ACCE Release Notes v2.0.20230501

Release Notes

This release consists of the following:

  • 3CX supply chain attack support, including Iconic malware and UpdateAgent implant
  • FormBook loader (RC4) and stealer variant
  • Eternity Worm
  • Agent Tesla Obfuscar variant, which contains only one communications method, as observed with XorStringsNET variants
  • Remcos v4.X
  • GCleaner downloader
  • Mélofée malware
  • AlienReverse malware
  • Forest Crypter
  • IcedID Lite Downloader
  • Paracetamol Crypter
  • Bozok Implant

3CX Supply Chain Attack

The 3CX supply chain attack has been covered by multiple vendors, including Cyble, Uptycs and TrendMicro. We added support for the Iconic malware, including the side-loader, encrypted container, and loaders (both PE and Mach-O), and the reported UpdateAgent payload.

The offline version of ACCE supports processing of the compromised 3CX MSI, extracting all of the Iconic components described above. However, hosted instances of ACCE, including Research ACCE, will not process the 3CX MSI due to its size.

GCleaner Downloader

GCleaner, reported by @crep1x on Twitter, is a fairly simple downloader containing XOR-encrypted strings that are decrypted on the stack at runtime. Most samples we observed, including those from the original tweet, were packed using Burix. The GCleaner module reports the decrypted strings and the C2 configuration data.

Mélofée Malware

Exatrack reported on an implant targeting Linux servers, which they call Mélofée. We added support for both the installer and implant variants. The installer module extracts the persistence script and reports file paths. The implant module reports the C2 configuration and the lockfile path, which is used as a mutex.

While adding support for Mélofée, we also added a module for the AlienReverse implant, which reports the configured C2 socket address, the PEL network activity password (pel_encrypt / pel_decrypt from the Reptile project), intervals, and proxy settings (if configured).

Forest Crypter / IcedID Lite Downloader

While investigating IcedID reporting from Acronis and on Malware Bazaar, we observed that the samples carrying the IcedID payload were Forest Crypter, which was reported on by IBM and was initially described in the community as specific to the BumbleBee malware family.

The Forest Crypter is notable for its obfuscation and mechanisms for constructing the embedded payload before ultimately executing it in memory. We established baseline support for some of the recently observed variants, but both detection and support for Forest will be an ongoing project as it continues to evolve, evading detection and recovery efforts.

Paracetamol Crypter

After recently adding support for DarkCrystal RAT, we saw a tweet from @embee_research which referenced a crypter being used for a DarkCrystal RAT payload. User @pmelson indicated the technique was similar to a loader he had seen and referred to as Paracetamol, based upon a variable name in the code.

We added an ACCE module for the .NET version of Paracetamol, identifying variants which use TDES decryption or Gzip decompression, and variants obfuscated using OrangeHeap or a combination of SmartAssembly and Babel. Research using VirusTotal yielded numerous Paracetamol Crypters containing payloads including AsyncRAT, Bozok Implant, open-source DcRat, njRAT, Stealerium, and XWorm, among others.
