This release consists of the following:
- SvcStealer malware
- Optimal Dropper (CT-named malware)
- KINS Dropper
- Diamotrix Clipper
- Fevur Loader (CT-named malware)
- MuddyRust Installer (CT-named malware)
- TinyNuke Bot and Injector
- CyberLock Ransomware
- PS2EXE + CyberLock: 2d9bed0a9ee3e6384a1d2d195859a5c7
- Clematis Loader
- Arc Stealer
- Clematis + Arc: f9f00b186a3d78c55e4bdd92f24fa943
- binomo ScreenLocker
- Clematis + binomo: 129201e5d1a9509daa8e5ece2f29e458
- DJSpace Downloader (CT-named malware)
- Clematis + DJSpace: fb0bbc5dd97ee382a8bb492fcc976f7b
- IATKey Keylogger (CT-named malware)
- Clematis + IATKey: fbd3b75110db3a5afc4c5f5b60cebffd
- MemoryModulePP Downloader
- Clematis + MemoryModulePP: 862f646fc05257b7f71470bc7ccd8558
- MetaSploit Loader
- Clematis + MetaSploit: 4ad52425c3ea150aeec72bca740631b4
- tryharder Downloader
- Clematis + tryharder: 2f3a5013e676d4ba67cee1b86de24988
SvcStealer Research
Optimal Dropper
While adding support for SvcStealer, we identified that the sample in a post from threat researcher Jane_0sint was a dropper containing SvcStealer and additional payloads. Optimal Dropper, named for the InternalName found in the file metadata of some samples, embeds multiple plaintext (unencrypted) payloads, which it writes to disk and executes. Payloads included: SvcStealer, Diamotrix Clipper, modified versions of KINS Dropper and TinyNuke, RedLine Stealer, Amadey Stealer, DcRat implant, Lumma Stealer, QuasarRAT stealer, Kitsune RAT, VenomRAT, Violet Stealer, newly observed malware we are calling MuddyRust Installer and Fevur Loader, and numerous hack tools.
- Optimal + SvcStealer + Diamotrix + KINS + TinyNuke: b7467bfb329210d69e5dc27ff11c59ef
MuddyRust
MuddyRust is a Rust-compiled installer, which we named after the “muddy_internal” class observed in non-stripped samples. MuddyRust contains an XOR-encoded component, decoded with a 32-byte key, and decrypts its strings with the ChaCha20-Poly1305 algorithm. In some samples, the ChaCha20 key was itself XOR-encoded.
MuddyRust establishes persistence using a scheduled task and checks the compromised system for analysis tools, including dnspy.exe, immunitydebugger.exe and pe-sieve32.exe, among others.
- MuddyRust + RedLine: 466c29184afcb67c12e49a5fea592c1a
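The following is an added analyst-side example for the MuddyRust encoding layers described above; it is not MuddyRust code and not part of the original post. It assumes (as labelled in the comments) that the embedded component is a PE whose DOS header begins with the common MSVC linker stub, that the component is XOR-encoded with a repeating 32-byte key, and that the outer XOR layer on the ChaCha20 key is also a repeating-key XOR. Under those assumptions the 32-byte key can be recovered by known-plaintext XOR against the first 32 header bytes, the decoded blob can be sanity-checked as a PE, and the XOR wrapper around the ChaCha20 key can be stripped.

```python
# Added example (not MuddyRust's code, not from the original post).
# Assumptions: repeating 32-byte XOR key; embedded component is a PE with
# the typical MSVC DOS stub; the ChaCha20 key's outer layer is repeating XOR.

# First 32 bytes of the DOS header emitted by typical MSVC-built PEs
# (MZ, e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8, e_lfarlc=0x40).
MZ_STUB_32 = bytes.fromhex(
    "4d5a900003000000" "04000000ffff0000"
    "b800000000000000" "4000000000000000"
)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: the same call encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(encoded: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext key recovery: when the key is exactly as long as the known
    prefix, ciphertext XOR plaintext over that prefix yields the whole key."""
    if len(encoded) < len(known_plaintext):
        raise ValueError("encoded blob shorter than the known prefix")
    return xor_repeat(encoded[: len(known_plaintext)], known_plaintext)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: MZ magic and a PE\\0\\0 signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew : e_lfanew + 4] == b"PE\x00\x00"


def decode_component(encoded: bytes, key: bytes) -> bytes:
    """Decode the embedded component and refuse to return garbage if the key is wrong."""
    decoded = xor_repeat(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded blob is not a PE: wrong key or a different encoding")
    return decoded


def unwrap_chacha_key(encoded_key: bytes, outer_xor_key: bytes) -> bytes:
    """Strip the outer XOR layer from a ChaCha20 key; ChaCha20 keys are exactly 32 bytes."""
    key = xor_repeat(encoded_key, outer_xor_key)
    if len(key) != 32:
        raise ValueError("ChaCha20 key must be 32 bytes")
    return key


def build_sample() -> tuple:
    """Constructed sample (not a real MuddyRust blob): a minimal PE-shaped buffer
    encoded with a constructed 32-byte key. Returns (plain, key, encoded)."""
    pe = bytearray(MZ_STUB_32)
    pe += b"\x00" * 28                      # rest of the DOS header up to e_lfanew
    pe += (0x40).to_bytes(4, "little")      # e_lfanew -> PE signature right after the header
    pe += b"PE\x00\x00"
    pe += b"\x00" * 60 + b"constructed payload body"
    xor_key = bytes(range(0x10, 0x30))      # constructed 32-byte key
    return bytes(pe), xor_key, xor_repeat(bytes(pe), xor_key)


if __name__ == "__main__":
    plain, xor_key, encoded = build_sample()
    key = recover_xor_key(encoded, MZ_STUB_32)
    print("recovered key matches:", key == xor_key)
    print("component decodes to a PE:", looks_like_pe(decode_component(encoded, key)))
```

Once the ChaCha20 key is unwrapped, the string table can be decrypted with any ChaCha20-Poly1305 implementation (for example `ChaCha20Poly1305` from the `cryptography` package), provided the nonce and any associated data are also located in the sample; the known-plaintext trick only works when the first bytes of the component are predictable, so if the decoded blob fails the PE check the assumption about the DOS stub, not the code, is what to revisit.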
Fevur Loader
Fevur Loader contains an RC4-encrypted component, which it injects into a newly created, suspended process instance of its own module file. Fevur Loader resolves APIs dynamically: each API name string is base64- and XOR-decoded and then passed to the GetProcAddress API. Every payload in the small set of Fevur Loader samples we acquired was observed to be Lumma Stealer.
- Fevur + Lumma: 0bb5ff045230522d480ac207737ae039
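The following is an added analyst-side example for the Fevur Loader string and payload handling described above; it is not Fevur Loader code and not part of the original post. It assumes (as labelled in the comments) that API names are base64-decoded first and then XOR-decoded with a short repeating key, and that the RC4-encrypted component is a PE. The RC4 routine is the standard KSA/PRGA and is checked against a published test vector, the API-name decoder rejects non-printable output so a wrong key is noticed immediately, and `resolve_table` rebuilds the static list of imports an analyst would hand to detection engineering.

```python
# Added example (not Fevur Loader's code, not from the original post).
# Assumptions: API names are base64-decoded then XOR-decoded with a repeating
# key; the RC4-encrypted component is a PE. Sample data below is constructed.
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key (symmetric)."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_api_name(encoded: str, xor_key: bytes) -> str:
    """base64 -> XOR -> API name. Assumed layer order; a wrong key yields
    non-printable bytes, which is rejected rather than returned as garbage."""
    raw = base64.b64decode(encoded)
    name = xor_repeat(raw, xor_key)
    try:
        text = name.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded bytes are not ASCII: wrong key?") from exc
    if not text or not text.isprintable():
        raise ValueError("decoded name is not printable: wrong key?")
    return text


def encode_api_name(name: str, xor_key: bytes) -> str:
    """Inverse of decode_api_name; used here only to build the constructed sample."""
    return base64.b64encode(xor_repeat(name.encode("ascii"), xor_key)).decode("ascii")


def resolve_table(encoded_names, xor_key: bytes) -> dict:
    """Map every encoded string to its plaintext API name: the analyst's
    reconstructed import table for the sample."""
    return {enc: decode_api_name(enc, xor_key) for enc in encoded_names}


def decrypt_component(blob: bytes, rc4_key: bytes) -> bytes:
    """RC4-decrypt the embedded component and confirm it is a PE."""
    out = rc4(rc4_key, blob)
    if out[:2] != b"MZ":
        raise ValueError("decrypted component is not a PE: wrong RC4 key?")
    return out


# Constructed sample: an encoded API-name table and an RC4-wrapped stub.
SAMPLE_XOR_KEY = bytes([0x5A, 0x3C, 0x7E])
SAMPLE_RC4_KEY = b"constructed-rc4-key"
SAMPLE_NAMES = ["GetProcAddress", "LoadLibraryA", "CreateProcessW", "ResumeThread"]
SAMPLE_TABLE = [encode_api_name(n, SAMPLE_XOR_KEY) for n in SAMPLE_NAMES]
SAMPLE_COMPONENT = rc4(SAMPLE_RC4_KEY, b"MZ\x90\x00" + b"constructed component body")

if __name__ == "__main__":
    for enc, name in resolve_table(SAMPLE_TABLE, SAMPLE_XOR_KEY).items():
        print(f"{enc:<24} -> {name}")
    print(decrypt_component(SAMPLE_COMPONENT, SAMPLE_RC4_KEY)[:4])
```

The recovered names are the ones a behavioural rule should key on for this family (a new suspended instance of the loader's own image followed by writes into it); the decoder's printability check matters in practice because a repeating XOR key pulled from the wrong offset still produces bytes, just not an API name.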