ACCE Release Notes v2.2.20230913

Release Notes

This release consists of the following:

  • Open-source Revenant Agent
  • Merdoor malware
  • ZXShell component support
  • UNC4841 APT support including:
    • SaltWater Backdoor
    • SeaSpray Launcher
    • SeaSpy
  • FrozenHill launcher
  • FunnySwitch malware
  • Spyder Dropper and Crypter components
  • RedHotel APT support including Dropper, Downloader, and Side-Loader components
  • Brute Ratel C4 (BRC4) injector variant and XOR encrypted injector
  • SmugX malware
  • Barge Crypter
  • NapListener malware
  • Open-Source SparkRAT
  • SharpExtract

Revenant

Revenant is an open-source “3rd party agent for Havoc written in C, and based on Talon,” which was initially observed in the wild (ITW) in Mar 2023, but has seen VirusTotal (VT) submissions as recently as 3 Sep 2023, as observed in the profile on Valhalla.

Support for Revenant includes reporting of the C2 URL, the user-agent string, the check-in interval, and the mission ID.

  • Revenant: 56516bb160fdba5925ea56a0682f9d6b

Lancefly APT

In May 2023, Symantec published a report about the Lancefly APT leveraging custom malware named Merdoor in addition to the ZXShell rootkit.

Merdoor malware has been deployed in RAR SFX archives (described in Symantec reporting as a dropper) containing 3 components: a legitimate, signed binary (executable) vulnerable to DLL search-order hijacking, a side-loader, and an encrypted payload. When loaded by the executable, the side-loader will DES-CBC decrypt and run the implant in memory.

ACCE supports submission of the Merdoor “dropper”, extracting the embedded components and processing the side-loader to decrypt the Merdoor implant. The Merdoor module will report the configuration DES-CBC key, C2 socket addresses, minimum/maximum interval parameters, and an installation registry path.

The ACCE ZXShell module supports the installer component (which contains the configuration data block), including extraction of the embedded components such as the ZXShell backdoor.

UNC4841 APT

Mandiant published 2 detailed reports on UNC4841 APT activity, first on 15 Jun 2023 and later on 29 Aug 2023. While most of the reported malware was not publicly available, we added ACCE support for SaltWater, SeaSpray, and SeaSpy malware.

  • SaltWater: 4ec4ceda84c580054f191caa09916c68
  • SeaSpray: 35cf6faf442d325961935f660e2ab5a0
  • SeaSpy: 4ca4f582418b2cc0626700511a6315c0

FrozenHill Launcher

On 11 Jul 2023, Mandiant published a report on USB-based campaigns affecting both public and private sector entities across the globe. The malware samples Mandiant associated with Sogu were already supported by ACCE (though we identify the end payload as a Mustang Panda PlugX variant), and the reported SnowyDrive malware was not publicly available, so support could not be added. The FrozenHill launcher, however, was publicly available, and support was added to report the mutexes, file paths, and file hashes embedded in the malware.

RedHotel APT

On 8 Aug 2023, Recorded Future released a report on RedHotel APT activity spanning campaigns from 2021 to 2023. This activity included custom malware FunnySwitch and Spyder and offensive security tools Cobalt Strike and Brute Ratel C4 (BRC4).

While ACCE already had support for the Spyder Backdoor and Loader, support was added for the reported dropper and crypters to extract embedded components and, in the case of the dropper, report file paths.

FunnySwitch malware consisted of numerous components including an initial loader, shellcode, a shellcode loader, an implant, and XML-formatted configuration data. Support was added for the entire sequence.

Some of the reported components associated with RedHotel, namely a dropper, side-loader, and a downloader, were unnamed, and ACCE support associates them with the RedHotel APT.

SmugX

On 3 Jul 2023, Check Point Research published a report on SmugX, a PlugX variant, which was being deployed using the HTML smuggling technique, either directly dropping a side-loaded component or downloading an MSI which would drop and run the side-loading sequence.

Support was added to ACCE to detect/process the SmugX HTML smuggler, extracting either the JavaScript downloader or the Windows Shortcut dropper. Support was also added for the RC4 and AES-ECB side-loader variants and the SmugX implant.

Barge Crypter

When researching XWorm in March, we observed an unnamed C# crypter which uses steganography and AES-CBC decryption to load an embedded payload, which in all samples we uncovered was QuasarRAT Stealer. Within the obfuscated image, the size of the payload is stored at pixel offset [0, 1], and the payload is obfuscated in ARGB order.

We named the crypter “Barge,” and the ACCE module supports extraction and decryption of the embedded component.
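The pixel layout described above, as an added example that is not ACCE's module or the crypter's own code: a constructed ARGB carrier is built with the payload length at pixel [0, 1] and the payload bytes following in ARGB channel order, and an extractor recovers the embedded (still AES-CBC encrypted) blob. It assumes the length is a big-endian uint32 in the four channels of pixel (x=0, y=1), that payload bytes start at the next pixel in row-major order, and that the image has already been decoded to ARGB tuples (for example with Pillow, not shown); the AES-CBC key and IV handling is not described on the page and is not implemented here.

```python
"""Recover the encrypted payload a Barge-style stego carrier hides in its pixels."""
import struct
from typing import List, Tuple

Pixel = Tuple[int, int, int, int]  # (A, R, G, B), each 0..255


def pixel_index(width: int, x: int, y: int) -> int:
    """Row-major index of pixel (x, y) in a flat ARGB pixel list."""
    return y * width + x


def extract_payload(pixels: List[Pixel], width: int, height: int) -> bytes:
    """Return the embedded blob (AES-CBC ciphertext, decryption not shown here)."""
    # Assumption: pixel [0, 1] carries the payload length as a big-endian uint32
    # packed across its A, R, G, B channels.
    size = struct.unpack(">I", bytes(pixels[pixel_index(width, 0, 1)]))[0]
    # Assumption: payload bytes begin at the pixel after [0, 1], four bytes per
    # pixel, read in ARGB channel order.
    start = pixel_index(width, 0, 1) + 1
    out = bytearray()
    for idx in range(start, width * height):
        if len(out) >= size:
            break
        out.extend(pixels[idx])  # A, R, G, B -> four payload bytes
    if len(out) < size:
        raise ValueError("carrier too small for declared payload size %d" % size)
    return bytes(out[:size])


def embed_payload(payload: bytes, width: int, height: int) -> List[Pixel]:
    """Constructed carrier using the same layout, so the extractor can be exercised offline."""
    start = pixel_index(width, 0, 1) + 1
    needed = (len(payload) + 3) // 4  # pixels required, 4 bytes each
    if start + needed > width * height:
        raise ValueError("carrier too small for payload")
    pixels: List[Pixel] = [(0, 0, 0, 0)] * (width * height)
    a, r, g, b = struct.pack(">I", len(payload))
    pixels[pixel_index(width, 0, 1)] = (a, r, g, b)  # length marker at [0, 1]
    padded = payload + b"\x00" * (needed * 4 - len(payload))
    for i in range(needed):
        chunk = padded[4 * i:4 * i + 4]
        pixels[start + i] = (chunk[0], chunk[1], chunk[2], chunk[3])
    return pixels


if __name__ == "__main__":
    blob = b"constructed-ciphertext-blob"  # stands in for the AES-CBC encrypted payload
    print(extract_payload(embed_payload(blob, 8, 8), 8, 8) == blob)
```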

SparkRAT

Spark is an open-source remote administration tool (RAT) written in Go, which was most recently observed by AhnLab Security Emergency Response Center (ASEC) being distributed in a VPN installer.

The VPN installer is distributed in a C#-compiled binary, and versions of the installer were observed to install the payload as a scheduled task. Some installer versions were also observed to be obfuscated using Obfuscar. We named the installer “SharpExtract” based upon its assembly title/product name “extract.”

SparkRAT AES-CTR encrypts its JSON-encoded configuration and stores it in a buffer with the key and IV. The ACCE module reports the C2 URL, mission ID (UUID), network password (key), and, if available, a commit hash.

  • SparkRAT: 0b98fb3a09048b79f316d1bd3795f11d