This release consists of the following:
- Open-source Revenant Agent
- Merdoor malware
- ZXshell component support
- UNC4841 APT support including:
- SaltWater Backdoor
- SeaSpray Launcher
- FrozenHill launcher
- FunnySwitch malware
- Spyder Dropper and Crypter components
- RedHotel APT support including Dropper, Downloader, and Side-Loader components
- Brute Ratel C4 (BRC4) injector variant and XOR encrypted injector
- SmugX malware
- Barge Crypter
- NapListener malware
- Open-Source SparkRAT
Revenant is an open-source “3rd party agent for Havoc written in C, and based on Talon,” which was initially observed in the wild (ITW) in Mar 2023, but has seen VirusTotal (VT) submissions as recently as 3 Sep 2023, as observed in the profile on Valhalla.
Support for Revenant includes reporting of the C2 url, a useragent string, an interval, and a missionid.
- Revenant: 56516bb160fdba5925ea56a0682f9d6b
Merdoor malware has been deployed in RAR SFX archives (described in Symantec reporting as a dropper) containing 3 components: a legitimate, signed binary (executable) vulnerable to DLL search-order hijacking, a side-loader, and an encrypted payload. When loaded by the executable, the side-loader will DES-CBC decrypt and run the implant in memory.
ACCE supports submission of the Merdoor “dropper”, extracting the embedded components and processing the side-loader to decrypt the Merdoor implant. The Merdoor module will report the configuration DES-CBC key, C2 socket addresses, minimum/maximum interval parameters, and an installation registry path.
The ACCE ZXShell module includes support for the installer component (which contains the configuration data block) including extraction of the embedded components to include the ZXShell backdoor.
- Merdoor Dropper (32-bit): 1e70fa98f6229ed2302afdac5a2174a6
- ZXShell Installer: 920dccefa293a4a718eb2abb262f8074
Mandiant published 2 detailed reports on UNC4841 APT activity, first on 15 Jun 2023 and later on 29 Aug 2023. While most of the reported malware was not publicly available, we added ACCE support for SaltWater, SeaSpray, and SeaSpy malware.
- SaltWater: 4ec4ceda84c580054f191caa09916c68
- SeaSpray: 35cf6faf442d325961935f660e2ab5a0
- SeaSpy: 4ca4f582418b2cc0626700511a6315c0
On 11 Jul 2023, Mandiant published a report on USB-based campaigns affecting both public and private sector entities across the globe. The malware samples Mandiant associated with Sogu were already supported by ACCE, though we identify the end payload as a Mustang Panda PlugX variant, and the reported SnowyDrive malware was not publicly available to add support. The FrozenHill launcher, however, was publicly available and support was added to report mutexes, filepaths, and file hashes embedded in the malware.
- PlugX Encrypted Container: 38baabddffb1d732a05ffa2c70331e21
- FrozenHill Launcher: 848feec343111bc11cceb828b5004aad
On 8 Aug 2023, Recorded Future released a report on RedHotel APT activity spanning campaigns from 2021 to 2023. This activity included custom malware FunnySwitch and Spyder and offensive security tools Cobalt Strike and Brute Ratel C4 (BRC4).
While ACCE already had support for the Spyder Backdoor and Loader, support was added for the reported dropper and crypters to extract embedded components and in the case of the dropper, report filepaths.
FunnySwitch malware consisted of numerous components including an initial loader, shellcode, a shellcode loader, an implant, and XML-formatted configuration data. Support was added for the entire sequence.
Some of the reported components associated with RedHotel, namely a dropper, side-loader, and a downloader, were unnamed, and ACCE support associates them with the RedHotel APT.
- Spyder Dropper: 9555ecef1396db7d27a819712588e098
- FunnySwitch Loader: df9c5a67a15ea55df84517acbf26da4d
- RedHotel Dropper + Cobalt Strike: 92df8c81d6a4295dc6a4300f081f88c9
- RedHotel Downloader: dba8d19b089a28e66fc63879eca6b9fa
On 3 Jul 2023, CheckPoint Research published a report on SmugX, a PlugX variant, which was being deployed using the HTML smuggling technique, either directly dropping a side-loaded component or downloading an MSI which would drop/run the side-loading sequence.
- SmugX HTML Smuggler + Dropper: 0c8fc554f486c17a5c455f340ad98c6e
- SmugX HTML Smuggler + Downloader: 36fa67c520bd680f710a4e2c8b85715a
- SmugX MSI: 8fd3eea06d79b795c678bbfa485bf32d
When researching XWorm in March, we observed an unnamed C# crypter which uses steganography and AES-CBC decryption to load an embedded payload, which in all samples we uncovered was QuasarRAT Stealer. Within the obfuscated image, the size of the payload is stored at pixel offset [0, 1], and the payload is obfuscated in ARGB order.
We named the crypter “Barge,” and the ACCE module supports extraction and decryption of the embedded component.
- Barge Crypter: 2a345e6908eda7206d5d6910a38eb943
- Barge Crypter (ConfuserEx Obfuscated): ca72cf4c7471eec33157cdf9a6d37be3
The VPN installer is distributed in a C#-compiled binary, and versions of the installer were observed to install the payload as a scheduled task. Some installer versions were also observed to be obfuscated using Obfuscar. We named the installer “SharpExtract” based upon its assembly title/product name “extract.”
SparkRAT AES-CTR encrypts its JSON-encoded configuration and stores it in a buffer with the key and IV. The ACCE module reports the C2 url, mission id (uuid), network password (key), and, if available, a commit hash.
- SparkRAT: 0b98fb3a09048b79f316d1bd3795f11d