ACCE Release Notes v2.9.20250602

This release consists of the following:

Armillaria Loader

In early May a sample was uploaded to VirusTotal which was detected as BumbleBee malware. Analysis of the sample indicates it is a new loader, which we are calling Armillaria, that was observed loading BumbleBee, ChuChuka Implant, Lumma Stealer, Stealc Stealer, WHT Downloader, and some of threat researcher Hasherezade’s open-source tools.

Armillaria employs anti-analysis techniques, including junk code that inflates the size of the entry function; this was observed to prevent a decompiler from analyzing the function. The loader also dynamically resolves APIs using a custom add-polynomial hashing algorithm, where:

As part of the loading sequence:

The initial payload is a Donut shellcode variant which uses Halo’s Gate to check whether Windows APIs are hooked, and whose configuration structure differs from the base repository and its various versions.

Samples:

ChuChuka Implant

One of the Armillaria payloads is an implant we are calling ChuChuka, based upon a screenshot directory that was consistent across the five (5) samples we observed. ChuChuka has keylogger, screenshot, and stealer capabilities (targeting browsers, Coinomi, Exodus, and Electrum). Network communications are RC4 encrypted; in response to the initial packet the server is expected to return the RC4 key, which completes the handshake. C2 commands were observed to contain at least the following: […]
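The Halo’s Gate check that the Armillaria section above attributes to the Donut payload, as an added example that is not code from this page or from Donut: it walks a constructed ntdll-like table of x64 syscall stubs (32 bytes apart, with the real `mov r10, rcx; mov eax, SSN` prologue bytes), flags a `jmp rel32` hook at offset 0 or 3, and recovers the hooked stub’s syscall number from the nearest unhooked neighbour. The stub bytes, hook positions and SSN values are constructed for the demo; on a live system the input is the export table of the mapped ntdll.dll.

```python
# Halo's Gate walk over a constructed ntdll-like stub table (added example, not
# Donut's or Armillaria's code). Real Hell's Gate / Halo's Gate reads the stubs
# from ntdll.dll mapped in the current process; here the bytes are built in memory.
from typing import Optional

STUB_SIZE = 32  # Nt*/Zw* syscall stubs in x64 ntdll are laid out 32 bytes apart

# Clean x64 stub prologue: mov r10, rcx ; mov eax, <imm32 SSN>
CLEAN_PROLOGUE = bytes.fromhex("4c8bd1b8")
# Shared stub body after the imm32: test byte ptr [7FFE0308h],1 ; jne ; syscall ; ret ; int 2Eh ; ret
CLEAN_TAIL = bytes.fromhex("f604250803fe7f01" "75030f05c3cd2ec3")


def build_clean_stub(ssn: int) -> bytes:
    """Return a 32-byte unhooked stub encoding the given syscall number."""
    body = CLEAN_PROLOGUE + ssn.to_bytes(4, "little") + CLEAN_TAIL
    return body.ljust(STUB_SIZE, b"\xcc")  # padding up to the next stub


def build_hooked_stub(hook_offset: int = 0) -> bytes:
    """Return a stub whose prologue was overwritten with an E9 rel32 jmp.
    hook_offset 0 replaces the whole prologue; 3 places the jmp after mov r10, rcx."""
    prefix = CLEAN_PROLOGUE[:hook_offset]      # bytes the hook left intact
    jmp = b"\xe9" + b"\x00\x00\x00\x00"         # rel32 target is irrelevant for detection
    return (prefix + jmp).ljust(STUB_SIZE, b"\xcc")


def hells_gate(stub: bytes) -> Optional[int]:
    """Hell's Gate: if the prologue is intact, read the SSN out of the mov eax imm32."""
    if stub[:4] == CLEAN_PROLOGUE and stub[6:8] == b"\x00\x00":
        return int.from_bytes(stub[4:8], "little")
    return None


def is_hooked(stub: bytes) -> bool:
    """A jmp rel32 at offset 0 or 3 is the inline-hook signature Halo's Gate looks for."""
    return stub[0] == 0xE9 or stub[3] == 0xE9


def halos_gate(table: bytes, index: int, max_distance: int = 16) -> Optional[int]:
    """Resolve the SSN of stub `index` even when hooked. Stubs are ordered by SSN,
    so a clean neighbour at +i carries SSN+i and one at -i carries SSN-i."""
    n_stubs = len(table) // STUB_SIZE

    def stub_at(i: int) -> bytes:
        return table[i * STUB_SIZE:(i + 1) * STUB_SIZE]

    direct = hells_gate(stub_at(index))
    if direct is not None:
        return direct
    if not is_hooked(stub_at(index)):
        return None  # corrupted in some other way; do not guess
    for dist in range(1, max_distance + 1):
        up = index + dist
        if up < n_stubs:
            ssn = hells_gate(stub_at(up))
            if ssn is not None:
                return ssn - dist
        down = index - dist
        if down >= 0:
            ssn = hells_gate(stub_at(down))
            if ssn is not None:
                return ssn + dist
    return None  # every neighbour within range is hooked as well


def build_table(ssns, hooked_indexes, hook_offset: int = 0) -> bytes:
    """Construct a contiguous stub table; stubs listed in hooked_indexes get hooked."""
    return b"".join(
        build_hooked_stub(hook_offset) if i in hooked_indexes else build_clean_stub(s)
        for i, s in enumerate(ssns)
    )


def demo() -> dict:
    """Constructed scenario: SSNs 0x18..0x1f, stubs 2 and 3 hooked after mov r10, rcx."""
    ssns = list(range(0x18, 0x20))
    table = build_table(ssns, hooked_indexes={2, 3}, hook_offset=3)
    return {i: halos_gate(table, i) for i in range(len(ssns))}


if __name__ == "__main__":
    for idx, ssn in demo().items():
        print(f"stub {idx}: SSN {ssn:#x}")
```

The neighbour search is what distinguishes Halo’s Gate from Hell’s Gate: a loader that only did the direct prologue check would fail on any stub an EDR has hooked, whereas the walk above recovers the number as long as one stub within `max_distance` is clean. A detection-side corollary is that hooking every stub in the region (or hooking below the prologue) defeats the heuristic.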

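An RC4 helper for working with the ChuChuka traffic described above, added here as an analyst’s tool and not code from this page or from the implant: it implements RC4 (key scheduling plus keystream generation), checks itself against the published "Key"/"Plaintext" test vector, and decrypts a captured session once the key carried in the server’s handshake reply has been extracted. The session key and messages are constructed. The page does not say how ChuChuka frames messages or whether the keystream restarts for each packet, so `keystream_reuse_leak` illustrates one common weak construction under that assumption rather than a property observed in the samples.

```python
# RC4 keystream generator and decrypt helper for RC4-protected C2 captures
# (added example). Everything below the cipher itself operates on constructed
# data; the framing of ChuChuka messages is not known from the page.
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 key-scheduling algorithm followed by the PRGA; yields keystream bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Published RC4 test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3
KNOWN_VECTOR = (b"Key", b"Plaintext", bytes.fromhex("bbf316e8d940af0ad3"))


def self_check() -> bool:
    """Confirm the implementation before trusting it on a capture."""
    key, pt, ct = KNOWN_VECTOR
    return rc4(key, pt) == ct and rc4(key, ct) == pt


def decrypt_session(session_key: bytes, captured: List[bytes]) -> List[bytes]:
    """Decrypt each captured message with the key recovered from the handshake reply.
    Assumption (not stated on the page): each message is a fresh RC4 stream under
    the same key, so every message is decrypted independently from keystream byte 0."""
    return [rc4(session_key, c) for c in captured]


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Analyst check for the construction assumed above: if two messages share a
    keystream prefix, c1 XOR c2 == p1 XOR p2 over the overlap, with no key needed."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


if __name__ == "__main__":
    assert self_check()
    # Constructed session: key as returned by the server, two later C2 messages.
    key = b"constructed-session-key"
    pcap_payloads = [rc4(key, b"screenshot\x00"), rc4(key, b"keylog\x00")]
    for plain in decrypt_session(key, pcap_payloads):
        print(plain)
```

Because the server hands the client the RC4 key in its handshake reply, anyone holding a full packet capture of a session has the key as well, so `decrypt_session` is all that is needed to read the rest of the conversation; the capture does not have to be replayed against live infrastructure.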