ACCE Release Notes v2.2.20231027

Release Notes

This release consists of the following:

• Lore Crypter (recategorized from PE Crypter (XOR Resource – Offset – Zero Count))
• IcedID IntBot Loader
• BlackSuit Ransomware variant
• RecordBreaker loader variant
• Raccoon Stealer variant
• X-Files Stealer variants which leverage configuration in dictionary format
• Poverty Stealer variant
• MetaSploit PowerFun module
• ChargeWeapon backdoor, including garble obfuscated version
• NetExec Loader/Downloader
• EagerBee Loader/Implant
• PizzaPotion InfoStealer
• DownTown plugin
• HijackLoader / IDAT Loader components: Container, Side-Loader, Downloader, Crypter
• Knight Ransomware
• RisePro loader
• GrMsk Stealer (CT named malware)
• GuLoader Packer and Downloader variants
• MicroJunked (CT named malware)

Lore Crypter

Lore is a Crypter tracked by IBM Security X-Force which we initially added support for as an unnamed Crypter. While converting the support under the Lore naming convention, we added or updated support for the IcedID IntBot loader and a Windows-based BlackSuit ransomware variant which XOR encodes the ransom note and uses an RSA public key instead of an ED22519 key.

• Lore + IcedID IntBot: 3159d2f0c380060cc1ab80b5f1c9b522
• Lore + BlackSuit: 9305bbe05c27b2431e1e22bf361581fa

RecordBreaker Loader

Our continued observation of RecordBreaker loaders in the wild (see release notes from 2023-07-03 and 2023-02-08) yielded an additional variant for which we identified ~450 samples. The payloads included a Poverty Stealer variant which constructs strings on the stack during runtime and an X-Files Stealer variant which stores its configuration in a dictionary.

• RecordBreaker + Poverty: 86aec1d77c3b004c38d5ee246499728c
• RecordBreaker + X-Files: 554a40726167555954ffb9331b339ddc

ChargeWeapon Backdoor

In early October 2023, ElectricIQ published research on a “cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing (TSMC) lure.”

This included analysis of the ChargeWeapon backdoor, a GOLang-compile binary which was also observed to be obfuscated using the open-source tool garble. We added support for both ChargeWeapon versions to report the C2 socket address.

Within the IOC’s of the report were samples labeled “Generic Malware Downloader,” one of which runs a PowerShell command to download a file using the Start-BitsTransfer command. We refer to this as a NetExec Loader and Downloader.

• ChargeWeapon: 44ee43adc8f423db4a461fc99731cdb9
• ChargeWeapon (garble Obfuscated): a79849ffbb30b6f31efab1977b13d229
• NetExec: 151b6116f0ac94a21543ceeca225099c

REF5961 Intrusion Set

Elastic Security Labs published research on what they call the REF5961 Intrusion Set, including new malware families EagerBee and DownTown.

We added a module to process EagerBee shellcode loaders and the implant variants, which either use a listen port or a c2 socket address. For DownTown Plugins, we added a module to detect the Plugin type. As further plugins are identified, support will be enhanced for any reportable metadata.

Within the carrier files for EagerBee, we identified InfoStealers, which are described as “PizzaPotion,” from Elastic-provided YARA rules on VirusTotal. Support includes reporting of commands executed during runtime and may include URLs, user-agent strings, and filepaths.

• EagerBee: 7893f51d76a621ac124cf13ec2e9c521
• PizzaPotion: 4d33ab1f162fecafe32bf5d63294f4f5

HijackLoader / IDAT Loader

In August 2023, Rapid7 published research on what they refer to as IDAT Loader. Essentially, the malware authors leveraged DLL load-order hijacking to side-load and decrypt data from a PNG image, starting in a specific IDAT chunk which starts with the magic bytes 0xc6a579ea, ultimately running embedded shellcode and modules to drop an embedded component.

On 8 Sep 2023, ZScaler published a report on what they refer to as HijackLoader, while referencing the original Rapid7 research, which either downloads a component or loads a payload from a PNG image as described for IDAT Loader above.

We added support to ACCE for these components, referring to them as HijackLoader. The ACCE modules support extraction of the URL from downloaders, the targeted filename from side-loaders, and extraction/reporting of all embedded modules (including shellcode and payload(s)), filepaths, injection processes, and commands from HijackLoader PNG Containers.

Research on HijackLoader led to identification of 211 total PNG Containers and the addition of support for identified payloads Knight Ransomware, RisePro Loaders, and CT-named GrMsk Stealer.

• HijackLoader Downloader: 93a03e997a9654d4fd303da4af077a82
• HijackLoader Crypter + GrMsk: 0b5b6ac85a912d68a517558885e7633f
• HijackLoader + Knight: d716fb977a092c06d5b9207442a433ee
• HijackLoader + RisePro: 869a364a0dc36750afb4334d503c357f

GuLoader

GuLoader (also known as CloudEyE), is a downloader, observed as shellcode, initially delivered in VisualBasic compiled binaries. GuLoader has since been observed being delivered using a few different mechanisms, including NSIS installers and RAR archives, using an obfuscated shellcode Crypter which decrypts and loads the obfuscated downloader in memory.

The initial variants of the downloader that we observed used exception handling to obfuscate code flow, but only used int3 instructions. When an int3 was encountered, they took the next byte, XOR decoded it, and used that as an offset to the next instruction to execute. The latest variants we observed instead handle four (4) different types of exceptions: int3 breakpoints, privileged instructions, memory access violations, and single-step exceptions.

Despite this change, we were able to update our GuLoader support to deobfuscate and decrypt all embedded strings, enabling reporting of strings and C2 URLs. Examples follow:

• 117d65196ecf1efeeeec72b32ff9cb44
• 1a7ea220f9a8c0df40fc6a398bc72380

We have added hashes and URLs for GuLoader Packers to our GitHub.