This release consists of the following:
- Recategorized LoopAddTS as DarkWire Crypter and added support for Crypter and Shellcode variants
- Added support for Turian Backdoor
- Added support for reported Turla malware: KopiLuwak Reconnaissance tool and QuietCanary backdoor
- Added support for Silence Group malware: TrueBot and Teleport
- Continued kordesii conversions to dragodis/rugosa
We first identified DarkWire Crypter (formerly LoopAddTS and renamed after speaking with our friends at IBM) based upon some tweets about Ursnif by user @SethKingHi here and here. Later, when researching ZLoader, we discovered that some of the hashes in the ProofPoint article ZLoader Loads Again were in fact DarkWire Crypter variants containing ZLoader payloads.
When coming across the Crypter once again while researching the Teleport tool described by Cisco Talos (see below), we refactored our detection and support, enabling identification of an additional 5000 samples in VirusTotal in just the last three months.
The DarkWire Crypter is notable for its heavy obfuscation, and decrypts a shellcode loader using an Addition-based algorithm.
The DarkWire shellcode contains its own configuration, with options to leverage aPLib decompression and a take-skip algorithm after decrypting the payload using a XOR-based algorithm.
The following are examples of DarkWire Crypters containing varying payloads:
- DarkWire Crypter loading IcedID: 0766e51975d805b215523657cf8f5764
- DarkWire Crypter loading Ursnif: 0f7ffc91618c8682aa83173d9cc655d0
Palo Alto described updates to the Playful Taurus backdoor named Turian. We added support for the latest ELF and PE binary versions to extract the c2 socket address, proxy settings (if configured), and installation parameters (if configured).
The following are examples of Turian backdoors:
- Turian Backdoor (Windows): b54cbde68c020136ebd424fc3f33e4a7
- Turian Backdoor (Linux): 90ce1320bd999c17abdf8975c92b08f7
Mandiant reported on a recent Turla campaign which involved usage of a KopiLuwak reconnaissance tool variant and the QuietCanary backdoor.
For the KopiLuwak variant, we added support to extract the c2 URL, RC4 encryption key, a useragent, and executed commands used for reconnaissance. Example output for MD5 d8233448a3400c5677708a8500e3b2a0 can be seen here.
When executed, the QuietCanary backdoor creates an instance of an internal class HttpConnection, which takes the c2 URL, useragent, initial network key, and optional proxy settings as arguments. QuietCanary support reports those parameters and an interval value. Example output for MD5 5d6b920fd8f3b5a3a8c9dead25e3a255 can be seen here.
Silence Group Malware
As mentioned above, Cisco Talos posted about Silence Group malware including updates to TrueBot and a new tool they call Teleport, which we observed to be packed using DarkWire Crypter.
We added support for the varying TrueBot loaders referenced in the blog post and the downloader itself to report the c2 URL and a mutex. Example output for TrueBot loader MD5 4f3916e7714f2a32402c9d0b328a2c91 can be viewed here.
While performing further research, we identified 64-bit variants of the downloader, compiled as recently as 2023-01-18 (MD5: ee1ccb6a0e38bf95e44b73c3c46268c5), and a 64-bit loader variant which stores the downloader and a launcher component in its resources (MD5: e9b3ba7b4f37fe4a9804136801abb8b0).
As described by Cisco Talos, Teleport is a command-line tool named for a hard coded value in the binary, which is used as a seed to derive an AES encryption key. The parser for Teleport reports the derived key, as seen with the DarkWire packed sample MD5 a7fb7ec6b5454fca1cb8af7d0610771b.
- GoldenBird (IDA/Ghidra)
- PE Crypters (IDA/Ghidra)
- PLEAD (IDA)
- PoisonIvy (IDA)
- Ramsay (IDA)
- Reaver (IDA)
- REvil (IDA/Ghidra)
- RSA+RC4 Packer (IDA/Ghidra)
- RunningRat (IDA)
- Ryuk (IDA)
- scDownloader (IDA/Ghidra)
- ShadowHammer (IDA)
- ShellDll (IDA)
- SkinnyBoy (IDA)
- SLUB (IDA)
- SysJoker (IDA/Ghidra)
- Taidoor (IDA)
- Tallmess (IDA)
- Terra (IDA)
- ThiefQuest (IDA)
- Tiger (IDA)
- TrickBot (IDA)
- TSCookie (IDA)
- UnderScored (IDA)
- Ursnif (IDA/Ghidra)
- ViciousPanda (IDA)
- XOR.DDoS (IDA)
- YoreKey (IDA)
- yty (IDA)
- Zebrocy.Nim (IDA/Ghidra)
- ZeroCleare (IDA)