ACCE Release Notes v2.10.20250730

This release consists of the following:

SquidLoader

As described by researchers at Trellix, SquidLoader consists of multiple layers of obfuscated components. In addition to the loader component described in the article, which uses an xor-add algorithm to decode the next layer, we identified the following loader variants:

  • A loader variant which searches for a hard-coded egg b"PNG\r\n\x1a\nGIF87a", marking the start of a structure prefixed by an 8-bit entry count and followed by that many 32-bit-prefixed ChaCha20-Poly1305 data buffers.
  • A loader variant containing an RC4 encrypted and Base64 encoded shellcode buffer, where the RC4 key is derived using a custom algorithm described in the Python code below, where key, encoded, and add_key are predefined parameters:
# key: sequence of index pairs (ka, kb) into the encoded buffer
# encoded: mutable byte buffer (e.g. bytearray) holding the obfuscated key material, modified in place
# add_key: 8-bit constant added to each byte after the swap
for i in range(0, len(key), 2):
    ka = key[i]
    kb = key[i + 1]
    kx = (ka ^ kb) + i          # per-pair offset derived from the two indices

    # subtract the offset from both referenced bytes (8-bit wrap)
    da = (encoded[ka] - kx) & 0xff
    db = (encoded[kb] - kx) & 0xff
    # swap the two bytes and add the constant (8-bit wrap)
    encoded[kb] = (da + add_key) & 0xff
    encoded[ka] = (db + add_key) & 0xff
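
The egg-delimited structure of the first variant above, as an added example (not code from ACCE or from the Trellix article): it locates the egg, reads the 8-bit entry count and then each 32-bit-prefixed buffer, with bounds checks so a malformed or truncated sample fails cleanly instead of over-reading. The notes do not state the endianness of the 32-bit prefix or how the ChaCha20-Poly1305 nonce and tag are laid out, so little-endian length prefixes are an assumption and the buffers are returned still encrypted.

```python
import struct

# Hard-coded egg from the release notes
EGG = b"PNG\r\n\x1a\nGIF87a"


def parse_egg_structure(blob: bytes, offset: int = 0) -> list:
    """Return the raw (still ChaCha20-Poly1305 encrypted) buffers following the egg.

    Assumed layout (little-endian length prefix is an assumption):
      egg | u8 entry_count | (u32 length | data) * entry_count
    """
    pos = blob.find(EGG, offset)
    if pos < 0:
        raise ValueError("egg marker not found")
    pos += len(EGG)
    if pos >= len(blob):
        raise ValueError("truncated: no entry count after egg")
    count = blob[pos]
    pos += 1
    entries = []
    for idx in range(count):
        if pos + 4 > len(blob):
            raise ValueError(f"truncated length prefix for entry {idx}")
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError(f"entry {idx} claims {length} bytes, only {len(blob) - pos} remain")
        entries.append(bytes(blob[pos:pos + length]))
        pos += length
    return entries


def build_egg_structure(buffers: list) -> bytes:
    """Inverse of parse_egg_structure; used here only to construct a sample."""
    if len(buffers) > 0xFF:
        raise ValueError("entry count must fit in one byte")
    out = bytearray(EGG)
    out.append(len(buffers))
    for buf in buffers:
        out += struct.pack("<I", len(buf)) + buf
    return bytes(out)


# Constructed sample: junk prefix, two placeholder "encrypted" buffers, junk suffix.
SAMPLE = b"\x00" * 16 + build_egg_structure([b"\xde\xad\xbe\xef", b"\x01" * 40]) + b"\xff" * 8

if __name__ == "__main__":
    for i, entry in enumerate(parse_egg_structure(SAMPLE)):
        print(i, len(entry), entry[:8].hex())
```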

Following the initial loader may be a loader shellcode layer (described in the article as Stage 2) which uses RC4 and a custom substitution cipher to load multiple payloads from the parent loader component.

From the collected samples, two payload variants were observed:

  • A simple downloader which contains its download parameters (address and port) in plaintext and is loaded by an additional shellcode loader which XOR-decodes the payload.
  • An implant which contains msgpack-serialized and XOR-encoded configuration settings consisting of at least an RSA public key and one of the following:
    • C2 socket addresses
    • C2 URLs and a user-agent string

Samples:
