This release consists of the following:
- NineRAT malware
- BottomLoader Downloader
- DLRAT malware
- HazyLoad malware
- Babel-obfuscated variant of Laplas Clipper
- OracleIV malware
- Dave Crypter variant
- QakBot variant which uses AES-CBC
- Brute Ratel C4 Injector variant
- PikaBot Injector variant
- TitanLdr open-source loader
- NextCry ransomware
- Black KingDom ransomware
- SugarGh0st implant
- onJS malware (CT-named malware)
Lazarus DLang malware
Cisco Talos published research on Operation Blacksmith, performed by the Lazarus threat actor and involving malware written in DLang. The operation included malware families NineRAT, BottomLoader, DLRAT, and HazyLoad.
Support was added for all identified components:
- NineRAT Dropper: 96d98c83daf368066efe3dd41a0dc622
- BottomLoader Downloader: f8f7eced1411d76e2a0319151ecf80b7
- DLRAT: 9846e2e45000984719804ec2236405bd
- HazyLoad: 19a05a559b0c478f3049cd414300a340
Cado Security reported on OracleIV, Python malware compiled into an ELF executable and distributed via malicious Docker containers. We added an ACCE module that reports the User-Agent string and obtains and reports the C2 socket address.
- OracleIV: 14b2f5f81e2542fdcc059f690e25c279
In late December 2023, Intrinsec tweeted about a QakBot variant being distributed using a Dave Crypter variant. While previous variants of QakBot encrypted the configuration using the RC4 algorithm (with a SHA1 verification hash), the new variant was observed to use AES-CBC encryption with a SHA256 verification hash.
Unlike in previous versions, the Dave Crypter variant was observed to construct the XOR key for loader decryption on the stack. While researching additional samples of this variant we identified a Brute Ratel C4 variant and a PikaBot injector variant.
In previous versions of the PikaBot injector, the resources containing PNG images with encrypted chunks were contiguous, which made it easy to reconstruct the encrypted binary for RC4 or AES decryption. The observed variant does NOT use contiguous resources, so the correct chunk order has to be recovered from the obfuscated code.
- MSI + Dave Crypter + QakBot: 82b8bd90e500fb0bf878d6f430c5abec
- Dave Crypter + PikaBot: 162c76ae4b1a49fc2c43a8cfcc00f2e0
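The QakBot change described above (RC4 with a SHA1 verification hash replaced by AES-CBC with a SHA256 verification hash) is the kind of difference a configuration extractor must handle for both variants. The following Go program is an added example written for this page; it is not ACCE code and not derived from any sample. It models both schemes side by side and shows a try-new-then-fall-back extractor. Every key-derivation detail is an assumption for illustration: the RC4 key is taken as SHA1 of a seed string, the AES key as SHA256 of a seed string, the IV as the first 16 bytes of the blob, and PKCS#7 padding; the seed strings and the config text are constructed, not recovered from malware.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rc4"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed seed strings standing in for whatever hardcoded values an
// analyst recovers from a sample (hypothetical, not from any real build).
const (
	legacyKeySeed = "example-legacy-seed"
	newKeySeed    = "example-aes-seed"
)

// decryptLegacyConfig models the older scheme: RC4 over the whole blob,
// then the first 20 plaintext bytes must equal SHA1 of the remainder.
// Assumption: RC4 key = SHA1(seed).
func decryptLegacyConfig(blob []byte, keySeed string) ([]byte, error) {
	key := sha1.Sum([]byte(keySeed))
	c, err := rc4.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(blob))
	c.XORKeyStream(plain, blob)
	if len(plain) < sha1.Size {
		return nil, errors.New("blob too short for a SHA1 header")
	}
	got := sha1.Sum(plain[sha1.Size:])
	if !bytes.Equal(plain[:sha1.Size], got[:]) {
		return nil, errors.New("SHA1 verification failed: wrong key or not a legacy config")
	}
	return plain[sha1.Size:], nil
}

// decryptAESConfig models the newer scheme: AES-CBC, with SHA256 of the
// config in the first 32 plaintext bytes. Assumptions: key = SHA256(seed),
// IV = first 16 bytes of the blob, PKCS#7 padding.
func decryptAESConfig(blob []byte, keySeed string) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob length is not a multiple of the AES block size")
	}
	key := sha256.Sum256([]byte(keySeed))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	if plain, err = unpadPKCS7(plain); err != nil {
		return nil, err
	}
	if len(plain) < sha256.Size {
		return nil, errors.New("plaintext too short for a SHA256 header")
	}
	got := sha256.Sum256(plain[sha256.Size:])
	if !bytes.Equal(plain[:sha256.Size], got[:]) {
		return nil, errors.New("SHA256 verification failed: wrong key or not an AES config")
	}
	return plain[sha256.Size:], nil
}

// unpadPKCS7 strips and validates PKCS#7 padding; a bad key usually
// surfaces here before the hash check is even reached.
func unpadPKCS7(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// identifyAndDecrypt is the extractor entry point: try the AES-CBC/SHA256
// layout first, then fall back to RC4/SHA1, and report which one matched.
func identifyAndDecrypt(blob []byte) (string, []byte, error) {
	if cfg, err := decryptAESConfig(blob, newKeySeed); err == nil {
		return "aes-cbc/sha256", cfg, nil
	}
	if cfg, err := decryptLegacyConfig(blob, legacyKeySeed); err == nil {
		return "rc4/sha1", cfg, nil
	}
	return "", nil, errors.New("no known configuration scheme matched")
}

// buildLegacyBlob and buildAESBlob construct test material in the two
// layouts so the example runs offline; they are not malware routines.
func buildLegacyBlob(config []byte, keySeed string) []byte {
	h := sha1.Sum(config)
	plain := append(h[:], config...)
	key := sha1.Sum([]byte(keySeed))
	c, _ := rc4.NewCipher(key[:])
	out := make([]byte, len(plain))
	c.XORKeyStream(out, plain)
	return out
}

func buildAESBlob(config []byte, keySeed string, iv []byte) []byte {
	h := sha256.Sum256(config)
	plain := append(h[:], config...)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	key := sha256.Sum256([]byte(keySeed))
	block, _ := aes.NewCipher(key[:])
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return append(append([]byte{}, iv...), out...)
}

func main() {
	cfg := []byte("10=constructed\n3=sample") // constructed config text
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	for _, blob := range [][]byte{buildAESBlob(cfg, newKeySeed, iv), buildLegacyBlob(cfg, legacyKeySeed)} {
		scheme, out, err := identifyAndDecrypt(blob)
		fmt.Printf("scheme=%s err=%v config=%q\n", scheme, err, out)
	}
}
```

The hash-header check is what makes the fallback safe: decrypting with the wrong scheme or key produces garbage whose padding or hash does not verify, so the extractor never reports a false configuration. When a new variant appears, the usual first step is to confirm which hash size sits in front of the decrypted data (20 bytes for SHA1, 32 for SHA256) and adjust the check accordingly.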