This release consists of the following:
- BumbleBee Loader DGA variant
- Armillaria Loader, including Donut Shellcode variant
- ChuChuka Implant (CT-named malware)
- WHT Downloader (CT-named malware)
- Hasherezade’s open-source tools for Thread Name-Calling Injector and PE Loader
- ToneShell malware family variants/forks including v8, ToneDrop, and ToneDrive
- Gremlin Stealer: 1f397ce6af659a6c44e89b4f38edce82
- NodeDecrypter loader (CT-named malware)
- BatToExeConverter loader
- PWNP0NY ransomware
- BLX Stealer variant
- Prysmax Stealer variant written/compiled in Rust
- Veil Framework Meterpreter Reverse TCP and Batch script loader
Armillaria Loader
In early May a sample was uploaded to VirusTotal that was detected as BumbleBee malware. Analysis of the sample indicates it is a new loader, which we are calling Armillaria, that was observed loading BumbleBee, ChuChuka Implant, Lumma Stealer, Stealc Stealer, WHT Downloader, and some of threat researcher Hasherezade’s open-source tools.
Armillaria employs anti-analysis techniques including the use of junk code to inflate the size of the entry function, which was observed to prevent a decompiler from analyzing the function.
The loader also dynamically resolves APIs using a custom add-polynomial hashing algorithm, where:
- the polynomial varies per sample
- the string is converted to lower-case
- the first character is ignored
- the null-terminator is included
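To match hashes recovered from a sample back to export names, an analyst typically reimplements the routine and builds a name-to-hash lookup. The following is an added example, not code from the report or from the loader: it assumes a rolling polynomial form h = (h * poly + byte) mod 2^32, and the polynomial 0x1003F is a placeholder, since the report only states that the polynomial varies per sample.

```python
# Added example (not from the original report): a parameterised reimplementation
# of the API-name hash described above, for building a lookup table that maps
# hashes found in a sample back to export names.
# ASSUMPTION: the arithmetic is h = (h * poly + byte) mod 2**bits. The report says
# only "add-polynomial" with a per-sample polynomial, so this form and the example
# polynomial EXAMPLE_POLY are assumptions to be adjusted per sample.

EXAMPLE_POLY = 0x1003F  # placeholder; recover the real value from the sample


def armillaria_style_hash(name: str, poly: int = EXAMPLE_POLY, bits: int = 32) -> int:
    """Hash an export name the way the report describes:
    lower-case the string, ignore its first character, include the NUL terminator."""
    mask = (1 << bits) - 1
    data = name.lower().encode("ascii")[1:] + b"\x00"
    h = 0
    for byte in data:
        h = (h * poly + byte) & mask
    return h


def build_lookup(api_names, poly: int = EXAMPLE_POLY) -> dict:
    """Precompute hash -> canonical export name for a list of API names."""
    return {armillaria_style_hash(n, poly): n for n in api_names}


def resolve(hashes, lookup: dict) -> list:
    """Map hashes recovered from a sample to names; unknown hashes are flagged."""
    return [lookup.get(h, "<unknown>") for h in hashes]


if __name__ == "__main__":
    # Constructed sample export list; in practice feed every export of the
    # DLLs the loader is expected to resolve from.
    names = ["VirtualAlloc", "LoadLibraryA", "GetProcAddress", "CreateThread"]
    table = build_lookup(names)
    for h, n in sorted(table.items()):
        print(f"{h:08x} {n}")
    # Because the first character is dropped and the input is lower-cased,
    # names that differ only in case or in their first character collide.
    print(armillaria_style_hash("VirtualAlloc") == armillaria_style_hash("xirtualalloc"))
```

Because the first character is discarded, two export names that differ only there produce the same hash, so a resolved name should be checked against the DLL the loader actually imports from.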
As part of the loading sequence:
- Structures are created which contain information about two (2) buffers, the first including a decryption function and the first portion of the encrypted payload, and the second containing the second portion of the payload.
- Size and take-skip encoding parameters are masked in the structure, and the mask is different per buffer. This information is unmasked during runtime.
- If the flag for take-skip on a buffer is set, the buffer is first take-skip decoded before being combined with the other segment.
- The take-skip is updated each round using a set of arithmetic operations that vary per sample.
- After being combined, the data is decoded using a series of seeded arithmetic operations that vary per sample, where the seed is updated each round.
The initial payload is a Donut shellcode variant which uses Halo’s Gate to check whether Windows APIs are hooked, and whose configuration structure differs from the base repository and its various versions.
Samples:
- Armillaria + ChuChuka: 3d93291852845e315e1496e6f7929522
- Armillaria + Hasherezade + WHT: c39168d932bde399edf6e892a1fb7565
- Armillaria + Lumma: 2ffcf8e06a8db0c167610b1439295e98
- Armillaria + BumbleBee: 61e4062d260d0020e6164c274e94b1ba
ChuChuka Implant
One of the Armillaria payloads is an implant we are calling ChuChuka, based upon a screenshot directory name that is consistent across the five (5) samples we analyzed. ChuChuka has keylogger, screenshot, and stealer capabilities (targeting browsers, Coinomi, Exodus, and Electrum).
Network communications are RC4 encrypted, and in response to the initial packet the server is expected to return the RC4 key to complete the handshake. C2 commands were observed to contain at least the following:
| Command | Description |
|---|---|
| 8 | Reverse Shell |
| 49 | Download and run file |
| 81 | Terminate browsers (chrome.exe, msedge.exe, brave.exe, and firefox.exe) |
| 90 | Self-delete |
| 128 | Screenshot activity |
| 150 | Upload keylogger data |
| 199 | Upload screenshot data |
NodeDecrypter
Cyfirma published an article about BLX Stealer, an open-source stealer written in Python that we observed to be a variant of the open-source CStealer. We determined that the initial components reported by Cyfirma, both named Node.exe, were compiled using Node.js and contain three (3) hex-encoded buffers. The first two (2) are an AES-CBC key and IV, while the last is the encrypted PyInstaller binary.
During research we identified ~50 samples of this loader and have named it NodeDecrypter. Payloads included BLX as initially reported, ZeroTrace Stealer, PWNP0NY ransomware (a simple Python ransomware which “encrypts” files using a simple XOR encoding), a Prysmax Stealer variant written in Rust, BatToExeConverter-compiled BLX downloader batch scripts, BLX downloader binaries, and a different variant of BLX Stealer delivered in both PyInstaller and Nuitka-compiled formats which may be related to Pentagon Stealer.
- NodeDecrypter + ZeroTrace: 0fa75e640b4ae09ca2a1e07dbf83cdf3
- NodeDecrypter + BLX (CStealer): 3c12072ed35de08307be4815fbaefe66
- NodeDecrypter + BLX (Nuitka): 55d5aea7bc3d0cf16a6439d379545f8c
- NodeDecrypter + BLX (PyInstaller): 7dfc3d02a61b2dc685eb41fb0ab7d621
- NodeDecrypter + BLX Downloader: 3faa3a39243bea93c3681ca52243513e
- NodeDecrypter + BatToExeConverter + BLX Downloader: 107caaf2ae8272b3b42925c671ea6286
- NodeDecrypter + PWNP0NY: 139ccfad7bdf37824fc98ebb229f3c2d
- NodeDecrypter + Prysmax (Rust): 9d6226317cdf56b03d15c954d772130d