With the recent wave of OneNote documents being used to deliver malware, as documented by Proofpoint, BleepingComputer, and others, we added support in ACCE to extract the malicious components embedded in OneNote files for further analysis. Tailored support for the extracted components will be an ongoing process.
In addition to the generic OneNote support, this release consists of the following:
- Added support for:
  - Royal Ransomware
  - Collector Stealer (also known as CollectorGoomba)
  - Rhadamanthys components (Loader, Shellcode Loader, Downloader)
  - Argyle Crypter
  - Laplas Clipper C++ and GoLang variants
  - Colibri Implant
  - YouTubeBot components (Crypter and Stealer)
- Updated support for:
  - Snow Loader
  - Lumma Stealer
Cybereason reported on the Royal Ransomware group emerging in 2022, describing a Windows version of the ransomware. Then in early February, @BushidoToken tweeted about a Linux variant of the same ransomware being observed in the wild. We added support for both the Windows and Linux variants to report the RSA public key, the ransom note, and the URL contained in the ransom note.
- Royal Ransomware (Windows): 58997b926632f4f1e1aa9697b40447ac
- Royal Ransomware (Linux): 2902e12f00a185471b619233ee8631f3
VMRay posted analysis on Collector Stealer, which they refer to as CollectorGoomba, including how the malware attempts to leverage a dead-drop resolver to obtain its c2 address before using a hard-coded c2. We added support to report decrypted strings, the dead-drop resolver URL, the default c2 address, and a version number.
- Collector Stealer: 3c664ce93398fd0fe4635b709351b0a4
Starting with analysis posted on Medium and by @crep1x on Twitter, our own analysis and research of Rhadamanthys led to the identification of four (4) different loader variants, differentiated by the mechanism each uses to decode/decrypt the embedded shellcode loader.
The initial loader variant used character replacement followed by Base32 decoding with a custom alphabet. A second variant added TEA-CBC decryption on top of that, using only two (2) rounds instead of the standard 32. A third variant used Base58 decoding with RC4 decryption, and the final variant used RC4 decryption alone.
The shellcode loader uses a custom LZSS implementation to decompress the downloader and maps the downloader into memory using custom headers.
The downloader RC4 decrypts the c2 URL from the initial loader component to perform its activity. Interestingly, across the 54 Rhadamanthys loaders we identified, there were only seven (7) unique downloaders, and the RC4 decryption key for the URL was the same across all seven.
- Rhadamanthys Loader (Base32): 89ec4405e9b2cab987f2e4f7e4b1666e
- Rhadamanthys Loader (Base32 + TEA): 227eb8918a067c8c06505e165d641fac
- Rhadamanthys Loader (Base58 + RC4): 10e64f1f518fc2047178ed1f368842b5
- Rhadamanthys Loader (RC4): 8df13d982fc2e55697e2b2c93d276b3b
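As an added example (not ACCE's code and not the Rhadamanthys loader's own), the following Python implements the four decode/decrypt chains described above as composable steps, and reuses the same RC4 routine that the downloader component applies to its c2 URL. Every parameter is an assumption chosen for the demo rather than a value from a real sample: the custom Base32 alphabet, the character replacement (`-` standing in for `=` padding), the TEA key and IV, the RC4 key, the Base58-then-RC4 order, and the 16-byte payload that stands in for the embedded shellcode loader. The encoders at the bottom exist only to construct that demo input so the chains can be run offline.

```python
import base64
import struct
STD_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
CUSTOM_B32 = "ZYXWVUTSRQPONMLKJIHGFEDCBA765432"  # assumed custom alphabet (demo value)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def b32_custom_decode(s: str) -> bytes:
    # Undo the character replacement (assumed: '-' written for '=' padding),
    # map the custom alphabet onto the standard one, then decode normally.
    s = s.replace("-", "=").translate(str.maketrans(CUSTOM_B32, STD_B32))
    return base64.b32decode(s)

def b58_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    return b"\0" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:  # keystream XOR; the same call encrypts and decrypts
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def _mix(v: int, k0: int, k1: int, s: int) -> int:
    return ((v << 4) + k0) ^ (v + s) ^ ((v >> 5) + k1)

def tea_block(v0: int, v1: int, k, rounds: int, encrypt: bool):
    # One 64-bit TEA block; `rounds` is the cycle count (32 is standard, the loader uses 2).
    if encrypt:
        s = 0
        for _ in range(rounds):
            s = (s + DELTA) & MASK
            v0 = (v0 + _mix(v1, k[0], k[1], s)) & MASK
            v1 = (v1 + _mix(v0, k[2], k[3], s)) & MASK
    else:
        s = (DELTA * rounds) & MASK
        for _ in range(rounds):
            v1 = (v1 - _mix(v0, k[2], k[3], s)) & MASK
            v0 = (v0 - _mix(v1, k[0], k[1], s)) & MASK
            s = (s - DELTA) & MASK
    return v0, v1

def tea_cbc(data: bytes, key: bytes, iv: bytes, rounds: int, encrypt: bool) -> bytes:
    # CBC over 8-byte blocks, little-endian words, no padding (len(data) % 8 == 0 assumed).
    k, prev, out = struct.unpack("<4I", key), iv, bytearray()
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        x = bytes(a ^ b for a, b in zip(blk, prev)) if encrypt else blk
        y = struct.pack("<2I", *tea_block(*struct.unpack("<2I", x), k, rounds, encrypt))
        out += y if encrypt else bytes(a ^ b for a, b in zip(y, prev))
        prev = y if encrypt else blk
    return bytes(out)

# The four chains keyed by variant name; the Base58-then-RC4 order is an assumption.
CHAINS = {
    "base32": lambda blob, key, iv: b32_custom_decode(blob.decode()),
    "base32_tea": lambda blob, key, iv: tea_cbc(b32_custom_decode(blob.decode()), key, iv, 2, False),
    "base58_rc4": lambda blob, key, iv: rc4(key, b58_decode(blob.decode())),
    "rc4": lambda blob, key, iv: rc4(key, blob),
}

def decode_loader_blob(variant: str, blob: bytes, key: bytes = b"", iv: bytes = b"\0" * 8) -> bytes:
    return CHAINS[variant](blob, key, iv)

# ---- constructed demo input standing in for an embedded shellcode loader (all values assumed) ----
SAMPLE = bytes.fromhex("fc4883e4f0e8c000") + b"demo-sc!"  # 16 bytes
TEA_KEY, IV, RC4_KEY = b"0123456789abcdef", b"\0" * 8, b"demo-rc4-key"

def b58_encode(b: bytes) -> str:
    n, s = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        s = B58[r] + s
    return "1" * (len(b) - len(b.lstrip(b"\0"))) + s

def b32_custom_encode(b: bytes) -> str:
    s = base64.b32encode(b).decode().translate(str.maketrans(STD_B32, CUSTOM_B32))
    return s.replace("=", "-")

def build_demo_blobs() -> dict:
    return {
        "base32": b32_custom_encode(SAMPLE).encode(),
        "base32_tea": b32_custom_encode(tea_cbc(SAMPLE, TEA_KEY, IV, 2, True)).encode(),
        "base58_rc4": b58_encode(rc4(RC4_KEY, SAMPLE)).encode(),
        "rc4": rc4(RC4_KEY, SAMPLE),
    }

def recover_all() -> dict:
    # Run every blob through its chain; each result should equal SAMPLE.
    keys = {"base32": b"", "base32_tea": TEA_KEY, "base58_rc4": RC4_KEY, "rc4": RC4_KEY}
    return {v: decode_loader_blob(v, blob, keys[v], IV) for v, blob in build_demo_blobs().items()}
```

The round count is the detail most likely to trip up a config extractor: a stock TEA routine hard-wired to 32 cycles will run cleanly on the second variant's data and return garbage, so the cycle count has to be a parameter, as it is in `tea_block`. The same `rc4()` call with the downloader's key recovers the c2 URL.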
One of the initial Rhadamanthys loaders we analyzed was packaged in a Crypter we had not previously observed. The Crypter locates its last PE section, which has a non-standard name, and RC4 decrypts it using the key b"ntdll.dll". Interestingly, the key is not stored as a string literal: it is obtained at run time by iterating the names of the imported libraries.
Using a VirusTotal RetroHunt led us to identify nearly 200 samples of the Crypter, which we’ve named Argyle based on one of the PE section names. In addition to Rhadamanthys, we observed the Argyle Crypter being used with Vidar Stealer, Laplas Clipper, Colibri, Lumma Stealer, RedLine Stealer, and YouTubeBot.
- Argyle Crypter (Rhadamanthys): 93cec9d367d574fc3120469d0340fb39
- Argyle Crypter (YouTubeBot): 0b5db4b01bda5954b23adf6eeb519974
The original versions of Laplas Clipper we observed were compiled in .NET, as reported by Cyble. After observing C++ compiled payloads during our Argyle Crypter research, we were able to identify them as Laplas based on reporting by Cisco Talos. Since a GoLang compiled version was built and distributed between the .NET and C++ versions, we added support for the GoLang variants while we built support for the C++ version.
For the Laplas C++ version, the module reports decrypted strings, a c2 URL, an API key, and CryptoCurrency addresses. For the Laplas GoLang version, a c2 URL, API key, and possibly a scheduled task name and filenames are reported.
Colibri is a Malware-as-a-Service (MaaS) advertised on cybercrime forums, as reported by BitSight. The module XOR decrypts and reports strings, in addition to the c2 address, version, and scheduled task settings, if available.
- Colibri Implant: ca119e4b2512b6ab12b7af248986bf9c
One of the Argyle Crypter payloads was compiled in .NET and appeared to be a Crypter itself. Analysis indicated it read the PE resource RT_ICON/1, which is a PNG image, and extracted data hidden in the pixel values (steganography) to yield an AES-CBC encrypted component. After decryption and research, including an article by Cyble, we identified the final payload as YouTubeBot.
Further research on the Crypter led to the identification of ConfuserEx obfuscated variants of both the Crypter and YouTubeBot stealer, but no other malware payloads. We are currently categorizing the Crypter as belonging to the YouTubeBot malware family.
The stealer module reports a c2 socket address, version, filepath, and scheduled task installation information.