ACCE Release Notes v2.3.20231121

Release Notes

This release consists of the following:

  • ManWolf Crypter and Downloader (CT-named malware)
  • Snake Crypter variant
  • Agent Tesla plaintext variant which contains only one communication method
  • GobypassAV loader Base85+RC4+XOR and Base64+XOR variants
  • ObjCShellz malware
  • Tunna Webshell
  • FoxShell Webshell and Backdoor
  • SDD Backdoor
  • LionTail Loader and Backdoors (aka HTTPSnoop and PipeSnoop)
  • Wintapix Loader
  • GrMsk Stealer variant
  • Pangolin8Rat components from Operation Dragon Castling
  • NimPlant Agent
  • Demon payload from Havoc C2 framework
  • Harriet Crypter
  • KaynLdr loader
  • KsNeck Crypter (CT-named malware)

ManWolf

Cipher Tech (CT) discovered an unnamed, .NET Reactor-obfuscated Crypter as a payload while performing research on the UnderScored Crypter. Based on naming conventions in its underlying components, CT named this Crypter ManWolf and identified a variant that downloads the component for execution instead of loading it from internal data. The ManWolf Crypter performs character replacement and Base64 decoding on the embedded or downloaded component.

Snake Crypter Variant

After viewing an article by threat researcher Matthew about unpacking a .NET Crypter, we identified the Crypter as a Snake Crypter variant (see the release notes for v2.1.20230605). This variant uses the SHA256 hash algorithm to derive an AES-CBC key for decrypting the payload.

GobypassAV

GobypassAV is an open-source loader written in Go, which we first identified as a payload while conducting research on Freeze Crypter (see the release notes for v2.2.20231004). GobypassAV stores its payload in plaintext, or wrapped in RC4, XOR, hex encoding and Base85 encoding, or wrapped in XOR and Base64 encoding.
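The two GobypassAV wrappings named above (Base85+RC4+XOR and Base64+XOR), as an added example that is not the loader's own code: a small Python decoder that peels the layers in whatever order an analyst reads off a sample. The release notes do not state the order in which the layers are applied, the keys, or which Base85 alphabet is used; the order below (Base85 outermost, then hex, RC4, XOR), the Ascii85 alphabet that Go's encoding/ascii85 package produces (Python's base64.a85* functions), and the keys are all assumptions, so each is a parameter rather than a constant, and the sample blob is constructed by the script itself.

```python
"""Added example: layered decoder for the two GobypassAV payload wrappings
named in the release notes (Base85+hex+RC4+XOR and Base64+XOR).

Assumptions (not stated in the notes): the layer order, the keys, and the
Ascii85 alphabet (Python's base64.a85* matches Go's encoding/ascii85)."""
import base64
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Each layer: (unwrap, wrap). Keyless layers ignore the key argument.
LAYERS = {
    "base85": (lambda d, _k: base64.a85decode(d), lambda d, _k: base64.a85encode(d)),
    "base64": (lambda d, _k: base64.b64decode(d), lambda d, _k: base64.b64encode(d)),
    "hex":    (lambda d, _k: binascii.unhexlify(d), lambda d, _k: binascii.hexlify(d)),
    "rc4":    (lambda d, k: rc4(k, d), lambda d, k: rc4(k, d)),
    "xor":    (lambda d, k: xor(k, d), lambda d, k: xor(k, d)),
}

# Assumed layer order, outermost first (what an analyst reads off the sample).
VARIANT_B85_RC4_XOR = ["base85", "hex", "rc4", "xor"]
VARIANT_B64_XOR = ["base64", "xor"]


def decode(blob: bytes, layers: list, keys: dict) -> bytes:
    """Peel the layers outermost-first to recover the embedded payload."""
    data = blob
    for name in layers:
        unwrap, _ = LAYERS[name]
        data = unwrap(data, keys.get(name))
    return data


def encode(payload: bytes, layers: list, keys: dict) -> bytes:
    """Apply the layers innermost-first; used here only to build test samples."""
    data = payload
    for name in reversed(layers):
        _, wrap = LAYERS[name]
        data = wrap(data, keys.get(name))
    return data


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a correctly peeled Windows payload starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample input (not from a real sample): a fake PE prefix and
# made-up keys, wrapped with the assumed layer order.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_KEYS = {"rc4": b"example-rc4-key", "xor": b"\x5a"}


def build_sample(layers: list) -> bytes:
    """Produce a wrapped blob for one variant from the constructed payload."""
    return encode(SAMPLE_PAYLOAD, layers, SAMPLE_KEYS)


if __name__ == "__main__":
    for variant in (VARIANT_B85_RC4_XOR, VARIANT_B64_XOR):
        blob = build_sample(variant)
        recovered = decode(blob, variant, SAMPLE_KEYS)
        print("+".join(variant), "->", recovered[:4], "PE?", looks_like_pe(recovered))
```

If a real sample applies the layers in a different order, only the two variant lists change; the `looks_like_pe` check is the quickest way to tell a wrong order or wrong key from a correct peel.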

Scarred Manticore Campaign: LionTail Framework

Check Point Research published an article in late October detailing a Scarred Manticore campaign that leverages the LionTail framework, including the FoxShell Webshell/Backdoor, the Tunna Webshell, the SDD Backdoor, and the Wintapix loader. Support was added for all of the aforementioned components.

Havoc Framework

Havoc is an open-source C2 framework that threat actors are leveraging, as reported by Zscaler. We specifically focused support on variants of the Demon payload, including version 0.1 (unnamed), versions 0.3 (Hermit Purple) through 0.5 (Emperor), and the as-yet-unreleased version 0.6 (Hierophant Green).

Research on the Demon agent (and the associated open-source KaynLdr, which is also found in the Havoc framework package) led to the identification of the open-source Harriet Crypter, the KsNeck Crypter (named by CT from portions of its PDB path), the open-source NimPlant Agent, and the open-source CoffeeLdr.

The Harriet Crypter contains an embedded component that is AES-CBC decrypted with a key derived through the CryptDeriveKey API from a SHA256 hash.

The KsNeck Crypter deobfuscates an embedded component in 32-byte blocks using a different single-byte key for each block.
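A decoder for the block scheme just described, added here as an example and not KsNeck's own code: the embedded component is processed in 32-byte blocks with one single-byte key per block. The notes only say "deobfuscates", so the per-block operation is assumed to be XOR. The script also shows the analyst-side heuristic of recovering each block's key from its most frequent byte; that heuristic is a constructed illustration, not the crypter's key schedule, and it only works on blocks dominated by zero padding (typical of PE headers and section slack), so the sample payload is built that way.

```python
"""Added example: per-block single-byte deobfuscation in the style the
release notes describe for KsNeck (32-byte blocks, one key byte per block).
Assumption: the per-block operation is XOR; the notes only say 'deobfuscates'."""
from collections import Counter

BLOCK_SIZE = 32


def _blocks(data: bytes):
    """Yield (block index, block bytes); the last block may be short."""
    for off in range(0, len(data), BLOCK_SIZE):
        yield off // BLOCK_SIZE, data[off:off + BLOCK_SIZE]


def deobfuscate(blob: bytes, block_keys: list) -> bytes:
    """XOR every 32-byte block with its own key byte (assumed operation).
    block_keys is indexed by block number and wraps around if shorter than
    the number of blocks, so a trailing partial block needs no special case."""
    if not block_keys:
        raise ValueError("need at least one block key")
    out = bytearray()
    for idx, block in _blocks(blob):
        k = block_keys[idx % len(block_keys)]
        out.extend(b ^ k for b in block)
    return bytes(out)


# XOR is an involution, so building a sample is the same operation.
obfuscate = deobfuscate


def guess_block_keys(blob: bytes) -> list:
    """Analyst heuristic (not the crypter's own logic): if a block of the
    original payload is mostly 0x00 (PE headers, section padding), the most
    frequent byte of the obfuscated block is 0x00 ^ key == key."""
    return [Counter(block).most_common(1)[0][0] for _, block in _blocks(blob)]


# Constructed sample (not real KsNeck data): zero-heavy 32-byte blocks that
# mimic a PE header, plus a short trailing block to exercise the edge case.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16
    + b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 20
    + b"\x00" * 28 + b"\x80\x00\x00\x00"
    + b"PE\x00\x00\x64\x86" + b"\x00" * 4  # partial last block (10 bytes)
)
SAMPLE_KEYS = [0x5A, 0x13, 0xC7, 0x00]  # one key per block; 0x00 leaves a block unchanged


def build_sample() -> bytes:
    """Obfuscate the constructed payload with the constructed per-block keys."""
    return obfuscate(SAMPLE_PAYLOAD, SAMPLE_KEYS)


if __name__ == "__main__":
    blob = build_sample()
    keys = guess_block_keys(blob)
    print("guessed keys:", [hex(k) for k in keys])
    print("recovered:", deobfuscate(blob, keys)[:4])
```

On a real sample the key bytes come from the crypter's own key table; the frequency guess is only a fallback for blocks where that table is unavailable, and it will be wrong for blocks with no dominant byte (compressed or encrypted sections).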

CoffeeLdr is a loader for Cobalt Strike Beacon Object Files and does not contain an embedded configuration, so no ACCE module was added for it.
