ACCE Release Notes v2.8.20241104

This release consists of the following:

Added:

Updated:

  • Modify detection of BroomStick loader/backdoor in parsers
  • Clean Crypter RC4 variant (aka QuartzBegonia)
  • Vidar Stealer support
  • RisePro Loader support
  • RedLine Stealer detection

Crystal Stealer

In late September, researcher @suyog41 posted about Crystal Stealer, which is being sold through Telegram channels.

The hashes from the X post belong to a crypter we call UnderScored (observed as far back as 2021), named for the underscores used in the resource and assembly names of its underlying loader component. UnderScored decrypts a loader component from its resources with a custom stream cipher and then zlib-decompresses it. That .NET-compiled loader carries the next stage in plaintext in its own resources.

The next stage is itself a loader, which gzip-decompresses Crystal Stealer from its resources. Notably, it contains methods previously observed in EvilCoder's XBinder that are never called, so it may be a modified version of that binder.

Crystal Stealer is a .NET-compiled stealer built on the open-source AsyncRAT codebase; it specifically uses Telegram for exfiltration.

JPHP Compiled Archives

JPHP is an open-source "implementation for PHP which uses the Java VM." First observed in 2020 with IceRat, JPHP has been adopted by a growing number of threat actors, as evidenced by the D3Fack loader and ZaeCrypt downloader (linked above).

Last month we released CTJava to our customers, a pure Python library for processing Java ARchive (JAR) files. CTJava reads JAR archives and parses their class files for attributes, methods, and fields, processes the instructions within each method, provides light emulation, and supports the Allatori, BranchLock, and Zelix obfuscators.

This month we extended CTJava's capabilities to JPHP archives: it now processes the configuration and information files and parses every PHB module, including the embedded constants and the class files themselves.

For the D3Fack loader, this enables extraction and reporting of the event_srv variable, which holds the domain, in addition to the Base64-encoded download URLs embedded in the classes.

Interestingly, the IceRat, D3Fack loader, and ZaeCrypt downloader JPHP samples were all compiled with JPHP 0.9.0, even though the latest available version is 1.0.3.

DarkCrystalRAT

While adding support for the JPHP malware described above, we observed that the crypter researcher 0x1c described as QuartzBegonia is what we refer to as Clean Crypter, named for the PDB path seen in a number of samples, such as MD5 4b493ea278ff3f969d89dc1bfff0804a. We first observed Clean Crypter while researching Mystic Stealer in late 2023.

During research into this Clean Crypter variant, we identified 37 samples in total, dropping payloads that include Lumma, Vidar, RedLine, and Stealc stealers, RisePro loader, and a new DarkCrystalRAT variant.

Previous DarkCrystalRAT variants decoded their configuration with Base64 + gzip + string reverse + Base64. The new variant uses Base64 + AES-CBC, with the key derived by PBKDF2 at a non-standard 1024 iterations. The configuration is stored in three main blocks, all of which use the same salt for the AES-CBC parameter derivation. After Base64-decoding a block, its contents are laid out as follows:

Offset | Size (bytes)        | Usage
-------|---------------------|-----------------------
0      | 32                  | HMAC key
32     | 16                  | AES-CBC IV
48     | rest of the buffer  | AES-CBC encrypted data

Encrypted Data Format

Each configuration buffer JSON-decodes to a list of elements, whereas previous variants carried a defined dictionary of configuration entries. An exemplar of each buffer is provided below (formatted for readability), followed by a table defining the elements by index.

General Configuration (First Buffer)

[
    "bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF",
    "DCR_MUTEX-WEHfwOpbOUTnlxCjHfKA",
    "0",
    "",
    "",
    "5",
    "2",
    "WyIwIiwiIiwiNSJd",
    "WyIxIiwiV3lJaUxDSXB..."
]
Index | Value                          | Usage
------|--------------------------------|------
0     | bj0UKX3O1f...                  | Password for deriving the AES-CBC key for the Base URL configuration (second buffer)
1     | DCR_MUTEX-WEHfwOpbOUTnlxCjHfKA | Mutex
2     | 0                              | Enumeration for where installation information is written: 0 for registry, 1 for file system
3     | (empty)                        | Group name
4     | (empty)                        | Debug mode
5     | 5                              | Interval
6     | 2                              | Max runtime
7     | WyIwIiwiIiwiNSJd               | Base64-encoded list associated with installation (decodes to ["0","","5"])
8     | WyIxIiwiV3lJaUxDSXB...         | Base64-encoded dictionary, the full usage of which is undetermined at this time. Formatting looks similar to the PluginConfigs described by Cisco Talos.

Base Configuration Usage

Base URL Configuration (Second Buffer)

[
    "0",
    "XPkWC3v1QKzwU0J5dAKeTsPBsYp18q5mbMsCqw5G1NTNQgIkoqWSj2GpAinnN33kONVHHGPqEEnGZBvMQFMRTmCiGDCHIS37Ts8DKAchbqOfP9P8xbXIqlQlKxBEEHhv"
]
Index | Value            | Usage
------|------------------|------
0     | 0                | Enumeration for the type of URLs stored in the URL configuration: 0 for C2, 1 for dead drop
1     | XPkWC3v1QKzwU... | Password for deriving the AES-CBC key for the URL configuration

Base URL Configuration Usage

URL Configuration

The URL configuration is a list of URL and URL-path pairs (the URL is defanged here):

[
    [
        "hxxp[:]//005514cm.n9shteam1[.]top/",
        "pythontrack"
    ]
]

Plugins

Plugin information is stored in a three (3) element array such as the following (truncated for brevity):

string[] array = new string[] { "371840", "H4sIAAAAAAAEAAHvAB...", "H4sIAAAAAAAEADSbx3KDyhZF..."};
Index | Value                       | Usage
------|-----------------------------|------
0     | 371840                      | Seed used to XOR-decode the data at index 1 once it has been Base64-decoded and gzip-decompressed
1     | H4sIAAAAAAAEAAHvAB...       | XOR-encoded, gzip-compressed, and Base64-encoded plugin configuration
2     | H4sIAAAAAAAEADSbx3KDyhZF... | gzip-compressed and Base64-encoded list of plugins. Each entry in the list consists of two (2) elements: the first is a gzip-compressed and Base64-encoded plugin, and the second is formatted as a SHA1 hash whose usage is unknown.

Plugin Information
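The plugin list at index 2 (Base64 over gzip, each entry holding a Base64-over-gzip plugin next to a SHA1-formatted string) as an added example, not ACCE's code nor the sample's. Beyond what the table states, it tests the obvious hypothesis for the second element, whether it equals SHA1 of the decompressed plugin bytes, and reports the outcome per entry rather than assuming it. It also assumes the list is JSON, like the configuration buffers. The XOR step for index 1 is left out because the post does not describe how the seed becomes a keystream. The input is a constructed list with stand-in plugin bytes, not real .NET assemblies.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// unwrap reverses the "gzip compressed and Base64 encoded" wrapper used both for
// the plugin list and for each plugin inside it.
func unwrap(b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// Plugin is one decoded entry: the size of the plugin bytes, the SHA1-looking
// string stored beside them, and whether that string equals SHA1 of those bytes
// (a hypothesis this example checks; the post does not claim it).
type Plugin struct {
	Size      int
	Tag       string
	TagIsSHA1 bool
}

// decodePluginList takes index 2 of the three-element array. Treating the
// decompressed list as JSON is an assumption.
func decodePluginList(b64 string) ([]Plugin, error) {
	raw, err := unwrap(b64)
	if err != nil {
		return nil, err
	}
	var entries [][]string
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, err
	}
	out := make([]Plugin, 0, len(entries))
	for i, e := range entries {
		if len(e) != 2 {
			return nil, fmt.Errorf("entry %d: want 2 elements, got %d", i, len(e))
		}
		body, err := unwrap(e[0])
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		sum := sha1.Sum(body)
		out = append(out, Plugin{Size: len(body), Tag: e[1], TagIsSHA1: hex.EncodeToString(sum[:]) == strings.ToLower(e[1])})
	}
	return out, nil
}

// wrap is the inverse of unwrap; it exists only to build the constructed fixture.
func wrap(b []byte) string {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(b)
	zw.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// samplePluginList builds a two-entry list from stand-in plugin bytes (constructed,
// not real assemblies): the first tag is SHA1 of its plugin, the second is unrelated.
func samplePluginList() string {
	p1, p2 := []byte("MZ constructed plugin one"), []byte("MZ constructed plugin two")
	s1 := sha1.Sum(p1)
	entries := [][]string{{wrap(p1), hex.EncodeToString(s1[:])}, {wrap(p2), "0000000000000000000000000000000000000000"}}
	j, _ := json.Marshal(entries)
	return wrap(j)
}

func main() {
	plugins, err := decodePluginList(samplePluginList())
	if err != nil {
		panic(err)
	}
	for i, p := range plugins {
		fmt.Printf("plugin %d: %d bytes, tag %s, sha1 match=%v\n", i, p.Size, p.Tag, p.TagIsSHA1)
	}
}
```

Running the same check over a real sample's list is the quickest way to settle what the second element is: if it never matches SHA1 of the decompressed plugin, try the compressed bytes or the Base64 text before assuming it is something other than an integrity value.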

Once decoded and decompressed, the plugin configuration is a dictionary of entries that configure the embedded plugins (each observed plugin was obfuscated with SmartAssembly). The key for each plugin is a GUID that is referenced from within the plugin. For example, the message box plugin (further usage undetermined), MD5 1dcde09c6a8ce8f5179fb24d0c5a740d, uses the GUID "75400db8-4680-4af7-97bd-c8a76b65b9c4" and carried the following configuration, defined in the table below:

{
    "_0": "aaGghilqxrRBuGIJTcePrQqkMGVlYAWr",
    "_1": "Applocation Error",
    "_2": "The application was unable to start correctly (0xc000007b). Click OK to close the application.",
    "_3": "Error",
    "_4": "OK"
}

Key | Value                                                                                          | Usage
----|------------------------------------------------------------------------------------------------|------
_0  | aaGghilqxrRBuGIJTcePrQqkMGVlYAWr                                                               | Registry value
_1  | Applocation Error (sic)                                                                        | Message box caption
_2  | The application was unable to start correctly (0xc000007b). Click OK to close the application. | Message box text
_3  | Error                                                                                          | Message box icon
_4  | OK                                                                                             | Message box buttons

Message Box Plugin Configuration