ACCE Release Notes v2.0.20230327

Release Notes

This release consists of the following:

  • ScrubCrypt Crypter
  • EvilCoder’s XBinder, XWorm V2 and V3
  • Razor Crypter (TDES-ECB Variant)
  • RFDxNew Loader
  • BabylonRAT
  • OrcusRAT
  • Lemon Clipper
  • BlackBinder Dropper (Open-source)
  • Hiddenz’s loader and HVNC
  • PureCrypter Loader variants using a JSON configuration dictionary
  • DarkCrystal RAT

ScrubCrypt

Perception Point, Fortinet, and others have reported on a Crypter being sold on hacking forums, consisting of a batch script component and a .NET compiled component. Support was added and can be observed with sample 7d8a84813d06c036c7df72e36d152fac.

EvilCoder Malware

XWorm RAT, part of a corpus of tools being marketed by EvilCoder, was described over the summer by Cyble, specifically version 2.X. The Twitter user @suyog41 recently posted a hash for XWorm V3.1, which introduced the usage of Base64+AES-ECB encryption for configuration parameters (settings were in plaintext in version 2).

Subsequent research on XWorm, including associated Crypters like Razor described below, led to the identification of another tool in EvilCoder’s toolset, XBinder V2. XBinder contains gzip-compressed payloads in its .NET resources, and a list of “|” delimited configuration parameters for each embedded payload.

Razor Crypter

The initial hash posted by @suyog41 for XWorm v3.1, 96ab0ccc72c5c32440c82dd030656f8b, was a Crypter which TDES-ECB decrypted the XWorm payload from a .NET byte array leveraging a key derived from the MD5 hash of a utf-16 encoded seed value. While searching for other Crypter samples on VirusTotal, we came across the name “Razor” on a few of the samples. Razor is a Crypter that has been around for at least 9 years, as evidenced by this instructional YouTube video on how to use the Crypter.

We went back to VirusTotal to identify an array of builders for Razor Crypter and while most used their standard gzip compression for protection, a “Private” version leveraged Rijndael encryption using the same key derivation and component storage methodology as observed in sample 96ab0ccc72c5c32440c82dd030656f8b. Based on this information, we believe the Crypter is a Razor variant and are categorizing it as such.

A RetroHunt on VirusTotal led to the identification of more than 270 additional Razor Crypter samples, containing payloads for malware families including AsyncRAT, Chaos Ransomware, DarkComet, etc.

Also included were unsupported payloads, and support was specifically added for BabylonRAT, Hiddenz’s loader and HVNC, OrcusRAT, an open-source BlackBinder dropper, a clipper we are calling Lemon Clipper, and a loader we are calling RFDxNew.

Lemon is a basic CryptoCurrency clipper which we named after finding the same configured BTC address “1H8M6uYCSAquJuZjTjy33ruXs23hZy72E9” as a “donation” address in a cached version of the open-source ApexLegends Aimbot by user LemonServicee. The user is no longer on GitHub.

RFDxNew is a loader written in VisualBasic that contains a plaintext component in its overlay data. All of the samples we identified contain the string “F:\\RFD\\xNewCode\\xNewPro\\xT\\trjFN\\Project1.vbp”, and we named the loader based on a combination of “RFD” and “xNewCode”.

PureCrypter + DarkCrystal

While doing follow-on research for the PureCrypter loader, which was reported on by ZScaler in June 2022, we identified a variant which gzip decompressed a JSON formatted dictionary of configuration elements, with keys numbered “1” through “34”. Included in the configuration is an interval, injection process, mutex, filename, and embedded payload(s).

The sample we analyzed, 19ee73b1d586408486fb5034e68db1f8, loaded a DarkCrystal RAT implant. We added support for DarkCrystal RAT to report all basic configuration and plugins. While some vendors refer to DarkCrystal as DCRat, we are specifically not doing so to avoid confusion with the open-source C# DcRat, which we also support.

Posted in Uncategorized and tagged , .