This release consists of the following:
- OceanMap malware
- MasePie malware
- GuLoader packer variant
- Medusa gaze ransomware
- PyInstaller malware support
- Cryptonite ransomware
- Shellcode_Loader malware
- Luna Grabber malware
- pyImpossibleObf Python Obfuscator
- Vare Loader and Stealer
- SmallSieve Backdoor
- LodeInfo Macros and Downloader
- RisePro Stealer (C#)
- RoboSki Crypter (Split-Param Variant)
- Hornet Stealer
- AllaKore Implant configured with multiple addresses
- Kaje Downloader (CT named malware)
- DarkGate MSI+AutoIt Loader and v6.1.6 implant
- DBatLoader Packer and Downloader variants
CERT-UA published research on an APT28 attack from mid-December 2023, including the MasePie downloader and implant, and the OceanMap backdoor (written in C#).
The ACCE modules for MasePie support extracting the download URLs from the LNK downloader, and the C2 socket address from the Python implant.
The OceanMap backdoor module obtains and reports the C2 socket addresses and network credentials.
- MasePie Downloader: 75acdddd5ccc7fce5133b12b4140ee15
- MasePie Implant: 47f4b4d8f95a7e842691120c66309d5b
- OceanMap Backdoor: 5db75e816b4cef5cc457f0c9e3fc4100
Medusa gaze Ransomware
Palo Alto’s Unit 42 published an article on Medusa gaze Ransomware earlier this month, describing an escalation in activity from the threat actor. As their reporting noted, strings are XOR decrypted after being loaded onto the stack from a separate function, which can make decryption of the strings tedious. The ACCE module for the ransomware decrypts all strings using DC3’s Dragodis framework and rugosa library. It additionally decrypts the ransom note, reporting embedded information including URLs, email addresses, and the Tox ID.
- Medusa gaze: 8cd11f34d817a99e4972641caf07951e
Continuing from our last update, we added modules for the various PyInstaller malware listed above. The usage of pyImpossibleObf to protect the Vare malware resulted in the addition of a few modules to support the obfuscation. Research on Luna Grabber revealed widespread usage and recent uploads to VirusTotal; starting from the one sample reported by ReversingLabs, we identified a few hundred additional samples.
- pyImpossibleObf + Vare: 58c3b9974a9e8fc06db3404bdf0ac200
- Luna Grabber: 78edf6b1eab9b2648eac0f1980f0c052
- Small Sieve: 5763530f25ed0ec08fb26a30c04009f1
ITOCHU published research on file-less malware LodeInfo versions from 2023 into 2024, including information about updated Macro deployments, downloaders, and DLL side-loading of the backdoor.
The MSO Macros contain 32- and 64-bit versions of the downloader shellcode, and the reported variants decode the shellcode using either Base64 or XOR algorithms. In both variants, the encoded shellcode is split among numerous functions, either as an array of bytes or as a string, and combined in a reference function prior to decoding and execution in memory. Support was added for both variants.
As reported by ITOCHU, some variants of the downloader derive an AES-CBC key for decryption of the downloaded component. For those variants, the ACCE module derives the key, and for all variants the download URL(s) are XOR decrypted for reporting.
The LodeInfo backdoor functions similarly to already supported variants, the major differences being the change in the API hashing algorithm (from CRC32 to the custom algorithm described by ITOCHU), and the usage of a Vigenere cipher for network decryption. The LodeInfo backdoor module was updated to report the network decryption parameters.
- MSO (XOR) + LodeInfo Downloader: 69dd7fd355d79db0325816569ae2129a
- MSO (Base64) + LodeInfo Downloader: 9598b2af9dd1493dd213dbca56912af4
- XOR Encrypted LodeInfo Backdoor: 60dea5b5f889f37f5a9196e040bce0eb
RisePro Stealer (C#)
After adding support for the RisePro loader in October, we saw that Any.Run published research on additional RisePro modules, including a stealer written in C# and obfuscated using ConfuserEx. Interestingly, the configuration parameters are Base64 encoded and stored in a PE resource (as opposed to a .NET resource) and loaded at runtime. The ACCE module decodes and reports the configuration, then identifies where the default configuration settings are stored in order to report the RisePro version.
- RisePro Stealer: 4dcab04a5ad3cdf32bc42bf8c49451c8
X (formerly known as Twitter) user @spamhaus started a thread about a Go-based stealer dubbed Hornet, which decrypts strings using the Fernet algorithm. Using the information presented in the thread, we obtained a Hornet sample from VirusTotal and added a module to decrypt strings and report a C2 socket address and AES-GCM network key.
- Hornet Stealer: ea11fd0069cd6f0d64c2aae18865dd1b
BlackBerry published research on a modified version of the open-source AllaKore implant being used against Mexican banks, specifically using an MSI to deploy a .NET compiled downloader to retrieve and run the AllaKore implant.
The downloader was unnamed in reporting, and we are calling it Kaje based upon the filename used for the initial downloaded component “Kaje.zip”.
With the exception of one sample, existing ACCE support for AllaKore handled all of the samples from the BlackBerry report. AllaKore is typically configured with a single C2 address and port, while the outlier sample was configured with two C2 addresses. The AllaKore module was updated to support this variant.
- MSI + Kaje Downloader: 2a49d542949b12223e3867bc3f75c4c6
- AllaKore Implant: e87419ef4cd803d1398207af21b39f0e
Over the past month, various outlets have reported on an updated DarkGate infection chain involving a parent MSI file and AutoIt, including Splunk, VMRay, and S2W Lab. During that time, X user @spamhaus posted that DarkGate had deployed a new version, v6.1.6, which uses a new method of decrypting configuration data. The configuration data is decrypted using a custom XOR algorithm, represented using the Python code below.
```python
def darkgate_xor(data: bytes, key: bytes) -> bytes:
    key_index = 0
    key_size = len(key)
    decrypted = bytearray()
    for datum in data:
        key_byte = key[key_index]
        decrypted.append((datum ^ key_byte) & 0xff)
        # The next key index is derived from the key byte that was just used
        key_index = (key_byte + key_index) % key_size
        # Index 0 is never revisited; wrap to the last key byte instead
        if not key_index:
            key_index = key_size - 1
    return bytes(decrypted)
```
The algorithm contains a weakness where it can degenerate into a single-byte XOR algorithm. This occurs when the value of the key at a specific index is a multiple of the length of the key. More complex degenerate cases also exist where the algorithm can iterate through a small subset of the full XOR key.
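As an added illustration (not code from the original write-up or from ACCE), the helpers below walk the key-index schedule of the routine above to show which key positions a given key can ever use and whether the schedule gets stuck on one byte; the keys are constructed values, not values taken from a sample.

```python
from typing import List, Optional

def darkgate_xor(data: bytes, key: bytes) -> bytes:
    """DarkGate v6.1.6 configuration XOR, as described in the write-up above."""
    key_index = 0
    key_size = len(key)
    out = bytearray()
    for datum in data:
        key_byte = key[key_index]
        out.append((datum ^ key_byte) & 0xFF)
        key_index = (key_byte + key_index) % key_size
        if not key_index:  # index 0 is never revisited; wrap to the last byte
            key_index = key_size - 1
    return bytes(out)

def next_key_index(key: bytes, key_index: int) -> int:
    """One step of the key schedule: the position of the next key byte read."""
    key_index = (key[key_index] + key_index) % len(key)
    return key_index if key_index else len(key) - 1

def reachable_key_indices(key: bytes) -> List[int]:
    """Key positions the schedule can ever use (walk from 0 until it repeats)."""
    seen: List[int] = []
    key_index = 0
    while key_index not in seen:
        seen.append(key_index)
        key_index = next_key_index(key, key_index)
    return seen

def stuck_key_index(key: bytes) -> Optional[int]:
    """Index at which the schedule stops moving, or None if it keeps cycling
    through several key bytes. A stuck index means single-byte XOR."""
    for idx in reachable_key_indices(key):
        if next_key_index(key, idx) == idx:
            return idx
    return None

if __name__ == "__main__":
    # Constructed keys, not values from a real sample. key[1] == 8 is a
    # multiple of len(key) == 4, so the schedule is stuck at index 1.
    weak_key = b"\x05\x08\x07\x09"
    strong_key = b"\x01\x01\x01\x02"
    print(reachable_key_indices(weak_key), stuck_key_index(weak_key))      # [0, 1] 1
    print(reachable_key_indices(strong_key), stuck_key_index(strong_key))  # [0, 1, 2, 3] None
    print(darkgate_xor(b"\x00" * 8, weak_key).hex())  # 0508080808080808
```

The wrap-to-last-byte rule creates a second stuck case the paragraph above does not mention: a key whose last byte is 1 modulo the key length also pins the schedule to the final position.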
Following the thread from @spamhaus, we identified a few MSI + AutoIt infection chains which ultimately deployed DarkGate v6.1.6, and we updated ACCE support accordingly.
In addition to a new decryption algorithm, we observed the following changes for the DarkGate configuration:
- A list of C2 addresses can now be found directly in the configuration settings. In previous versions the C2 URLs were stored separately.
- The usage of each configuration key has changed from what has previously been reported as seen below. Any keys not present were not observed in the analyzed samples.
| Configuration key usage |
| --- |
| C2 address listing |
| Virtual Machine detection |
| Minimum disk storage check |
| Virtual Machine detection (Same as 3) |
| Minimum RAM size check |
| Display message box |
| Message box caption |
| Message box text |
| String (Base64 encoded) |
| Minimum disk storage value |
| Minimum RAM size value |
| Stager constant (egg, XOR key) |
| Alphabet for test.txt, used by AutoIt script to run and extract component |
- MSI + AutoIt + DarkGate: 8620964386571932fe13b8eb27644588