This release consists of the following:
- Dosia Toolkit
- Saw RAT
- LambLoad malware
- BianLian Installer, Backdoor, and Ransomware
- Mystic Stealer
- Eternity Miner
- Clean Crypter (CT-named malware)
- Argyle Crypter variant
- Babel Obfuscated variant of Agent Tesla
- Tofsee Implant
- RedLine Stealer variant which decrypts strings using the AES-CBC cipher
- Rhadamanthys Loader variant
- Agent Racoon malware
- Ntospy malware
Dosia, also referred to as DDOSIA, is a toolkit reported to be leveraged by Russian hacktivist(s) called NoName057(16) to conduct DDoS operations. We added ACCE support to handle what we refer to as the AppConfig, BackendLink, and InitConfig variants, of which each store configuration settings differently.
- Dosia (AppConfig): 116ff8c13afee6f906be41ec4b4833ea
- Dosia (BackendLink): e7fdb4cf394518e5f52389c7670eb137
- Dosia (InitConfig): 13802ced91f97122e3bc230474c17fec
Cyble recently published research on a new RAT written in Java and distributed as a JAR archive, which they call Saw RAT. All configuration settings, including c2 commands, are stored as constant fields in the saw.chain/utils/MConstants.class file of the JAR archive. The ACCE module for Saw RAT extracts the constants from this file in the JAR archive and reports the configuration accordingly.
- Saw RAT: 15957e06aead7d907972842d803f6471
Microsoft published research on activity by threat actor Diamond Sleet (ZINC), involving the usage of LambLoad malware, including a “fake” PNG container that contains an encrypted LambLoad implant. Specifically, the last data chunk of the PNG before the IEND chunk is invalid, and all the data from that offset until the IEND chunk is XOR+SUB encrypted.
During execution, the LambLoad downloader will download the PNG and decrypt the LambLoad implant from within it for execution using hard-coded offsets. The ACCE module for the PNG container dynamically determines the offset of the encrypted payload and decrypts it accordingly to extract the LambLoad implant and subsequently report C2 urls.
- LambLoad Downloader: 575ebf994b75d091e8df381cce992aaa
- LambLoad PNG + Implant: fbcbfe33cc9d29566ce2c0a4021b54fb
According to research by ZScaler and InQuest, Mystic Stealer is an information stealer that has been sold in underground markets since April 2023. Configuration data in Mystic Stealer is encrypted using the TEA algorithm in little-endian. Early versions of Mystic stealer stored its configuration as C2 socket addresses, while newer versions store the configuration as URLs.
- Mystic Stealer: 2438343a7ba217b87b3bfbddaf8a99f9
- Mystic Stealer (URL): 3c64b52faea5d6af7d78f5dc36acaaf1
While researching Mystic Stealer, we identified the usage of a Crypter which uses a varying number of arithmetic operations (add, sub, and XOR), with varying keys, to decrypt an embedded payload and inject it into a newly launched instance of C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe. In the initial set of Crypter samples we analyzed, most contained “Clean.pdb” in their PDB path, and we named it Clean Crypter accordingly.
While early versions of Clean Crypter stored the injection process in plaintext, newer versions are XOR decrypting the string on the stack. Additionally, early versions used the standard MurmurHash2 algorithm for API resolution, while newer versions use MurmurHash2 with a non-standard mixing constant.
Other payloads for Clean Crypter we have observed include BlueStealer, Poverty Stealer, RedLine Stealer, Lumma Stealer, RisePro Loader, SmokeLoader, and Eternity Miner.
- Clean Crypter + Eternity Miner: 3f69058c8f3677d149bacdc33658c116
- Clean Crypter + Lumma Stealer: 5dba8b2e8d55ddd234b8c7df530b15fb
We initially discovered Argyle Crypter when researching Rhadamanthys loader in February 2023. The newer version uses a static string as the RC4 key for the embedded payload, while the original samples dynamically loaded the key “ntdll.dll” by iterating imported library names.
- Argyle Crypter + Mystic Stealer: 54f5a88e40b41b5d088d6dda06295b4e
Rhadamanthys Loader Variant
When conducting research on HijackLoader (IDAT Loader) in October, we identified some of the payloads as containing a new loading sequence of Rhadamanthys. Most notably, we identified a new FS format (in comparison to research by Hasherezade with CheckPoint Research) which contained the XS formatted data in a segment named 0xbf0e967b.
The encrypted data used to form the FS formatted component was observed to be stored in three separate segments. The first segment is constructed on the stack across multiple functions. The second segment is formed from the hexadecimal characters from GUID strings in the .rdata PE segment. The final segment is deobfuscated from a contiguous buffer.
In addition to the compressed/encrypted XS component, the FS component contains custom bytecode which it uses to perform at least API resolution and decryption/decompression of the component.
- Rhadamanthys Loader: 014b6d7fd900989ef6cbac0aaddf7026