This release consists of the following:
- ToxicEye RAT
- WhiteSnake Stealer
- Eternity Stealer and Ransomware
- Jaca Downloader (part of the Jaca framework)
- Raven RAT
- SomniRecord Backdoor
- HiatusRAT
- SysUpdate malware, including the customized Shikata Ga Nai encoder
ToxicEye is a .NET-compiled RAT, reported on since 2021, that uses Telegram as its exfiltration channel. During our research in early March 2023 we identified a number of samples obfuscated with XorStringsNET, and added support for those versions as well as for a plaintext version identified by @suyog41 on Twitter.
- ToxicEye RAT: 5b45640a3bd4fdc32df75aa462f5a167
- ToxicEye RAT (XorStringsNET): 0df4c3644530fed853b61750786206ca
In February, Cyble reported on a stealer named WhiteSnake being sold on cybercrime forums. WhiteSnake decrypts its strings with an XOR routine whose key varies per string and is passed to the routine as an argument. In WhiteSnake, the .NET class holding the XOR routine contains only one other method, which creates a mutex.
Pivoting on the string decryption routine, we identified further samples using a similar methodology: the same XOR routine and a mutex creation method in the same class. In these samples, however, the class also contained numerous additional methods, each decrypting a single string and returning it to the caller. Further research identified the samples as Eternity malware, specifically the Stealer and Ransomware, which Cyble also reported on in 2022.
Support was added for WhiteSnake, Eternity Stealer, and Eternity Ransomware.
- WhiteSnake Dropper: 8cf2faaf885a8057601149d78a4a12ca
- Eternity Stealer: 170f9bad6b995e5722ccfc90872bbcde
- Eternity Ransomware: d0192583c195bf804d2440043e375129
In late March, we observed a tweet from @StopMalvertisin about a DoNot APT downloader. During analysis we found that the downloader decrypts strings with a sequence of Base64 decoding, AES-CBC decryption, per-byte subtraction and byte reversal. Searching for related samples showed this to be one of several string decryption/decoding methods in use, alongside a variant of that sequence, bits-to-bytes decoding, and a per-byte addition ("add") decryption.
Our research indicates this downloader may be part of the Jaca framework described by CN-SEC, so we refer to it as a Jaca downloader. We identified both 32-bit and 64-bit versions; extracted results include decryption keys, decrypted strings, a C2 address and, where present, a named mutex.
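The three decoding methods named above, as an added example written for this page rather than code from the downloader or the extractor. The Base64 / AES-CBC / subtraction / reversal chain is implemented in the order the text lists it; the AES key, IV, subtraction constant and PKCS#7 padding are assumptions chosen for the example, since the page does not give them. An encoder is included only so the sample input can be constructed inline and the round trip verified offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// pkcs7Unpad strips PKCS#7 padding; the padding scheme is an assumption.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("padded data not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// reverseBytes returns a reversed copy of b.
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[len(b)-1-i] = c
	}
	return out
}

// addEach adds k to every byte modulo 256; subtraction is addEach(b, -k).
func addEach(b []byte, k byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c + k
	}
	return out
}

// DecodeB64AESSubRev: Base64 decode -> AES-CBC decrypt -> subtract sub
// from each byte -> reverse. Errors on malformed input instead of panicking.
func DecodeB64AESSubRev(enc string, key, iv []byte, sub byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	dec := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(dec, raw)
	if dec, err = pkcs7Unpad(dec); err != nil {
		return nil, err
	}
	return reverseBytes(addEach(dec, -sub)), nil
}

// EncodeB64AESSubRev is the inverse chain, used here only to build samples.
func EncodeB64AESSubRev(plain, key, iv []byte, sub byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad(addEach(reverseBytes(plain), sub))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecodeBitString implements bits-to-bytes decoding of an ASCII "0"/"1" string.
func DecodeBitString(s string) ([]byte, error) {
	if len(s) == 0 || len(s)%8 != 0 {
		return nil, errors.New("bit string length is not a multiple of 8")
	}
	out := make([]byte, 0, len(s)/8)
	for i := 0; i < len(s); i += 8 {
		v, err := strconv.ParseUint(s[i:i+8], 2, 8)
		if err != nil {
			return nil, err
		}
		out = append(out, byte(v))
	}
	return out, nil
}

// AddDecrypt is the "add" method: the encoder subtracted k, so add it back.
func AddDecrypt(b []byte, k byte) []byte { return addEach(b, k) }

func main() {
	// Constructed key, IV and plaintext; none are from a real sample.
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	enc, _ := EncodeB64AESSubRev([]byte("hxxp://example.invalid/update"), key, iv, 7)
	dec, err := DecodeB64AESSubRev(enc, key, iv, 7)
	fmt.Printf("%q %v\n", dec, err)
	bits, _ := DecodeBitString("0100100001101001")
	fmt.Printf("%q %q\n", bits, AddDecrypt([]byte{0x45, 0x66}, 3))
}
```

When driving this from an extractor, the key, IV and constant come from the sample itself, and a failed unpad is the usual signal that the wrong key or wrong variant was applied to a given string.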
In early March, Lumen published a blog describing HiatusRAT, which infects business-grade routers and lets the attacker execute several types of commands. We added support to extract the configuration described in the article, including the listen port the implant establishes.
Trend Micro described SysUpdate malware that had been expanded with Linux variants and a revised infection chain on Windows systems. We added support for both variants, covering the infection chain from the customized Shikata Ga Nai encoder through to the SysUpdate implant.