As we continue adding support to ACCE, we wanted to provide more information about where are efforts are being directed, and are starting a new series that will correspond with new ACCE releases, dubbed “Release Notes”.
Each post will describe what the new release consists of, in terms of new or updated support, and will typically include links to example results on our Research ACCE instance.
This release consists of the following:
- Added support for Ursnif LDR4 variant
- Added support for Aurora Stealer and OthersideMETA Dropper
- Updated support for DuckLogs Stealer
- Added support for Syncro RAT
- Continued kordesii conversions to dragodis/rugosa
Mandiant reported on a new Ursnif variant dubbed LDR4, for which we’ve added detection and support to report c2 urls, a missionid, a server key, and a RSA public key.
As part of this update, we also recategorized SPLCrypt and an IcedID XOR Container and Loader (RC4 + XOR-Sub + QuickLZ) as Hexa, based upon reporting by IBM. Hexa loaders were observed being used to load the LDR4 variant, mentioned above.
Examples for Hexa loading Ursnif LDR4:
SEKOIA.IO reported on a Golang stealer named Aurora. After developing some initial detection support for the 64-bit plaintext samples identified by SEKOIA.IO, we identified 32-bit samples and also several variants which used Sub+Base64 and Sub+Replace string decryption/obfuscation.
For each variant, a c2 socket address and missionid (BuildID) are reported. If additional parameters are available from a hard-coded configuration dictionary, which was observed to be cleared in a number of samples, the key/value pairs from that dictionary are reported.
Examples for Aurora:
- 64-bit Plaintext: 0fb09d2503b250064d1e6d54178b715f
- 32-bit Plaintext: 72b6bbf21a8799ca2800e3eb8a7df35e
- 64-bit Sub+Replace: 941f5bd2ec939e4be3d11a83e046d2f5
- 32-bit Sub+Base64: 0eb911dec37fa01a74037374294ab3d8
As part of this research, we also identified a .NET dropper we’ve dubbed OthersideMETA, based upon its System.Reflection.AssemblyTitleAttribute and System.Reflection.AssemblyDescriptionAttribute. The filepath is reported and the embedded component is dispatched for further analysis.
Example for OthersideMETA:
- OthersideMeta Dropper: 8530d941140b91df2ddfeb8d0e9cc18e
We had initially added support for DuckLogs stealer, described by Cyble back in August, but observed some variants which used a new configuration prefix.
Like other recent .NET stealers, DuckLogs borrows code from other malware authors, including one we call StringsCrypt, which we’ve observed in Blitzed, Moon, Stealerium, StormKitty, and WorldWind stealers. One variant additionally uses the same string decryption methodology previously associated with Agent Tesla v3.
The StringsCrypt module typically uses a header “ENCRYPTED:” for all configuration data, which indicates further decryption needs to occur to retrieve the underlying value. For the new DuckLogs variants, this header was changed to “DUCKLOGS:”. We updated the modules to account for variations in the configuration header, and accounted for arrays of c2 domains present in the new DuckLogs variants.
Example for DuckLogs variant:
- DuckLogs Stealer: 25f8e08d2fa2281f727705d89429deb6
Deep Instinct reported on the MuddyWater threat actor abusing the Syncro platform to leverage as a RAT. We added support to detect Syncro MSI files and obtain and report the API_KEY, CUSTOMER_ID, and FOLDER_ID.
Example for Syncro MSI:
- Syncro MSI: 43be8a405a7f57cf9f910d829c521b21
We are continuing to convert our existing kordesii support to leverage the Dragodis framework and rugosa library, enabling usage of IDA or Ghidra. The following is a list of conversions and currently supported disassembler(s) (IDA and/or Ghidra):
- BS2005 (IDA)
- Bisonal (IDA/Ghidra)
- BlackMatter (IDA/Ghidra)
- BlueCore (IDA/Ghidra)
- BlueMockingbird (IDA)
- BravePrince (IDA/Ghidra)
- Burix (IDA)
- CARBANAK (IDA/Ghidra)
- clistLogger (IDA/Ghidra)
- Cobalt Strike (IDA/Ghidra)
- Cotx (IDA)
- CryptOne (IDA/Ghidra)
- DADJOKE (IDA)
- DADSTACHE (IDA)
- Ketrican (IDA)