This release consists of the following:
- 3CX supply chain attack support, including Iconic malware and UpdateAgent implant
- FormBook loader (RC4) and stealer variant
- Eternity Worm
- Agent Tesla Obfuscar variant which contains only one communications method as observed with XorStringsNET variants
- Remcos v4.X
- GCleaner downloader
- Mélofée malware
- AlienReverse malware
- Forest Crypter
- IcedID Lite Downloader
- Paracetamol Crypter
- Bozok Implant
3CX Supply Chain Attack
The 3CX supply chain attack has been covered by multiple vendors, including Cyble, Uptycs and TrendMicro. We added support for the Iconic malware, including the side-loader, encrypted container, and loaders (both PE and Mach-O), and the reported UpdateAgent payload.
The offline version of ACCE supports processing of the compromised 3CX MSI, extracting all of the Iconic components described above. However, any hosted instances of ACCE, to include Research ACCE, will not process the 3CX MSI due to its size.
- Iconic Side-Loader: 74bc2d0b6680faa1a5a76b27e5479cbc
- Iconic Encrypted Container: 82187ad3f0c6c225e2fba0c867280cc9
- Iconic Mach-O Loader: 660ea9b8205fbd2da59fefd26ae5115c
- UpdateAgent: 5faf36ca90f6406a78124f538a03387a
GCleaner, reported by @crep1x on Twitter, is a fairly simple downloader containing XOR encrypted strings that are decrypted on the stack during runtime. Most samples we observed, including from the original tweet, were packed using Burix. The GCleaner module reports decrypted strings and reports C2 configuration data.
- Burix Packer loading GCleaner: 816091e8b995c57bd04f5f326ae23f0f
Exatrack reported on an implant targeted Linux servers, which they call Mélofée. We added support for both the installer and implant variants. The installer module extracts the persistence script and reports filepaths. The implant module reports C2 configuration and the lockfile path, which is used as a mutex.
While adding support for Mélofée, we additionally added a module for the AlienReverse implant to include reporting of the configured C2 socket address, PEL network activity password (pel_encrypt / pel_decrypt from the Reptile project), intervals, and proxy settings (if configured).
- Mélofée Implant (XOR): 9e232a14ba4fdb7f95d59d06682af25f
- Mélofée Implant (RC4): 9b653d1f5988bf0178c74104f4150a79
- AlienReverse: c0766e8a2020aeac14537dc61fe608b1
Forest Crypter / IcedID Lite Downloader
While investigating IcedID reporting from Acronis and on Malware Bazaar, we observed that the samples containing the IcedID payload were Forest Crypter, which was reported on by IBM and initially reported in the community as being specific to the BumbleBee malware family.
The Forest Crypter is notable for its obfuscation and mechanisms for constructing the embedded payload before ultimately executing it in memory. We established baseline support for some of the recently observed variants, but both detection and support for Forest will be an ongoing project as it continues to evolve, evading detection and recovery efforts.
- Forest Crypter + IcedID: 149a20540bf65ce00fe6f06d48bf4b4d
- Forest Crypter + IcedID Lite Downloader: 5d9c2b17f30765462ff5e3eaa0931885
- Forest Crypter + BumbleBee: 22c884dd78b0ab7f6c6c5eedd37a4e89
After recently adding support for DarkCrystal RAT, we saw a tweet from @embee_research which referenced a crypter being used for a DarkCrystal RAT payload. User @pmelson indicated the technique was similar to a loader he had seen and referred to as Paracetamol, based upon a variable name in the code.
We added an ACCE module for the .NET version of Paracetamol, identifying variants which use TDES decryption or Gzip decompression, and variants obfuscated using OrangeHeap or a combination of SmartAssembly and Babel. Research using VirusTotal yielded numerous Paracetamol Crypters containing payloads including AsyncRAT, Bozok Implant, open-source DcRat, njRAT, Stealerium, and XWorm, among others.