ACCE Release Notes v2.5.20240507

This release consists of the following:

  • SameCoin malware (Wiper, Loader, Spreader)
  • Kapeka (aka QueueSeed, KnuckleTouch, IcyWell, WrongSens) Dropper and Backdoor
  • Kryptina Ransomware
  • Yatak Dropper, Loader, and Injector (CT named malware)
  • ManWolf Crypter ConfuserEx obfuscated variant
  • Rhysida ransomware (PE, ELF, and PowerShell versions)
  • Tomb Packer (observed with BroomStick and Rhysida malware)
  • DuneQuixote downloader
  • Akira Megazord and Linux variants
  • Dracula loader and stealer
  • NewBot loader
  • ZLoader v2.X implants
  • ACR Stealer
  • Infinity Dropper, Loader, and Injector (CT named malware)
  • AdobeClipp Clipper
  • BindStub Dropper

Yatak Malware

In late March, Cyble published research regarding different delivery mechanisms being observed with WarzoneRAT. One of those delivery mechanisms involves the use of a PowerShell script that contains embedded, obfuscated components which are deobfuscated using string replacement and hex-decoding, while strings are deobfuscated using string replacement and converting from a bitstring.

We conducted research on this technique and identified an additional 20 samples of the loader, which we are calling Yatak based on a common variable across samples, which contained malware including Agent Tesla, AsyncRAT, FormBook, Remcos, and XWorm.

Tomb Packer

While working on BroomStick malware as part of the last release, we identified that some samples were packed using what appeared to be a modified version of UPX. That packer has since been named “Tomb” by IBM X-Force.

Prior to the decompression step in UPX, Tomb packer AES-CBC decrypts data using a key and IV derived using custom algorithms. While in UPX the decompression algorithm can be zlib, LZMA, or UCL-32, in Tomb the algorithm is only LZMA.

Following decompression, the unpacking process is the same as in standard UPX.

DuneQuixote

In mid-April Kaspersky posted research on the DuneQuixote campaign, including a downloader which uses it’s filename to derive an XOR key to decrypt the download URL. As noted by Kaspersky, this is an anti-analysis technique which will prevent exposure of the URL on automated systems, and generally requires the filename on disk in order to derive the key, which is the MD5 hash of the base filename and a hard-coded string.

In most cases the DuneQuixote ACCE module is able to recover the download URL, while otherwise providing the encrypted data and hard-coded portion of the seed until the filename can be obtained and added to an internal list.

Dracula

At the end of April, X user @g0njxa posted about a malware sample called Dracula Stealer. The sample itself is a loader for a Base64 encoded and Gzip compressed Donut Shellcode sample (Cruller v1.0), which contains the Dracula Stealer.

Both Dracula Loader and Stealer use a unique string obfuscation method, where each character in the string is stored as an integer, converted to a character using “ConvertFromUtf32”, and then concatenated together to form a string. X user @RussianPanda9xx pointed out a relationship with NewBot Loader, specifically the string obfuscation methodology, and we additionally added a module to report the NewBot download URL.

ACR Stealer

In April, SEKOIA.IO posted on X about ACR Stealer, an updated version of GrMsk Stealer sold by SheldIO. The ACCE module for ACR Stealer reports the dead-drop resolver URL and a user-agent string.

Among the IOCs posted by SEKOIA.IO, were obfuscated Batch scripts that concatenated and Base64 decoded a PowerShell script that reverses, Base64 decodes, and zlib decompresses a .NET compiled loader component. The loader component contains two XOR-encoded .NET resources and a delimited, Base64 encoded loader configuration string including a version, flags for anti-analysis settings, and installation parameters. The embedded components include an Injector and the payload.

After conducting further research on the dropper and loader, we identified ~100 additional samples with payloads including at least Agent Tesla, AsyncRAT, AZORult, njRAT, Eternity Stealer, and Rhadamanthys. Nearly all of the .NET-compiled loader samples had an internal filename of “infinity.exe” and we named the malware Infinity accordingly.

Posted in Uncategorized and tagged , .