings, but this was not observed during research. In addition to using UnseeSharp, the Obj3ctivity components decode strings using a subtraction operation, distinguishing Obj3ctivity samples from other UnseeSharp obfuscated malware.
Research into UnseeSharp led to the discovery of Shiraza Crypter (named for its namespace) and AgentMask Crypter.
Shiraza Crypter contains AES-CBC encrypted payloads in its resources, which include BlankGrabber, Obj3ctivity Downloader, WarzoneRAT, and QuasarRAT.
AgentMask Crypter contains AES-ECB encrypted component(s) in its resources, and also has an internal configuration which consists of a mutex and installation parameters (an installation path and scheduled task). Payloads for AgentMask include DcRat, XWorm, and 44 Caliber Stealer.
Projects containing the same code base as AgentMask were also identified, including Eclipse-RAT and Roosevelt Clipper. In addition to the configuration parameters in AgentMask, Eclipse-RAT contains a Telegram URL, while Roosevelt Clipper contains a Telegram URL and CryptoCurrency wallet addresses. Eclipse-RAT payloads include Phoenix Clipper, XWorm, and DcRat, while Roosevelt Clipper payloads include XWorm.
- Obj3ctivity Stealer: ab5ba271daa916ae539e8f9a4afca9bc
- Shiraza + Obj3ctivity Downloader: 0b40ca11733a660ffef6bcd024f7dc60
- AgentMask Crypter + Donut + XWorm: 5e8ba81fc6966dd2ed504d43ea82a5be
- Eclipse-RAT + Phoenix + XWorm + DcRat: 2c180678f2e7b756dbf4df6b71c1878e
- Roosevelt Clipper + XWorm: 9d34767c25d0c3e9a46b65ec68dcdbb5