ACCE Release Notes v2.1.20230522

Release Notes

This release consists of the following:

  • 44 Caliber Stealer “RL” variant
  • RevengeRAT variant
  • Royal Road Downloader variants
  • InvalidPrinter (in2al5d p3in4er) Loader
  • Snow Downloader
  • TrueBot Downloader variants
  • PingPull Linux variant
  • Sword2033 backdoor
  • ImBetter Stealer
  • ibFun Dropper
  • Open-source Lime Crypter and Installer variant
  • ScrubCrypt variant
  • njRAT variant
  • SarinLocker ransomware

44 Caliber Stealer “RL” and RevengeRAT variants

Following on from our research into XWorm and Razor Crypter, we further analyzed two of the payloads extracted from Razor Crypter samples and determined them to be a variant of the open-source 44 Caliber Stealer and a variant of the open-source RevengeRAT.

While the original 44 Caliber code base uses a Discord webhook for exfiltration, the observed variant uses Telegram instead. The variant also incorporates the StringsCrypt module seen in stealers such as StormKitty, Stealerium, and WorldWind.

InvalidPrinter (in2al5d p3in4er) Loader

Morphisec recently posted about the InvalidPrinter loader, which they observed being used to deliver Aurora Stealer. Support was added to extract and decrypt the payload from InvalidPrinter.

PingPull / Sword2033

Unit42 at Palo Alto posted an update to their previous research on PingPull malware, indicating they identified a Linux variant and another backdoor they call Sword2033.

The PingPull module was updated to support the Linux variant, and a Sword2033 module was added to extract and report network passwords and C2 socket addresses.

ibFun Dropper

In addition to the 44 Caliber / RevengeRAT variants described above, our Razor Crypter research yielded a dropper that decrypts a payload from its resources using AES-CBC, writes it to disk, and executes it. The dropper uses the same cipher for string decryption, applied after Base64-decoding the stored value.

A VirusTotal RetroHunt yielded 25 additional samples of the dropper, which we are calling ibFun based upon the salt used to derive the AES-CBC parameters in our original sample.

The payloads from the RetroHunt additionally yielded the open-source Lime Crypter together with a variant we are calling an Installer; a ScrubCrypt Batch script variant that places the key/IV directly in the PowerShell code instead of in an array alongside the encrypted components; an njRAT variant; and SarinLocker ransomware. Modules were added or updated for each of these payloads.
