ACCE Release Notes v2.2.20230804

Release Notes

This release consists of the following:

  • Meduza Stealer
  • DuckTail malware
  • ShortLoader Loader and Downloader
  • AppHttp Downloader
  • SmokeLoader variant
  • Edge Stealer
  • Typhon Reborn Stealer
  • Viotto Binder
  • Procrean Coinminer
  • Xanthe Coinminer
  • Abcbot implant
  • 32-bit Forest Crypter variant
  • Pikabot components: Injector, Core, and Downloader
  • ATLAS Clipper
  • Keyzetsu Clipper
  • KWN Clipper
  • DarkGate

Meduza Stealer

Author RussianPanda, @AnFam17 on X (formerly Twitter), published a write-up on Meduza Stealer including an IDAPython-based string decryption script and configuration parser.

We added C2 socket address and missionid reporting, and additionally string decryption support for 32-bit and 64-bit versions of Meduza Stealer, leveraging DC3’s Dragodis framework and rugosa library. We have also added the Meduza module to our open-source ACCE parsers (os_acce_parsers) project.

DuckTail Malware

DuckTail has been observed since at least July 2022, distributed as .NET ReadyToRun (R2R) compiled binaries, and was reported on as recently as May 2023 by TrendMicro.

We added support for the DuckTail Crypter, including a SmartAssembly-obfuscated version, and for DuckTail Implants, including a plaintext version, a Base64+DES-CBC version, and a Base64+RSA version, to report the Telegram URL and email addresses.

Edge Stealer

Edge is a stealer written in Go, reported on by X user @sarfraz432, which exfiltrates information over FTP. Our research identified two versions of Edge, one which stores the FTP parameters (address, username, and password) in plaintext, and one which hex-encodes the data.

Typhon Reborn Stealer

Typhon Stealer was first reported on by Cyble in August 2022, and an updated version dubbed “Typhon Reborn” was reported on by Palo Alto’s Unit42 in November 2022. Cisco Talos reported on Typhon Reborn V2 in April 2023, indicating that V2 was earlier released in January 2023.

We added ACCE support for Typhon Reborn versions, including reporting of the Telegram URL, mutex, missionid (buildid), filepaths, and various flags/lists. Our research additionally found a version which does not exfiltrate stolen information, but instead only saves it to a directory on disk. Of the Typhon versions which do exfiltrate information, one stored the configuration in plaintext, while the other encrypted some information using Base64+XOR+Base64.

Research on Typhon Reborn indicated some samples were packaged using Viotto Binder, a free binder/installer available from the authors of Remcos.

Pikabot

Pikabot is a rapidly evolving malware threat, reported on by Sophos, ZScaler, and Minerva Labs, which consists of three components: a downloader (observed to be protected using Forest Crypter), an injector, and a “Core”.

We updated our Forest Crypter support (see blog post from May 2023) for a 32-bit variant and added support for the downloader to report a PowerShell command, download URL, and a filepath.

As detailed in the referenced reporting, the Pikabot injector stores the embedded Core module as encrypted PNG chunks within its resources. As it collects the chunks, they are XOR decrypted, before being concatenated and then either AES-CBC or RC4 decrypted to load the Core module.
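The chunk-collection step described above, as an added Python example (not ACCE module code and not recovered from a Pikabot sample): a minimal PNG chunk walker that verifies each chunk CRC, XOR-decodes the carrier chunks, concatenates them, and decrypts the result. The page states the final layer is AES-CBC or RC4; this example uses RC4 so it runs with the standard library only. The chunk type (tEXt), XOR key, RC4 key, and the carrier PNG it builds are constructed placeholders, not values from any real sample.

```python
"""Added example (not ACCE or Pikabot code): rebuild a payload stored as
XOR-obfuscated PNG chunks, then RC4-decrypt the concatenated result.
The chunk type, keys and carrier image are constructed for this example."""
import struct
import zlib

# Constructed parameters (assumptions, not values from the original page).
CHUNK_TYPE = b"tEXt"                    # chunk type assumed to carry payload
XOR_KEY = bytes.fromhex("5a3c9e17")     # constructed per-chunk XOR key
RC4_KEY = b"example-rc4-key"            # constructed RC4 key
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key restarts at offset 0 for every chunk."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def iter_png_chunks(png: bytes):
    """Yield (type, data) for each chunk: length(4, BE) type(4) data crc(4).
    A CRC mismatch raises, so a truncated or tampered resource is caught."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG stream")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_payload(png: bytes, xor_key: bytes = XOR_KEY,
                    rc4_key: bytes = RC4_KEY) -> bytes:
    """Collect carrier chunks, XOR each, concatenate, then RC4-decrypt."""
    pieces = [xor_bytes(data, xor_key)
              for ctype, data in iter_png_chunks(png) if ctype == CHUNK_TYPE]
    return rc4(rc4_key, b"".join(pieces))


# --- Constructed carrier so the decoder can be exercised offline -------------

def build_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I4s", len(data), ctype) + data + struct.pack(">I", crc)


def build_carrier(payload: bytes, chunk_size: int = 7) -> bytes:
    """Emit a minimal PNG whose tEXt chunks hold RC4(payload), split and XORed."""
    enc = rc4(RC4_KEY, payload)
    # 1x1, 8-bit grayscale IHDR so the stream is a structurally valid PNG.
    ihdr = build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    carrier = [xor_bytes(enc[i:i + chunk_size], XOR_KEY)
               for i in range(0, len(enc), chunk_size)]
    body = b"".join(build_chunk(CHUNK_TYPE, c) for c in carrier)
    return PNG_SIGNATURE + ihdr + body + build_chunk(b"IEND", b"")


# Constructed stand-in for an embedded module; not real Pikabot bytes.
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-core-module-bytes"

if __name__ == "__main__":
    png = build_carrier(SAMPLE_PAYLOAD)
    print(extract_payload(png) == SAMPLE_PAYLOAD)
```

When adapting this to a real resource, the two details to confirm in the disassembly are whether the XOR key stream restarts for every chunk (as assumed here) or runs across the concatenated buffer, and whether the final layer is RC4 or AES-CBC; with the wrong assumption the output is silently wrong, so check for a recognisable header (an MZ stub here) before trusting the result.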

We observed two variants of the Core module, one which leverages ADVobfuscator for inline string encryption (as reported on by Sophos), and another which leverages inline RC4 string decryption. The variants can also be distinguished by the schemas used to AES-CBC decrypt the C2 socket addresses. For both variants, the C2 socket addresses, a version, and a missionid (stream) value are reported.

Clippers

At the end of June, Cyble reported on new clipper variants they had observed in the wild.

ATLAS (also reported on by X user @suyog41) is written in Go, and the observed samples were not stripped, enabling extraction of the configuration data from the variables in the “main” package. The Telegram URL, mutex, and installation parameters are reported by the module.

KWN is also written in Go, and the ACCE module likewise leverages the variables in these non-stripped samples to report CryptoAddresses and the “senderName” (reported as a version). The Telegram URL is also extracted and reported.

Keyzetsu is written in C#, and the ACCE module reports decoded strings, CryptAddresses, a version, a mutex, a filepath, and possibly an exfiltration URL.

DarkGate

X users including @0xToxin and @JAMESWT_MHT have recently posted about DarkGate, which @CERTCyberdef noted is sold on a Russian cybercriminal marketplace and has been in development since early 2017.

We added an ACCE module to perform string decryption and report the decrypted strings, C2 URL(s), and version for the variants which leverage a custom Base64 alphabet.

  • DarkGate: 1b9e9d90136d033a52d2c282503f33b7
  • DarkGate: e0d96c0fdcd06ab07d66a11b57a0c6ce
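The two Base64-based configuration encodings named in these notes, the Base64+XOR+Base64 layering in the Typhon Reborn section and the custom Base64 alphabet used by the DarkGate variants, as one added Python example (not ACCE module code, and not recovered from any sample): the alphabet, the XOR key and the configuration string are constructed placeholders, and the decoders are written so that a wrong key or alphabet raises instead of returning garbage.

```python
"""Added example (not ACCE, Typhon or DarkGate code): decoders for two
configuration encodings named in the release notes, with constructed inputs.
  * Typhon Reborn style: Base64 -> XOR -> Base64 layering.
  * DarkGate style: Base64 over a custom 64-symbol alphabet."""
import base64

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_custom_b64(data: bytes, alphabet: bytes) -> bytes:
    """Map a custom alphabet back onto the standard one, then decode strictly.
    Padding is normalised so samples that strip the trailing '=' still decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct symbols")
    std = data.translate(bytes.maketrans(alphabet, STD_ALPHABET)).rstrip(b"=")
    std += b"=" * (-len(std) % 4)
    # validate=True rejects any byte outside the alphabet (wrong alphabet -> error)
    return base64.b64decode(std, validate=True)


def encode_custom_b64(data: bytes, alphabet: bytes) -> bytes:
    """Inverse of decode_custom_b64; used only to build test material."""
    return base64.b64encode(data).translate(bytes.maketrans(STD_ALPHABET, alphabet))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_b64_xor_b64(blob: bytes, key: bytes) -> bytes:
    """Peel the layers in order: outer Base64, repeating-key XOR, inner Base64.
    A wrong key usually leaves non-Base64 bytes, which validate=True rejects."""
    inner = base64.b64decode(blob, validate=True)
    return base64.b64decode(xor_bytes(inner, key), validate=True)


def encode_b64_xor_b64(plain: bytes, key: bytes) -> bytes:
    """Inverse of decode_b64_xor_b64; used only to build test material."""
    return base64.b64encode(xor_bytes(base64.b64encode(plain), key))


# Constructed sample values (assumptions for this example, not from any sample).
SAMPLE_ALPHABET = b"zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"
SAMPLE_XOR_KEY = b"typhon-demo-key"
SAMPLE_CONFIG = b"c2=http://c2.example.invalid/;version=demo;mutex=demo-mutex"

if __name__ == "__main__":
    darkgate_style = encode_custom_b64(SAMPLE_CONFIG, SAMPLE_ALPHABET)
    typhon_style = encode_b64_xor_b64(SAMPLE_CONFIG, SAMPLE_XOR_KEY)
    print(decode_custom_b64(darkgate_style, SAMPLE_ALPHABET))
    print(decode_b64_xor_b64(typhon_style, SAMPLE_XOR_KEY))
```

The alphabet translation is a single `bytes.translate`, so the same decoder serves any variant once the 64-symbol table is read out of the sample; keep `validate=True` on both decoders, since the strict mode turns a wrong table or key into an exception at the point of failure rather than a plausible-looking but wrong configuration.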