ACCE Release Notes v2.2.20230824

Release Notes

This release consists of the following:

  • JanelaRAT malware
  • Agniane Stealer
  • Open-Source PEunion Crypter
  • Snow Loader variant
  • Monti Ransomware
  • Magniber Ransomware

JanelaRAT

Zscaler ThreatLabz published an article about a modified version of BX RAT, which they named JanelaRAT, being deployed against FinTech users in the LATAM region. JanelaRAT was delivered through execution of a VBScript contained in ZIP archives.

We added ACCE support to decode strings in the VBScript to report the download URL, filenames, and registry modifications. Support for JanelaRAT includes reporting of C2 domains, a version value, a default C2 URL, an email address, a network RC4 key, a string AES-CBC key, and decrypted strings.

Agniane Stealer

Cyble and X user @MalGamy12 recently posted about Agniane Stealer, an information stealer being sold online, reportedly for $50/month. Analysis of Agniane revealed it is part of the Cinoshi project, which we previously posted about, and when logging information to a ZIP archive, it specifically includes the following note:

Cinoshi is a handy tool for managing your own traffic!

Our project includes a stealer, a botnet, a clipper
and a miner. All this in one project, in one build!
Everything is configured through a convenient web
panel, you do not need to suffer with anything and
install your own panel. Just register on Cinoshi,
buy a subscription and start working!

Reporting for Agniane includes a C2 URL, an OwnerID, a BuildID, a version value, and a token. Support was added for both the plaintext and XorStringsNET-obfuscated versions.

While researching Agniane, we observed that some Cinoshi Stealer samples were packaged using the open-source PEunion Crypter, which is available in both native assembly (FASM) and .NET. Support was added for both Crypter versions, including the .NET loader and downloader components.

Monti Ransomware

Trend Micro published an article about a new Linux-based variant of Monti Ransomware that uses a new encryptor, whereas previous versions leveraged the encryptor from the leaked Conti source code.

Support for this Monti variant includes reporting of the RSA public or private key, the ransom note, its filename, and Tor URLs.

Magniber Ransomware

Magniber Ransomware has been reported on since 2017, with the most recent reporting coming from researcher hasherezade. Excluding the MSI carrier, the variant hasherezade reported on (MD5 796eb864005f3393c3adce70dc31d6ba) consists of three components: a Crypter, a Loader, and the Ransomware Core.

The Crypter and Loader contain obfuscated code that XOR-decrypts the embedded payload using both a static and a rolling XOR key, an algorithm we refer to as Magniber-XOR. In the initial Crypter variants we observed, the static key was a single byte. Further research using MalwareBazaar identified Crypter variants that used a multi-byte static key, as seen in the Loader components.

From these Crypter variants we observed two Ransomware variants, which we differentiate based on how the C2 address is stored. In the original sample, the C2 address and URL path are stack strings. In other samples, however, these values are stored in a data buffer along with all other strings, the Magniber wallpaper, the ransom note stub, and other information.

After adding support for all of these variants, we observed that no samples had compile times newer than January 31, 2023. We used VirusTotal to identify newer Magniber Crypter samples and observed that, instead of using the Magniber-XOR algorithm, these samples used a standard XOR to decrypt the Loader component. Additionally, the Ransomware Core in these newer samples encrypts most strings and data (including the ransom note stub and wallpaper image) using a single-byte XOR key that varies per entry.

Support was added for all identified Magniber variants and includes extraction of the Loader and Ransomware layers and reporting of the C2 URL, a deobfuscated ransom note, URLs from the ransom note, an RSA public key, and, where present, a mutex and deobfuscated command lines.
