ACCE Release Notes v2.7.20241009

This release consists of the following:

Added

  • Poseidon Loader variants
    • Base64 (custom alphabet) + Subtraction + Hex-decode
    • Hex-decode + RC4
    • Variant where configuration is stored in the Loader instead of the Stealer
  • BeznoGym side-loader (CT named malware)
  • Differentiate Amnesia Stealer from Blank Grabber (Amnesia is a direct copy)
  • Gleaming Pisces malware PoolRAT and PondRAT
  • Sepand ransomware (aka S3P4ND)
  • PeakLight/Mustard Sandwich related malware:
    • YASS malware (stealer and clipper)
    • HijackLoader ISO container
    • PeakLight malware (loader and downloader)
  • SambaSpy malware (downloader, dropper, and implant)
  • Sparkling Pisces malware:
    • KLogEXE keylogger
    • FPSpy malware (dropper and implant)
  • CeranaKeeper malware:
    • DropboxFlop backdoor
    • WavyExfiller stealer
    • YK0130 reverse shell
  • Vidar Base64 + RC4-SkipKey variant
  • Iranian malware:
    • Veaty backdoor
    • Spearal backdoor
    • FortiVee dropper (CT named malware) observed installing Veaty and Spearal
    • Hawking listener

Updated

  • PLEAD ELF Implant (RC4) support
  • IceNova (AES-CTR) support
  • Warlock Loader (add decryption variant)
  • Tighten SystemD archive extraction of payload script
  • Remcos
    • Remove false-positive on version 1
    • Add identification of version 5.*
  • Akira Ransomware support
  • Burix support
  • GCleaner detection
  • Stealc support

Poseidon Loader

The loader component of Poseidon Stealer continues to see updates to the stealer decryption mechanism, including usage of Base64 (custom alphabet) + Subtraction + Hex-decode (as observed by researcher @MalGamy12) and Hex-decode + RC4 (as observed by researcher @osint_barbie).

While updating loader support, we observed a variant where the configuration is provided to the stealer at runtime; specifically, the C2 address, mission ID, username, and file path.

While we anticipate additional variants of the decoding/decryption applied to the stealer component, we have observed minimal changes in the underlying Poseidon Stealer aside from the external-configuration variant.
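The two Poseidon Loader decoding chains named above, as an added Python example that is not ACCE's own code: the custom alphabet, subtraction constant and RC4 key are constructed placeholders, since the real values differ per sample and must be recovered from the loader being analysed.

```python
import base64
import binascii

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed placeholders, not values from a real sample: the custom alphabet,
# subtraction constant and RC4 key differ per loader build and must be recovered
# from the binary being analysed.
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"
SUB_KEY = 0x23
RC4_KEY = b"placeholder-rc4-key"

def b64_custom_decode(data, alphabet):
    # Map the loader's alphabet back onto the standard one, then decode normally.
    return base64.b64decode(data.translate(str.maketrans(alphabet, STD_ALPHABET)))

def decode_b64_sub_hex(blob):
    # Variant 1: custom-alphabet Base64 -> per-byte subtraction -> hex-decode.
    stage1 = b64_custom_decode(blob, CUSTOM_ALPHABET)
    stage2 = bytes((b - SUB_KEY) & 0xFF for b in stage1)
    return binascii.unhexlify(stage2)

def rc4(key, data):
    # Plain RC4 (KSA then PRGA); symmetric, so it encrypts and decrypts alike.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_hex_rc4(blob):
    # Variant 2: hex-decode -> RC4.
    return rc4(RC4_KEY, binascii.unhexlify(blob))

def encode_b64_sub_hex(plain):
    # Forward chain, used only to build constructed samples for testing.
    stage2 = binascii.hexlify(plain)
    stage1 = bytes((b + SUB_KEY) & 0xFF for b in stage2)
    return base64.b64encode(stage1).decode().translate(
        str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))

def encode_hex_rc4(plain):
    # Forward chain for variant 2, again only for constructed samples.
    return binascii.hexlify(rc4(RC4_KEY, plain)).decode()
```

Both decoders return the recovered stealer blob as bytes; in a real extractor the placeholders would be replaced by values pulled from the loader's decryption routine.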

Amnesia Stealer

Researcher @suyog41 posted about a sample of Amnesia Stealer, which analysis indicates is a port of the open-source Blank Grabber. Most observed Amnesia Stealer execution sequences additionally included layers of BlankOBF.

During research, we observed a PyInstaller-based side-loader in which the embedded Python script runs a Rar-SFX executable, providing a password on the command line. While not always leveraged, this password was always “beznogym”, from which we derived the BeznoGym side-loader name. In addition to Amnesia Stealer payloads from the BeznoGym PyInstaller, we also observed Blank Grabber and Millenium RAT.
