ACCE Release Notes v1.8.20230105

Happy New Year! Please find our first release notes of the year below, with much more to come in 2023!

As a reminder, you can create an account on our Research ACCE instance to view the examples provided in the links.

Release Notes

This release consists of the following:

  • Added support for AcridRain Stealer
  • Added support for LowZero malware
  • Added support for Snow loader
  • Added support for AESRT ransomware
  • Added support for Vohuk ransomware
  • Continued kordesii conversions to dragodis/rugosa

AcridRain Stealer

SEKOIA.IO recently tweeted about an updated version of the AcridRain stealer being “advertised by SheldIO on underground forums and sold for $300 a month”.

AcridRain employs a commonly observed technique: its strings are constructed on the stack and XOR decrypted at runtime. Support was added to report the configured C2 socket address and the targeted filenames (which contain wildcards).
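As an added illustration of that technique (this is not ACCE or AcridRain code): the script below rebuilds a string from the immediate writes a function makes to its stack frame, XOR decrypts it, and, for the case where the key is not obvious from the disassembly, brute-forces a single-byte key. The stack offsets, immediates and the key 0x37 are constructed for the example, and the decoded values (a host:port socket address and a wildcard filename pattern) are stand-ins, not AcridRain's real configuration.

```python
"""Added example (not ACCE or AcridRain code): rebuild a string that a function
constructs on its stack frame with immediate writes, then XOR decrypt it.
The stack offsets, immediates and single-byte key below are constructed."""

# Constructed "disassembly": (stack offset from frame pointer, width in bytes, immediate),
# i.e. mov [ebp-20h], 19050E06h ; mov byte ptr [ebp-0Ch], 43h ; ...
# Listed out of address order on purpose, as compilers frequently emit them.
C2_WRITES = [
    (-0x18, 4, 0x030D0706),
    (-0x20, 4, 0x19050E06),
    (-0x14, 4, 0x37370403),
    (-0x1C, 4, 0x19051907),
]
FILENAME_WRITES = [
    (-0x0C, 1, 0x43),
    (-0x10, 4, 0x4F43191D),
    (-0x0B, 2, 0x3737),
]
XOR_KEY = 0x37  # assumed single-byte key (e.g. taken from an `xor byte ptr [...], 37h` loop)


def assemble_stack_buffer(writes):
    """Lay the immediates out in memory order; each value is stored little-endian."""
    lo = min(off for off, _, _ in writes)
    hi = max(off + size for off, size, _ in writes)
    buf = bytearray(hi - lo)
    for off, size, value in writes:
        buf[off - lo:off - lo + size] = value.to_bytes(size, "little")
    return bytes(buf)


def xor_decrypt(buf, key):
    return bytes(b ^ key for b in buf)


def c_string(buf):
    """Return the bytes up to the first NUL terminator (what the malware actually uses)."""
    return buf.split(b"\x00", 1)[0]


def decode_stack_string(writes, key):
    return c_string(xor_decrypt(assemble_stack_buffer(writes), key)).decode("ascii")


PRINTABLE = set(range(0x20, 0x7F))


def recover_key(buf):
    """Heuristic for when the key is not obvious from the code: try every single-byte
    key and keep the one yielding the longest non-empty, NUL-terminated, fully
    printable ASCII string. Returns None when no key qualifies."""
    best = None
    for key in range(256):
        plain = xor_decrypt(buf, key)
        if b"\x00" not in plain:
            continue
        s = c_string(plain)
        if s and all(c in PRINTABLE for c in s) and (best is None or len(s) > len(best[1])):
            best = (key, s)
    return None if best is None else best[0]


if __name__ == "__main__":
    for name, writes in (("c2", C2_WRITES), ("target", FILENAME_WRITES)):
        raw = assemble_stack_buffer(writes)
        print(name, decode_stack_string(writes, XOR_KEY), "recovered key:", hex(recover_key(raw)))
```

The brute-force heuristic is deliberately conservative: a key is only accepted if the decrypted buffer is NUL-terminated and printable up to that terminator, and the longest such result wins, which is enough to separate the real key from short accidental matches on buffers like these.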

Example for AcridRain:

LowZero

Recorded Future has reported on likely TA413 activity, including the custom LowZero backdoor being deployed via Royal Road weaponized documents.

The Royal Road weaponized document decrypts and executes a LowZero loader component that LZF decompresses, XOR decrypts and loads an injector component – which subsequently runs the LowZero backdoor. Support was added to extract these components and report the LowZero configuration described in the referenced Recorded Future article.
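The decompress-then-decrypt step in that chain, as an added example (not ACCE or LowZero code): a self-contained decoder for the liblzf stream format, followed by a repeating-key XOR. The embedded blob, the 4-byte key and the 26-byte payload it unpacks to are constructed stand-ins, and the key length is an assumption; the page gives no LowZero specifics beyond the algorithm names.

```python
"""Added example (not ACCE or LowZero code): LZF decompress, then XOR decrypt,
as the LowZero loader is described as doing. Blob, key and payload are constructed."""
import itertools


def lzf_decompress(data: bytes, max_out: int = 1 << 20) -> bytes:
    """Decode the liblzf stream format: a control byte below 32 starts a literal run of
    ctrl+1 bytes; otherwise it is a back-reference of (ctrl >> 5) + 2 bytes (plus an
    extension byte when the 3-bit length field is 7) at offset ((ctrl & 0x1f) << 8 | next)
    counted back from the end of the output."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        ctrl = data[i]
        i += 1
        if ctrl < 32:
            run = ctrl + 1
            if i + run > n:
                raise ValueError("truncated literal run")
            out += data[i:i + run]
            i += run
        else:
            length = ctrl >> 5
            if length == 7:
                if i >= n:
                    raise ValueError("truncated length extension")
                length += data[i]
                i += 1
            if i >= n:
                raise ValueError("truncated back-reference")
            offset = ((ctrl & 0x1F) << 8) | data[i]
            i += 1
            ref = len(out) - offset - 1
            if ref < 0:
                raise ValueError("back-reference before start of output")
            # Byte-by-byte copy so overlapping references (run-length style) expand correctly.
            for _ in range(length + 2):
                out.append(out[ref])
                ref += 1
        if len(out) > max_out:
            raise ValueError("output exceeds limit")
    return bytes(out)


def xor_decrypt(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the key length is an assumption for this example)."""
    return bytes(b ^ k for b, k in itertools.islice(zip(buf, itertools.cycle(key)), len(buf)))


# Constructed blob: LZF(payload XOR key). The payload is a 26-byte stand-in for the
# injector component, not a real LowZero artifact.
EMBEDDED_BLOB = bytes.fromhex("035d6d641ec003033c617503e0010b")
XOR_KEY = bytes.fromhex("11223344")  # assumed 4-byte repeating key


def unpack_stage(blob: bytes, key: bytes) -> bytes:
    """Mirror the loader's order: decompress first, then decrypt."""
    return xor_decrypt(lzf_decompress(blob), key)


if __name__ == "__main__":
    print(unpack_stage(EMBEDDED_BLOB, XOR_KEY))
```

The bounds checks on truncated runs and on back-references that point before the start of the output are the ones a config extractor needs when it is pointed at a carved or partially overwritten blob; liblzf's own decoder is written in C and relies on the caller for those guarantees.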

Example for LowZero:

Snow Loader

While researching new reporting for IcedID, we analyzed a delivery mechanism leveraging MSI installers. The installers use a CustomAction to ultimately drop and execute an additional binary embedded in the MSI installer, which is named calc (MD5: eaf85e9f10d0e3079484391d29307ae9) in the linked instance.

calc is a loader that decrypts and executes IcedID in memory. Analysis of the loader revealed similarities to Hexa, including its use of an XOR-sub decryption algorithm and QuickLZ decompression; after speaking with our friends at IBM, we will refer to this loader as Snow. Support was added to extract embedded components from the Snow loader.

Example for Snow:

AESRT and Vohuk Ransomware

In one of their Ransomware Roundups, Fortinet detailed a new ransomware family, AESRT, and a new variant of Vohuk ransomware.

AESRT encrypts files on disk with AES-CBC, using a key and IV derived from a hard-coded password, as described by Lab52. AESRT also provides an email address to contact for paying the ransom and obtaining the key (ransom password) that unlocks the victim's files; interestingly, that ransom password is stored in plaintext in the AESRT binary. The AESRT module reports the AES-CBC file encryption parameters, the ransom password, and the contact email address.

Example for AESRT:

Vohuk writes a ransom note to disk, which includes its version number, contact email addresses, and a unique ID the victim is told to include in the email. The Vohuk module reports all of this information, including the ransom note filename, and outputs the ransom note.

Example for Vohuk:

Dragodis Conversions

The following is a list of conversions in this release to leverage the Dragodis framework, rugosa library, and currently supported disassembler(s) (IDA and/or Ghidra):

  • Denis (IDA/Ghidra)
  • dneSpy (IDA)
  • ELECTRICFISH (IDA)
  • Evora (IDA)
  • FunnyDream.Backdoor (IDA)
  • FunnyDream.TcpTransfer (IDA)
  • FunnyDream.MD_Client (IDA)
  • joanap (IDA)
  • Kobalos (IDA/Ghidra)
  • LookBack (IDA)
  • Matanbuchus (IDA/Ghidra)
  • Mikroceen (IDA/Ghidra)
  • Mirai (IDA)
  • ncc (IDA)
  • Neshta (IDA/Ghidra)
  • NimzaLoader (IDA/Ghidra)
  • OceanLotus.Downloader (IDA)
  • OceanLotus.Dropper (IDA)
  • OceanLotus.Shellcode (IDA)
  • Okrum (IDA)