ACCE Release Notes v2.0.20230406

Release Notes

This release consists of the following:

  • ToxicEye RAT
  • WhiteSnake Stealer
  • Eternity Stealer and Ransomware
  • Jaca Downloader (Part of Jaca Framework)
  • Raven RAT
  • SomniRecord Backdoor
  • HiatusRAT
  • SysUpdate malware, including Shikata Ga Nai customization

ToxicEye RAT

ToxicEye is a .NET compiled RAT which has been reported on since 2021, and uses Telegram as an exfiltration mechanism. We identified a number of samples which were obfuscated using XorStringsNET during our research in early March 2023, and added support for those versions and a plaintext version identified by @suyog41 on Twitter.

WhiteSnake Stealer

In February, Cyble reported on a stealer named WhiteSnake being sold on cybercrime forums. We observed that the WhiteSnake stealer decrypts strings using an XOR algorithm, where the key varies per string and is passed as an argument to the decryption routine. In WhiteSnake, the .NET class containing the XOR routine held only one additional method, which creates a mutex.

Pivoting on the string decryption algorithm, we identified a number of samples which used similar methodology, including the XOR algorithm and a mutex creation method in the same class. However, the class contained numerous other methods, each of which decrypted a single string to pass back to the caller. Further research identified these samples as Eternity malware, specifically the Stealer and Ransomware, which were also reported on by Cyble in 2022.

Support was added for WhiteSnake, Eternity Stealer, and Eternity Ransomware.
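To make the per-string-key XOR behaviour above concrete, here is an added Python model of that decryption helper. It is example code written for these notes, not ACCE's extractor or code from the malware; the string table, keys and the printability check are constructed assumptions, and the 0.95 threshold is arbitrary.

```python
"""
Model of per-string-key XOR decryption as described for WhiteSnake/Eternity.
Constructed example: the ciphertexts and keys below are made up for the
demonstration and are not values recovered from any sample.
"""
from itertools import cycle
import string

PRINTABLE = set(string.printable.encode())


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR with the key supplied by the caller, mirroring the
    helper method that takes the key as an argument: one key per string."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Plausibility check for a decrypted string. A wrong key (or a wrongly
    mapped argument at the decompiled call site) usually yields bytes outside
    the printable range, so reject anything below the threshold (assumed)."""
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= threshold


def decrypt_string_table(entries):
    """Walk (ciphertext, key) pairs as they would be collected from call sites
    and return the decoded strings; implausible results are reported as None."""
    out = []
    for ciphertext, key in entries:
        plain = xor_decrypt(ciphertext, key)
        out.append(plain.decode("ascii", errors="replace") if looks_like_text(plain) else None)
    return out


# Constructed sample table (not from a real sample): every entry carries its
# own key, reproducing the "key varies per string" property. XOR is symmetric,
# so the same routine builds the ciphertexts.
_PLAIN_AND_KEYS = [
    (b"\\Login Data", b"Q7"),
    (b"Telegram", b"s3cret"),
    (b"Global\\example-mutex", b"\x10\x20\x30"),
]
SAMPLE_TABLE = [(xor_decrypt(p, k), k) for p, k in _PLAIN_AND_KEYS]
# One entry paired with the wrong key, to show the plausibility check firing.
SAMPLE_TABLE.append((xor_decrypt(b"wrong-key-demo", b"\x01\x02"), b"\xff\xfe"))

if __name__ == "__main__":
    for s in decrypt_string_table(SAMPLE_TABLE):
        print(repr(s))
```

The check matters in practice because a pivot on the XOR routine alone will also match code where the key argument is computed differently; a run that produces mostly non-printable output is the first sign the argument mapping for that variant is wrong.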

Jaca Downloader

In late March, we observed a tweet from @StopMalvertisin for a DoNot APT downloader. During analysis, we observed that the downloader decrypted strings using Base64+AES-CBC+Subtraction+Reversal. Further research into related samples showed this to be one of several string decryption/decoding methods in use, alongside a variant of that sequence, bits-to-bytes decoding, and add decryption.

Our research indicates this downloader may be part of the Jaca framework, as described by CN-SEC, and we are referring to it as a Jaca downloader. We identified both 32-bit and 64-bit versions, and results include decryption keys, decrypted strings, a C2 address, and possibly a named mutex.

  • 32-bit: 4e54c1e8694e170244e4b7892bdb3ff0
  • 64-bit: 3feb4de4375dcc3ffb4144e2fc61dd94
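The layered decoding described for the Jaca downloader is easiest to reason about as a chain of small steps. The following is an added Python example written for these notes, not ACCE's code or code from the samples; the layer order (Base64, then AES-CBC, then per-byte subtraction, then reversal), PKCS#7 padding, the key, IV, subtraction constant and the sample blobs are all assumptions. The AES step delegates to the `cryptography` package and is imported lazily so the other layers run without it.

```python
"""
Layered string decoding of the kind described for the Jaca downloader:
Base64 -> AES-CBC -> per-byte subtraction -> byte reversal, plus the
bits-to-bytes and "add" variants. Constructed example: key, IV, padding
scheme, subtraction constant and sample blobs are assumed, not recovered.
"""
import base64

ASSUMED_KEY = bytes(range(16))   # placeholder AES-128 key
ASSUMED_IV = bytes(16)           # placeholder IV
DELTA = 0x2A                     # assumed per-byte subtraction constant


def layer_base64(data: bytes) -> bytes:
    """Step 1: the stored string is Base64 text."""
    return base64.b64decode(data, validate=True)


def layer_aes_cbc(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Step 2: AES-CBC; PKCS#7 padding is an assumption. A padding failure is
    the usual symptom of a wrong key/IV or of the layers applied in the wrong order."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(data) + decryptor.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key/IV or wrong layer order")
    return padded[:-pad]


def layer_subtract(data: bytes, delta: int) -> bytes:
    """Step 3: subtract a constant from every byte, modulo 256."""
    return bytes((b - delta) & 0xFF for b in data)


def layer_reverse(data: bytes) -> bytes:
    """Step 4: the plaintext was stored reversed."""
    return data[::-1]


def layer_bits_to_bytes(data: bytes) -> bytes:
    """Variant: the string is stored as ASCII '0'/'1' digits, eight per byte."""
    bits = data.decode("ascii")
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a clean bit string")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def layer_add(data: bytes, delta: int) -> bytes:
    """Variant: 'add decryption', the mirror image of the subtraction layer."""
    return bytes((b + delta) & 0xFF for b in data)


def run_chain(blob: bytes, layers) -> bytes:
    """Apply the layers in order. Several orderings/variants exist, so the chain
    is data rather than hard-coded."""
    for fn in layers:
        blob = fn(blob)
    return blob


def decode_jaca_string(blob: bytes, key=ASSUMED_KEY, iv=ASSUMED_IV, delta=DELTA) -> bytes:
    """Full assumed sequence: Base64 -> AES-CBC -> subtraction -> reversal."""
    return run_chain(blob, [layer_base64,
                            lambda d: layer_aes_cbc(d, key, iv),
                            lambda d: layer_subtract(d, delta),
                            layer_reverse])


# Constructed sample built by inverting the non-AES layers (reverse -> add ->
# Base64), so this part runs with the standard library alone.
SAMPLE_PLAIN = b"http://c2.example.invalid/gate"
SAMPLE_BLOB = base64.b64encode(layer_add(layer_reverse(SAMPLE_PLAIN), DELTA))
DECODE_NO_AES = [layer_base64, lambda d: layer_subtract(d, DELTA), layer_reverse]

if __name__ == "__main__":
    print(run_chain(SAMPLE_BLOB, DECODE_NO_AES))
    print(layer_bits_to_bytes(b"0100100001101001"))
```

Keeping each layer as its own function is what makes the "variant of the previously described sequence" cheap to support: a new sample that drops or reorders a step changes the chain list, not the decoder.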

HiatusRAT

In early March, Lumen released a blog post describing HiatusRAT, which infects business-grade routers and allows the attacker to execute several types of commands. We added support to extract the configuration described in the article, including the established listen port.

  • i386: ff8e26ec2573f482abbd1a8fdd80fc81
  • MIPS: 9690a3e310ed96073035c4cc3436fa9c

SysUpdate

SysUpdate malware, as described by Trend Micro, has been expanded with Linux variants and a broader infection methodology on Windows systems. We added support for both variants, covering the infection chain from the customized Shikata Ga Nai encoder through to the SysUpdate implant.
