ACCE Release Notes v2.5.20240418

This release consists of the following:

• FalseFont backdoor
• Jasmin Ransomware, including customized loader and library
• Dot Stealer
• Millenium RAT
• StealBit malware
• Grixba Stealer
• SystemBC Implant
• Ghostly Stealer
• Creal Stealer
• 927 Stealer (derivative of Creal Stealer)
• Koi malware (Crypter, Implant, Loader, and Stealer)
• Xeno RAT (including ModC, ConfuserEx, and YAO obfuscated versions)
• EagleMonitorRAT
• YetAnotherObfuscator (YAO) obfuscated variants of the following malware:
  • Lime Crypter
  • AsyncRAT
  • DcRat
  • Umbral Stealer
  • Radx RAT
  • projesSLN Downloader (CT named malware)
• PackLab Crypter
• Xehook Stealer
• Clean Crypter variant
• BroomStick (aka CleanUp, Oyster) malware
• Strela Crypter and Stealer

Dot Stealer

In mid-January and early April, X user @suyog41 posted hashes for Dot Stealer, which according to a GitHub page, is being sold at $25 for a lifetime license. We identified two versions of Dot Stealer; one in which configuration is rot13 encoded in the overlay data, and the other in which configuration is internally loaded in a class.

While researching Dot Stealer, we identified the same rot13 configuration loading technique in the open-source Millenium-RAT, which contains a link to the Dot Stealer GitHub page.

• Dot Stealer (Rot13): 36e9ce869ad1e8383b16579af31ed34e
• Dot Stealer: 972019b2bcc63510fa657cd1d1957748
• Millenium RAT (Rot13): 0c02e78018509d4db0055c114518b21d
• Millenium RAT: 515f2241a1753c1c1fceb254f22d0884

Ghostly Stealer

Following another post from @suyog41, we conducted research on Ghostly Stealer, a PyInstaller packaged Python stealer. Ghostly uses Telegram for data exfiltration where the parser reports the Telegram parameters, an archive password, and blacklisted anti-analysis parameters.

While researching related samples, we identified code overlap with the open-source Creal Stealer, which uses a Discord webhook for exfiltration. We added support for Creal and identified an additional derivative stealer called 927 Stealer.

• Ghostly Stealer (pyc): f54b9d7057b970580b09496095a5e0a9
• Ghostly Stealer: e5d2b68084012977d2e8b7ca62c162d8
• Creal Stealer (pyc): 6d9f700cdd9e60381a8347fc3dd460ac
• 927 Stealer (pyc): cef29fc9f2a73430021a1c83c758dc5c

Koi Malware

In March 2023, an independent researcher posted an article related to MaaS and NullMixer, where they describe the “Koi” loader/stealer, based on the .NET module name “koi” for the dumped stealer. According to ConfuserEx source code, “koi” is the module name assigned to any module protected using the ConfuserEx Crypter (Protector). In the samples posted within the article, there is a PowerShell script (Koi Loader) which runs a ConfuserEx Crypter, which loads a Koi Stealer module.

In mid-January 2024, Cyble posted about a new, incorrectly identified, AZORult implant, which uses the same runtime schema as described above for Koi. eSentire addresses the misidentification as AZORult and posted additional information about the Koi infection chain.

In early April, Palo Alto’s Unit42 posted additional Koi IOCs, where the Koi Loader is the same, but the next layer is no longer a ConfuserEx Protected Koi Stealer, but is instead an Obfuscar-obfuscated Koi Stealer. One of the samples in their post, 97b7cf5bf4cadde3bd8745e3347bb9707a43cb816f21a062eaf3010b6768a551, is a skip-XOR crypter for an embedded implant, which downloads and runs the Koi loader and uses the same unique anti-analysis techniques as the Koi Stealer (described by eSentire in their article). We identified 18 total crypters, all containing the same implant, and identify these in ACCE as Koi Crypters and Implants, respectively.

• Koi Loader + Stealer: 9e99467272b59f3c9909b8048b7f2ca5
• Koi Loader + Stealer (Obfuscar): 26e3de166d7386ef9f10f97da326c756
• Koi Crypter + Implant: 13b4c5dff00cf1ea8a635743903e387f

XenoRAT

After posting about the ModC obfuscator in our release notes last month, threat researcher @R3MRUM shared the hash for a ModC-obfuscated sample of the open-source Xeno RAT. We added support for Xeno RAT, and while searching for additional samples, identified ConfuserEx and YetAnotherObfuscator obfuscated versions.

YetAnotherObfuscator (YAO) Base64 decodes and TDES-ECB decrypts strings during runtime. Further research indicated its usage has been fairly widespread. For the related malware families listed above, RadX Rat and projesSLN Downloader (named for it’s PDB path) are new.

• Xeno RAT: 0b4ced1e11fac0306ee8d9411aea4219
• Xeno RAT (ModC Obfuscated): 5521adc376cd6859604c8a88bdd66191
• Xeno RAT (YAO Obfuscated): 588362c659a6cbdb7851a42ef7c83cab
• RadX Rat (YAO Obfuscated): 301110052d2ad1104def4438b6e2aa2e
• projesSLN Downloader (YAO Obfuscated): bf64fc9b20ce446023b73fb58b2e1ca1

PackLab Crypter

Researcher @g0njxa recently posted an article about Ghostbusters, a “traffer team specialized at working with infostealers.” The researcher linked a sample they built using Ghostbusters tooling, which was protected using PackLab Crypter.

While adding a module for PackLab and identifying payloads, we found samples of Xehook Stealer and added a new ACCE module for support. In addition to Xehook, payloads included 44 Caliber, Lumma, Raccoon, RedLine, StealC, and Vidar Stealers.

• PackLab + Xehook: 29cbcc8fca267a0d345765774d13165b
• PackLab + Raccoon: 3b242b11ee8b8edb411152fa1070cdd5