This release consists of the following:
- Exos Stealer, a derivative of 44 Caliber Stealer
- Vega Stealer, a derivative of Reborn Stealer
- Odin Stealer, named based upon internal strings
- Crystal Stealer (Rage Variant)
- AutoColor Backdoor
- Squidoor Backdoor
- wdsToShellcode Loader
- Loader + Squidoor: 0054fd52962e55348f16cccaa6c12902
- RustySpy Stealer
- SnowLight Downloader
- Clean Crypter variant
- VenomRAT variant with Clipper capabilities
- SmokeLoader variant which uses a 4-byte key for function decryption
- 64-bit Stealc variant
- Violet Stealer, named based on its .NET assembly name
- ZeroTrace Stealer, named based on its .NET namespaces
- ObfaBot malware (CT-named malware)
- ArrowRAT malware
- Millenium RAT variant
- Recategorize Lemon Clipper as Shinobu Clipper
Clean Crypter
Since we originally labelled Clean Crypter, we have observed a shift from using XOR/ADD/SUB decoding for the embedded component to using the RC4 cipher. When analyzing Lumma samples reported by KrakenLabs, we observed that two of the samples were crypted using a new Clean RC4 variant. In the new variant, the payload is stored in an encrypted PE section that is commonly observed as “.cSs”.
During our investigation we identified more than 1500 Clean Crypter samples, with 87% of the payloads being Lumma Crypter, but also including Agent Tesla, Amadey Stealer, ArrowRAT, BlueStealer, DarkCloud Stealer, DarkCrystalRAT, DcRat, Millenium RAT, njRAT, ObfaBot, Poverty Stealer, QuasarRAT Stealer, RedLine Stealer, Rhadamanthys, SectopRAT, Shinobu Clipper, SilentCryptoMiner, SmokeLoader, Stealc, StormKitty Stealer, VenomRAT, Vidar Stealer, Violet Stealer, Xeno RAT, XWorm RAT, and ZeroTrace Stealer.
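As an added illustration of the analysis step described above (this is example code written for this note, not tooling from the release or from the Clean Crypter author), the script below locates a ".cSs" section in a PE image, RC4-decrypts it with a supplied key, and accepts the result only if it begins with an MZ header. The key, the constructed carrier and the inner payload are assumptions for the demo; a real sample carries its own key, which the page does not describe.

```python
import struct

SECTION_NAME = b".cSs"   # section name the page reports for the new Clean RC4 variant
DEMO_KEY = b"demo-key"   # constructed key for this example; real samples carry their own

def rc4(key, data):
    # Textbook RC4: key-scheduling algorithm, then keystream XOR.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def section_raw_data(pe, name):
    # Walk the COFF section table and return the raw bytes of the named section, or None.
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        if hdr[:8].rstrip(b"\0") == name:
            _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
            return pe[raw_ptr:raw_ptr + raw_size]
    return None

def recover_payload(pe, key):
    # Decrypt .cSs with the key and accept the result only if it starts with an MZ header.
    blob = section_raw_data(pe, SECTION_NAME)
    plain = rc4(key, blob) if blob else b""
    return plain if plain[:2] == b"MZ" else None

def build_sample(payload, key):
    # Constructed carrier (not a real sample): minimal MZ/PE headers plus one .cSs section.
    enc = rc4(key, payload)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, no optional header
    raw_ptr = len(dos) + len(coff) + 40                                   # section data follows the table
    sec = SECTION_NAME.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(enc), 0x1000, len(enc), raw_ptr, 0, 0, 0, 0, 0)
    return dos + coff + sec + enc
```

The MZ check on the decrypted bytes is what separates a correct key from a wrong one in practice; a section that decrypts to anything else should be treated as a different variant or a different key.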
- Clean + VenomRAT: 4f1b02a7415709b8ad6d2a80b5d00b82
- Clean + ObfaBot: 829f89d580f16f767a7771f59232caa3
- Clean + Millenium RAT: 021b988e343eb44a535f55578a81138d
- Clean + ZeroTrace: d9fddc1812cdbaf8197b0bbdd7d4f889
- Clean + ArrowRAT: d0a46c02106cfd775695f53de6a3ab66
- Clean + Lumma: 4c93abf5bc698eda053389652431c7ee
- Clean + Shinobu and Lumma: 0f64a529c5fe326c57acdb984495192c
- Clean + SmokeLoader: 941e2a9b159910cde6c3738fa90657dd
- Clean + Violet: cd23af28fe42d88725e40cc58897eaef
- Clean + Stealc: edbab6a40feae07c324847e3365bcdc1