As we continue to add support to ACCE, we want to provide transparency into how we are producing these modules. To that end, we are creating an open-source version of ACCE, called os_acce_parsers, which can be found on our GitHub. In addition to the initial Stealc module being provided, we plan to add additional modules moving forward.
This release consists of adding support for the following:
- XorStringsNET obfuscated variants of the following malware families:
  - Abaddon Downloader (called AbaddonDropper in the open-source project)
  - TelegramBot Grabber
- Mylobot Proxy and Downloader
- WillExec Crypter and Loader
- VagusRAT stealer
- Zebra Loader and Downloader
- Poverty Stealer
While reviewing the output for RoboSki Packer samples, we observed a set (MD5s 350f3f4b6f1f471560bfd559ccdfb525, dde9810cc1ae736d11264d73c62415be, and cd6bd79df2c325a965d59e9c9e26c36e) whose payloads ACCE did not identify, but which external vendors were identifying as Agent Tesla.
Analysis of the Agent Tesla payloads indicated usage of a string obfuscator we didn't recognize. @dr4k0nia tweeted about these payloads, indicating that the threat actors were leveraging the XorStringsNET obfuscator that @dr4k0nia authored.
Using VirusTotal, we were able to identify 160 additional samples of the XorStringsNET obfuscated Agent Tesla, and observed the following high-level differences from previous variants:
- An additional communications type flag, “4”, which indicates usage of a Discord webhook for exfiltration.
- Only the code for the configured communications type is present in the sample; the code paths for the unconfigured communications types have been removed.
Further research of the XorStringsNET obfuscator in the wild revealed usage in the malware families described above, including the open-source malware families Abaddon Downloader, DiscordRAT, Discord-TokenGrabber, and TelegramBot Grabber.
Examples of XorStringsNET obfuscated malware:
- AgentTesla (Discord Webhook): 9c51486116e97ca849b5daffa31edf30
- DcRat: a6ce3abe824a3a5f2f648545c7303320
- RedLine.Stealer: 1ced99705092e8a16e2ece0a49396861
- QuasarRAT: 2deea47e3773c419a14cb1555a66b199
- Abaddon Downloader: 5a1401a383ee5105ffb54b531796ac22
SEKOIA.IO recently published a two-part series about a new information stealer being advertised as Stealc.
Our analysis of the string encryption implemented in Stealc indicated it was using the same RC4 skip-key cipher we had recently observed in a Vidar Stealer variant. Support for Stealc includes string decryption and reporting of the C2 URL and URL paths.
An open-source version of our Stealc module can be found on our GitHub, as described above.
- Burix Packer Loading Stealc: 2ef3f7eaf7c729f7bb0367f9ce306d70
Mylobot and WillExec
Bitsight published information about Mylobot, which has been observed since 2017, including its proxy and downloader versions and the usage of a crypter and loader they named WillExec.
We added support to extract and dispatch the embedded payloads from the WillExec Crypter, and decrypt/report C2 socket addresses from the Mylobot components.
- WillExec Crypter loading Mylobot Proxy: 3c13ad79f88dd5db5a1b97c2507091d6
- WillExec Crypter loading Mylobot Downloader: 45afbc83695c33ec6382bec35835311d
VagusRAT Stealer is another entrant in the long line of C# stealers leveraging the open-source Quasar code base, and it appears to be built specifically on the DcRat code base. While there are configuration field differences from previous variants, the primary difference we observed in the configuration was XOR decryption of the password used to derive the AES-CBC string decryption key.
Support was added for the non-obfuscated version of VagusRAT while work is done to add support for the Confuser obfuscated variant.
- VagusRAT: 7ce22135f9a3eeaf1653101bbfe68272
After adding support in our last ACCE release for Colibri, we circled back around to the BitSight article to analyze additional hashes. We categorized around 20 of the samples as being the same loader, which we are calling Zebra. The initial Zebra loader uses a take-skip algorithm and XOR decryption to yield the next layer(s) of components, which include loader shellcode and payload(s).
All of the initial Zebra Take-Skip XOR loaders contained an additional Take-Skip XOR loader that loaded Colibri. Alongside Colibri, some samples were observed to load Vidar Stealer, Mars Stealer, Raccoon Stealer, a previously unidentified stealer we are calling Poverty (see below), or a Zebra loader variant which uses only XOR encryption on its payload.
Each Zebra XOR loader decrypts and launches a downloader component, which analysis indicates was likely written by the same author, and we will refer to it as Zebra Downloader.
The Zebra Downloader leverages an XOR algorithm for string decryption where the key is derived within the algorithm. By pivoting on this algorithm in VirusTotal, we were able to identify an additional Zebra loader variant that uses ADD decryption. Samples of the Zebra ADD loader were observed to load RedLine Password Stealer or Zebra Downloader.
- Zebra Take-Skip Loader: 56aba03a0320522704fb81bd636d7ab2
- Zebra ADD Loader: 15af997cf1b59b3cc69ae731db8cc1b5
As described in the Zebra section above, one of the payloads we observed was a previously unidentified stealer we are calling Poverty. We named it Poverty based upon the unique string “Poverty is the parent of crime.” we observed in the samples, which was leveraged as the szDataDescr (readable description of the data to be encrypted) parameter in a call to CryptProtectData.
Variants of the Poverty Stealer were observed to use a Domain Generation Algorithm (DGA) built on a variant of the ANSI C rand() generator which returns bits 0 through 14 of the generator state, as opposed to the standard bits 16 through 30, to generate up to 20 C2 domains.
In addition to the Zebra Take-Skip XOR Loader, research using VirusTotal identified Poverty Stealer samples wrapped by at least two other protectors: DarkTortilla Crypter and RecordBreaker Loader.
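To make the rand() difference concrete, the following is an added example (not code from the original post or from the os_acce_parsers project). It implements the example rand() from the ANSI C standard (multiplier 1103515245, increment 12345, output bits 16..30 of the state) beside the variant described above that outputs bits 0..14, and measures how quickly the low state bits of such an LCG cycle. The seed value and step counts are constructed for illustration; the page does not describe how Poverty turns generator output into domain labels, so that step is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiplier and increment of the example rand() in the ANSI C standard. */
#define LCG_A 1103515245u
#define LCG_C 12345u

typedef struct { uint32_t state; } lcg_t;

static void lcg_seed(lcg_t *g, uint32_t seed) { g->state = seed; }

/* One LCG step. Arithmetic wraps mod 2^32, so bit k of the new state
   depends only on bits 0..k of the old state. */
static uint32_t lcg_step(lcg_t *g) {
    g->state = g->state * LCG_A + LCG_C;
    return g->state;
}

/* Standard ANSI C example: (next / 65536) % 32768, i.e. state bits 16..30. */
int rand_standard(lcg_t *g) {
    return (int)((lcg_step(g) >> 16) & 0x7FFFu);
}

/* Variant described on the page: same LCG, output taken from state bits 0..14. */
int rand_low_bits(lcg_t *g) {
    return (int)(lcg_step(g) & 0x7FFFu);
}

/* n-th output (1-based) for a given seed; low_bits selects the variant.
   Convenient for comparing the two generators on the same seed. */
int rand_nth(uint32_t seed, int n, int low_bits) {
    lcg_t g;
    lcg_seed(&g, seed);
    int v = 0;
    for (int i = 0; i < n; i++)
        v = low_bits ? rand_low_bits(&g) : rand_standard(&g);
    return v;
}

/* Cycle length of the low k bits of the state (1 <= k <= 31), measured by
   stepping from state 0 until those bits return to 0. For this LCG the
   answer is 2^k, which is why bit 0 of the variant's output flips every step. */
uint32_t low_bits_cycle_length(int k) {
    uint32_t mask = (k >= 32) ? 0xFFFFFFFFu : ((1u << k) - 1u);
    lcg_t g;
    lcg_seed(&g, 0);
    uint32_t n = 0;
    do { lcg_step(&g); n++; } while ((g.state & mask) != 0);
    return n;
}

/* 1 if bit 0 of rand_low_bits() strictly alternates over `steps` outputs. */
int low_bit_alternates(uint32_t seed, int steps) {
    lcg_t g;
    lcg_seed(&g, seed);
    int prev = rand_low_bits(&g) & 1;
    for (int i = 1; i < steps; i++) {
        int cur = rand_low_bits(&g) & 1;
        if (cur == prev) return 0;
        prev = cur;
    }
    return 1;
}

int main(void) {
    lcg_t a, b;
    lcg_seed(&a, 1);   /* constructed seed for the demonstration */
    lcg_seed(&b, 1);
    printf("seed 1, standard (bits 16..30):");
    for (int i = 0; i < 5; i++) printf(" %d", rand_standard(&a));
    printf("\nseed 1, variant  (bits 0..14): ");
    for (int i = 0; i < 5; i++) printf(" %d", rand_low_bits(&b));
    printf("\n");
    for (int k = 1; k <= 15; k += 7)
        printf("low %2d state bits repeat every %u steps\n", k, low_bits_cycle_length(k));
    printf("bit 0 of variant output alternates over 1000 steps: %d\n",
           low_bit_alternates(1, 1000));
    return 0;
}
```

For the same seed the two generators produce completely unrelated output streams, so a DGA reimplementation that picks the wrong bit window will predict none of the real domains; checking the first few outputs against a known good value (seed 1 yields 16838 for the standard window) is a cheap sanity test. The low-bit window also inherits the short cycles of an LCG's low bits, which bounds how much variety the generated labels can have.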
- Poverty Stealer: 9075e493d3e7093dff6d933a22ba4a0e