ACCE Release Notes v2.5.20240201

Release Notes

This release consists of the following:

  • OceanMap malware
  • MasePie malware
  • GuLoader packer variant
  • Medusa gaze ransomware
  • PyInstaller malware support
    • Cryptonite ransomware
    • Shellcode_Loader malware
    • Luna Grabber malware
    • pyImpossibleObf Python Obfuscator
    • Vare Loader and Stealer
    • SmallSieve Backdoor
  • LodeInfo Macros and Downloader
  • RisePro Stealer (C#)
  • RoboSki Crypter (Split-Param Variant)
  • Hornet Stealer
  • AllaKore Implant configured with multiple addresses
  • Kaje Downloader (CT named malware)
  • DarkGate MSI+AutoIt Loader and v6.1.6 implant
  • DBatLoader Packer and Downloader variants

APT28 Malware

CERT-UA published research on an APT28 attack from mid-December 2023, including the MasePie downloader and implant, and the OceanMap backdoor (written in C#).

The ACCE modules for MasePie support extracting the download URLs from the LNK downloader, and the C2 socket address from the Python implant.

The OceanMap backdoor module obtains and reports the C2 socket addresses and network credentials.

Medusa gaze Ransomware

Palo Alto’s Unit 42 published an article on Medusa gaze Ransomware earlier this month, describing an escalation in activity observed by the threat actor. As their reporting denoted, strings are XOR decrypted after being loaded onto the stack from a separate function, which can make decryption of the strings tedious. The ACCE module for the ransomware decrypts all strings using DC3’s Dragodis framework and rugosa library. It additionally decrypts the ransom note, reporting embedded information including URLs, email addresses, and the Tox ID.

PyInstaller Malware

Continuing from our last update, we added additional modules for various PyInstaller malware as denoted above. The usage of pyImpossibleObf to protect the Vare malware resulted in the addition of a few modules to support the obfuscation. Research on Luna Grabber revealed widespread usage and recent uploads to VirusTotal; starting from the one sample reported by ReversingLabs, we identified a few hundred additional samples.


ITOCHU published research on file-less malware LodeInfo versions from 2023 into 2024, including information about updated Macro deployments, downloaders, and DLL side-loading of the backdoor.

The MSO Macros contain 32 and 64-bit versions of the downloader shellcode, and the reported variants decode the shellcode using either Base64 or XOR algorithms. In both variants, the encoded shellcode is split among numerous functions, either as an array of bytes or as a string, and combined in a reference function prior to decoding and execution in memory. Support was added for both variants.

As reported by ITOCHU, some variants of the downloader derive an AES-CBC key for decryption of the downloaded component. For those variants, the ACCE module derives the key, and for all variants the download URL(s) are XOR decrypted for reporting.

The LodeInfo backdoor functions similarly to already supported variants, the major differences being the change in the API hashing algorithm (from CRC32 to the custom algorithm described by ITOCHU), and the usage of a Vigenere cipher for network decryption. The LodeInfo backdoor module was updated to report the network decryption parameters.

RisePro Stealer (C#)

After adding support for RisePro loader in October, we saw that Any.Run published research on additional RisePro modules, including a stealer written in C# and obfuscated using ConfuserEx. Interestingly, the configuration parameters are Base64 encoded and stored in a PE resource (as opposed to a .NET resource) and loaded during runtime. The ACCE module decodes and reports the configuration, then identifies where the default configuration settings are stored to report the RisePro version.

Hornet Stealer

X (formerly known as Twitter) user @spamhaus started a thread about a Go-based stealer dubbed Hornet, which decrypts strings using the Fernet algorithm. Using the information presented in the thread, we obtained a Hornet sample from VirusTotal and added a module to decrypt strings and report a C2 socket address and AES-GCM network key.


BlackBerry published research on a modified version of the open-source AllaKore implant being used against Mexican banks, specifically using an MSI to deploy a .NET compiled downloader to retrieve and run the AllaKore implant.

The downloader was unnamed in reporting, and we are calling it Kaje based upon the filename used for the initial downloaded component “”.

With the exception of one sample, existing ACCE support for AllaKore handled all of the samples from the BlackBerry report. AllaKore is typically configured with a single C2 address and port, while the outlier sample was configured with two C2 addresses. The AllaKore module was updated to support this variant.


Over the past month, various outlets have reported on an updated DarkGate infection chain involving a parent MSI file and AutoIt, including Splunk, VMRay, and S2W Lab. During that time, X user @spamhaus posted that DarkGate had deployed a new version, v6.1.6, which uses a new method of decrypting configuration data. The configuration data is decrypted using a custom XOR algorithm, represented using the Python code below.

def darkgate_xor(data: bytes, key: bytes) -> bytes:
	key_index = 0
	key_size = len(key)
	decrypted = bytearray()
	for datum in data:
		key_byte = key[key_index]
		decrypted.append((datum ^ key_byte) & 0xff)
		key_index = (key_byte + key_index) % key_size
		if not key_index:
			key_index = key_size - 1
	return bytes(decrypted)

The algorithm contains a weakness where it can degenerate into a single-byte XOR algorithm. This occurs when the value of the key at a specific index is a multiple of the length of the key.  More complex degenerate cases also exist where the algorithm can iterate through a small subset of the full XOR key.

Following the thread from @spamhaus, we identified a few MSI + AutoIt infection chains which ultimately deployed DarkGate v6.1.6, and we updated ACCE support accordingly.

In addition to a new decryption algorithm, we observed the following changes for the DarkGate configuration:

  • A list of C2 addresses can now be found directly in the configuration settings. In previous versions the C2 URLs were stored separately.
  • The usage of each configuration key has changed from what has previously been reported as seen below. Any keys not present were not observed in the analyzed samples.
0C2 address listingString
3Virtual Machine detectionBoolean
4Minimum disk storage checkBoolean
5Server detectionBoolean
6Virtual Machine detection (Same as 3)Boolean
7Minimum RAM size checkBoolean
8Display message boxBoolean
11Message box captionString
12Message box textString (Base64 encoded)
18Minimum disk storage valueInteger
19Minimum RAM size valueInteger
27Stager constant (egg, XOR key)String
tablaAlphabet for test.txt, used by AutoIt script to run and extract componentString
Posted in Uncategorized and tagged , .