With recent updates to DC3-MWCP that enable recursive parsing driven by YARA matching, we updated the ACCE backend to support this workflow, prompting a major version increment to 2.0. This change will deliver better results by removing the hard-coded relationships between parser groupings: a parser no longer needs to name in advance which parser handles the components it extracts.
While the bulk of this release included changes related to recursion, malware support updates are as follows:
- Added support for TitanStealer malware
- Updated support for RecordBreaker loader variants
- Added support for Pch3lkin Miner
- Updated support for Vidar stealer variants
TitanStealer
@BushidoToken Threat Intel posted about detecting and fingerprinting MaaS platforms, including a malware family dubbed TitanStealer. We used Malware Bazaar to identify samples tagged as TitanStealer in order to begin researching the malware and adding support for it. Uptycs also recently published an article on TitanStealer using these same hashes.
TitanStealer is a Golang-compiled binary. Our research identified two (2) variants: one in which all strings are in plaintext, and a second in which each string is “trimmed” by removing its trailing character. For both variants, the module reports a C2 socket address and a version.
- TitanStealer: 01e2a830989de3a870e4a2dac876487a
- TitanStealer (Trim): 7f46e8449ca0e20bfd2b288ee6f4e0d1
RecordBreaker Loader Variants
While analyzing the files obtained from Malware Bazaar, we identified that some were crypters/loaders carrying shellcode and an embedded component. We decrypted the shellcode from these samples and scanned it with YARA, which identified it as RecordBreaker Injector Shellcode. Comparing the new loader variants to previously analyzed samples, we observed similar loading sequences and confirmed them to be RecordBreaker loaders.
NOTE: While in some sources RecordBreaker is synonymous with Raccoon Stealer 2.0, we refer to the loader as RecordBreaker and the stealer as Raccoon.
While one of the new variants uses standard XOR decryption as observed in the original samples, the other two use an XOR-based algorithm that takes a seed and performs additional manipulations during decryption to derive each XOR-key byte. These operations can be replicated to derive the resultant XOR key for both variants. However, in the newest samples only the first 4 bytes of the payload are encrypted, so for those samples we skip decryption altogether.
Pivoting on these RecordBreaker loader variants led to the identification of the Pch3lkin Miner and Vidar Stealer variants (see below). We also observed these variants loading RedLine Stealer.
- RecordBreaker Loader (XOR-Inline): 5e79869f7f8ba836896082645e7ea797
- RecordBreaker Loader (Partial-XOR): d61f393c8ab9111e57f6e89f6783eddc
- RecordBreaker Loader (XOR Derive Key): e7f46144892fe5bdef99bdf819d1b9a6
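As an added example (not ACCE or DC3-MWCP code), the following Python shows the three payload-handling cases named above side by side: plain repeating-key XOR, the partial variant where only the first 4 bytes are touched, and a seed-derived key. The sample payload, the key, and the seed are constructed, and derive_key_from_seed() is a hypothetical stand-in, since the actual per-sample derivation operations are not described here; it only shows where a recovered derivation routine would plug in.

```python
# Added example, not ACCE/DC3-MWCP code. Sample data below is constructed.
# derive_key_from_seed() is a HYPOTHETICAL stand-in for the real derivation.
from typing import Callable


def xor_inline(data: bytes, key: bytes) -> bytes:
    """XOR-Inline: plain repeating-key XOR over the whole payload."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_partial(data: bytes, key: bytes, encrypted_len: int = 4) -> bytes:
    """Partial-XOR: only the first `encrypted_len` bytes are encrypted; the
    remainder is already plaintext, which is why the bulk of the payload can be
    scanned (e.g. with YARA) without decrypting it at all."""
    return xor_inline(data[:encrypted_len], key) + data[encrypted_len:]


def derive_key_from_seed(seed: int, length: int) -> bytes:
    """HYPOTHETICAL: a 32-bit LCG stands in for the sample-specific operations,
    which are not documented on this page."""
    key = bytearray()
    state = seed & 0xFFFFFFFF
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        key.append((state >> 16) & 0xFF)
    return bytes(key)


def xor_derived(data: bytes, seed: int, key_len: int,
                derive: Callable[[int, int], bytes] = derive_key_from_seed) -> bytes:
    """XOR Derive Key: recover the XOR key from the seed, then decrypt."""
    return xor_inline(data, derive(seed, key_len))


def decrypt_payload(variant: str, data: bytes, **params) -> bytes:
    """Dispatch on the loader variant, as a parser would once YARA has
    identified which loader it is looking at."""
    if variant == "xor_inline":
        return xor_inline(data, params["key"])
    if variant == "partial_xor":
        return xor_partial(data, params["key"], params.get("encrypted_len", 4))
    if variant == "xor_derive_key":
        return xor_derived(data, params["seed"], params["key_len"])
    raise ValueError(f"unknown variant {variant!r}")


# Constructed sample payload and key; not real shellcode.
SAMPLE_PAYLOAD = b"\xfc\x48\x83\xe4\xf0" + b"RecordBreaker-test-shellcode"
SAMPLE_KEY = b"\x5a\xa5\x3c\xc3"
SAMPLE_SEED = 0x1337


def demo() -> dict:
    """Encrypt the sample under each scheme (XOR is symmetric), decrypt it
    back, and count how many ciphertext bytes the partial variant leaves
    identical to the plaintext."""
    enc_inline = xor_inline(SAMPLE_PAYLOAD, SAMPLE_KEY)
    enc_partial = xor_partial(SAMPLE_PAYLOAD, SAMPLE_KEY)
    enc_derived = xor_derived(SAMPLE_PAYLOAD, SAMPLE_SEED, key_len=8)
    untouched = sum(a == b for a, b in zip(enc_partial, SAMPLE_PAYLOAD))
    return {
        "inline_ok": decrypt_payload("xor_inline", enc_inline,
                                     key=SAMPLE_KEY) == SAMPLE_PAYLOAD,
        "partial_ok": decrypt_payload("partial_xor", enc_partial,
                                      key=SAMPLE_KEY) == SAMPLE_PAYLOAD,
        "derived_ok": decrypt_payload("xor_derive_key", enc_derived,
                                      seed=SAMPLE_SEED, key_len=8) == SAMPLE_PAYLOAD,
        "partial_untouched_bytes": untouched,
        "payload_len": len(SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The partial variant is the interesting one for a parser author: because everything after the first 4 bytes is already plaintext, identification rules can run on the ciphertext directly, which is the reason decryption can be skipped for those samples.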
Pch3lkin Miner
The Pch3lkin Miner is a .NET-compiled stealer which downloads additional components from GitHub and contains configured ETC and XMR wallet addresses. We named the Pch3lkin Miner after the PDB string in sample MD5 40868bf611f74f3abb13ae5daadf19b3: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb
In addition to a plaintext version, we identified some Pch3lkin Miners that were obfuscated using ConfuserEx. Support for both variants was added to report a mutex, URLs, directories, socket addresses, and cryptocurrency addresses.
- Pch3lkin Miner: 40868bf611f74f3abb13ae5daadf19b3
- Pch3lkin Miner (ConfuserEx Obfuscated): 1f3ab205b5e5292a5c8a4da8562105b2
Vidar Stealer Variants
Vidar is a stealer that has been observed since 2018. Our RecordBreaker loader research revealed a variant in which the configuration is in plaintext (recent variants used XOR encryption) and which uses a custom RC4 implementation with a “skip-key” feature in the cipher.
- RecordBreaker Loader loading Vidar Stealer: 21bec83da3a652eb300bc9eda8cc440b
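As an added example (not ACCE or DC3-MWCP code), the Python below gives a stock RC4 implementation, the baseline a reverser diffs a suspected custom variant against, together with the plaintext-first check that the variant described above calls for. The “skip-key” modification in the Vidar samples is not described on this page, so it is deliberately not implemented: rc4() is the unmodified cipher, verified against published RC4 test vectors. The config string, key, and the function names looks_plaintext() and recover_config() are constructed for the example.

```python
# Added example, not ACCE/DC3-MWCP code. Stock RC4 only; the custom "skip-key"
# behaviour is not documented here and is NOT reproduced. Sample data is constructed.
import string


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm of unmodified RC4."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, length: int) -> bytes:
    """Pseudo-random generation algorithm: `length` keystream bytes from state S.
    Custom variants usually diverge here or in the KSA; compare a sample's
    decompiled loop against this reference line by line."""
    S = S[:]  # do not mutate the caller's state
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric)."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


_PRINTABLE = frozenset(string.printable.encode())


def looks_plaintext(blob: bytes, threshold: float = 0.95) -> bool:
    """True when nearly every byte is printable ASCII: the plaintext-config case."""
    if not blob:
        return False
    return sum(b in _PRINTABLE for b in blob) / len(blob) >= threshold


def recover_config(blob: bytes, key: bytes) -> tuple:
    """Return (variant, config_text). A blob that already reads as text is
    returned as-is; otherwise it is RC4-decrypted with the supplied key."""
    if looks_plaintext(blob):
        return "plaintext", blob.decode("ascii", errors="replace")
    return "rc4", rc4(key, blob).decode("ascii", errors="replace")


# Constructed sample config and key (TEST-NET address); not from a real sample.
SAMPLE_CONFIG = b"1,1,1,0,0,0;http://198.51.100.10/;profile=42;build=example"
SAMPLE_KEY = b"example-key"
SAMPLE_ENCRYPTED = rc4(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    print(recover_config(SAMPLE_CONFIG, SAMPLE_KEY))
    print(recover_config(SAMPLE_ENCRYPTED, SAMPLE_KEY))
```

Keeping the KSA and PRGA as separate functions is what makes the reference useful: when a sample's cipher output does not match, swapping in only the suspect stage isolates which part the author modified.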