
Ecipekac Loader discovered in A41APT campaign

A41APT is a long-running campaign, with activity observed from March 2019 to December 2020. Most of the malware families found were fileless and had not been seen before. One malware family in this campaign is called Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). It is a complex multi-layer loader module used to deliver payloads such as SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT) and FYAnti (aka DILLJUICE stage2), which in turn loads QuasarRAT.

We observed a multi-layer x64 loader used by this actor; we named it Ecipekac after a unique string found in the second layer of the loader.


Ecipekac: Layer I loader


The Layer I loader abuses policytool.exe (a legitimate application usually packaged in the IBM Development Package for Eclipse) to load a malicious DLL named 'jli.dll' from the current directory through DLL side-loading. The 'jli.dll' file serves as the first layer of the Ecipekac loader. The DLL has many export functions; however, all of them point to the same main loading function, so it does not matter which export the legitimate host process calls.

Ecipekac: Layer II loader shellcode


The Layer II loader is a simple shellcode that carries the next layer's DLL embedded as shuffled pieces. First, the shellcode checks for the magic string "ecipekac" in this data. It then copies each piece of the embedded data into allocated memory at its correct position, reconstructing the original DLL image before loading it.
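The reconstruction step, as an added example that is not Ecipekac's code and not Kaspersky's analysis tooling. The container layout (magic, a chunk count, a table of destination offsets and sizes in stored order, then the chunk bytes) is an assumption made for this example; the real shellcode's layout is not documented on this page. The same logic applies to the first type of Layer IV shellcode, which differs only in the embedded PE.

```python
"""Reassemble a PE image stored as shuffled chunks behind a magic marker.

Hypothetical container layout (an assumption for this example, not the real
Ecipekac format):
  bytes 0..7   magic b"ecipekac"
  u32          chunk count N
  N x (u32 dest_offset, u32 size)   table, in *stored* order
  chunk data   concatenated in stored order
"""
import random
import struct

MAGIC = b"ecipekac"


def scramble(image: bytes, pieces: int, seed: int = 1) -> bytes:
    """Build the constructed container: split the image and store the pieces shuffled."""
    size = len(image)
    cut = sorted(random.Random(seed).sample(range(1, size), pieces - 1))
    bounds = [0] + cut + [size]
    chunks = [(bounds[i], image[bounds[i]:bounds[i + 1]]) for i in range(pieces)]
    random.Random(seed + 1).shuffle(chunks)
    table = b"".join(struct.pack("<II", off, len(c)) for off, c in chunks)
    return MAGIC + struct.pack("<I", pieces) + table + b"".join(c for _, c in chunks)


def reassemble(blob: bytes) -> bytes:
    """Check the marker, then copy every chunk back to its original offset."""
    if blob[:8] != MAGIC:
        raise ValueError("magic string not found; not a layer-II container")
    (count,) = struct.unpack_from("<I", blob, 8)
    table_off = 12
    data_off = table_off + 8 * count
    entries = [struct.unpack_from("<II", blob, table_off + 8 * i) for i in range(count)]
    total = sum(size for _, size in entries)
    image = bytearray(total)
    covered = bytearray(total)  # guards against overlapping or out-of-range chunks
    cursor = data_off
    for dest, size in entries:
        if dest + size > total or any(covered[dest:dest + size]):
            raise ValueError("malformed chunk table (overlap or out of range)")
        if cursor + size > len(blob):
            raise ValueError("chunk data truncated")
        image[dest:dest + size] = blob[cursor:cursor + size]
        covered[dest:dest + size] = b"\x01" * size
        cursor += size
    if cursor != len(blob):
        raise ValueError("trailing or missing chunk data")
    return bytes(image)


def looks_like_pe(image: bytes) -> bool:
    """Cheap sanity check a loader would do before mapping the result."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed sample: a fake DLL image (MZ header, e_lfanew, PE signature, filler)
SAMPLE_IMAGE = bytearray(0x400)
SAMPLE_IMAGE[:2] = b"MZ"
struct.pack_into("<I", SAMPLE_IMAGE, 0x3C, 0x80)
SAMPLE_IMAGE[0x80:0x84] = b"PE\0\0"
SAMPLE_IMAGE[0x84:] = bytes(i & 0xFF for i in range(0x84, 0x400))
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)

if __name__ == "__main__":
    container = scramble(SAMPLE_IMAGE, pieces=7)
    restored = reassemble(container)
    print("round trip ok:", restored == SAMPLE_IMAGE, "PE:", looks_like_pe(restored))
```

When carving such a container from memory or from a sample, the point of the bounds checks is that a corrupted or partially dumped table should fail loudly rather than silently produce a wrong-sized image; the scrambled form itself never starts with "MZ", which is why static signatures on the embedded DLL miss it.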

Ecipekac: Layer III loader DLL


The Layer III loader DLL loads the next layer in a similar way to Layer I. It reads encrypted data appended to the end of 'pcasvc.dll', a DLL that carries a valid digital signature, as was the case with 'vac.dll'. Appending the payload after the signed content keeps the signature valid while hiding the next stage inside a file that looks legitimate.
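A triage check for the pattern described above (a signed DLL with a payload appended after its last section and signature block), as an added example that is not part of the original report and not Kaspersky's tooling. It only measures the overlay; it does not know how Ecipekac encrypts the appended data. The sample PE used to exercise it is constructed inside the block.

```python
"""Flag PE files that carry data beyond their last section and Authenticode block."""
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of the certificate table


def pe_layout(data: bytes) -> dict:
    """Parse just enough of the PE headers to find where the legitimate content ends."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd_base = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dd_base + 8 * SECURITY_DIR)
    sections_end = 0
    sec_table = opt + opt_size
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        sections_end = max(sections_end, raw_ptr + raw_size)
    return {"sections_end": sections_end, "cert_off": cert_off, "cert_size": cert_size}


def overlay_size(data: bytes) -> int:
    """Bytes beyond both the last section and the signature block (0 means no overlay)."""
    lay = pe_layout(data)
    expected_end = lay["sections_end"]
    if lay["cert_size"]:
        expected_end = max(expected_end, lay["cert_off"] + lay["cert_size"])
    return max(0, len(data) - expected_end)


def build_sample_pe(cert_size: int = 0, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one section; exists only to exercise the check."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    section_off, section_len = 0x200, 0x200
    cert_off = section_off + section_len if cert_size else 0
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, cert_off, cert_size)
    sec = bytearray(40)
    sec[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, section_len, 0x1000, section_len, section_off)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (section_off - len(headers))
    body = bytes([0xC3]) * section_len            # stand-in code: 'ret' instructions
    cert = b"\xAA" * cert_size                     # stand-in WIN_CERTIFICATE blob
    return bytes(headers) + body + cert + overlay


if __name__ == "__main__":
    clean = build_sample_pe(cert_size=0x100)
    stuffed = build_sample_pe(cert_size=0x100, overlay=b"\x99" * 0x300)
    print("clean overlay:", overlay_size(clean), "stuffed overlay:", overlay_size(stuffed))
```

Run it over the DLLs that sit next to a side-loadable host binary. A non-zero overlay on a signed DLL is a triage signal, not proof: installers, self-extractors and some packers also append data after the signature, and the Authenticode hash deliberately excludes it, so signature verification alone will not catch this.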

Ecipekac: Layer IV loader shellcode


In our research, we found three different types of shellcode used as the fourth layer of Ecipekac.

The first type behaves the same as the Layer II shellcode; the only difference is the embedded PE, which in this case is the final Ecipekac payload, either P8RAT or the FYAnti loader.

The second type is a shellcode that is completely different from the other loader types.

The third type is a Cobalt Strike stager.

Ecipekac’s payload


As mentioned above, besides the Cobalt Strike stager we observed three final payloads injected by the Ecipekac loader over the course of this long-running operation:

  • P8RAT
  • SodaMaster
  • FYAnti loader for QuasarRAT

P8RAT

One of Ecipekac's payloads is a new fileless malware we call P8RAT (aka GreetCake). P8RAT uses a unique data structure for storing its C2 communication configuration. Across all collected P8RAT samples we found a total of 10 backdoor commands. The main purpose of P8RAT is to download and execute payloads (PE files and shellcode) from its C2 server.

SodaMaster

Another payload of the Ecipekac loader, which we call SodaMaster (aka DelfsCake), is also a new fileless malware. In our research we found more than 10 SodaMaster samples. All collected samples of this module are nearly identical: the offsets and hex patterns of every function match exactly. The only differences are in the configuration data, namely the hard-coded C2, the encoded RSA key, and other data used to compute the mutex value.

FYAnti loader for QuasarRAT

The last observed payload type deployed by Ecipekac is a loader module we call the FYAnti loader. In the fourth layer of Ecipekac, this DLL is loaded into memory and an export named "F ** kY ** Anti" is called. Because of this unique string, we named the loader "FYAnti". The execution flow of FYAnti adds two further layers before reaching the final stage, QuasarRAT (aka xRAT).

IOCs

Ecipekac loader
be53764063bb1d054d78f2bf08fb90f3
cca46fc64425364774e5d5db782ddf54
dd672da5d367fd291d936c8cc03b6467

Ecipekac shellcode
f60f7a1736840a6149d478b23611d561
59747955a8874ff74ce415e56d8beb9c
4638220ec2c6bc1406b5725c2d35edc3
d37964a9f7f56aad9433676a6df9bd19
335ce825da93ed3fdd4470634845dfea
f4c4644e6d248399a12e2c75cf9e4bdf

Encrypted QuasarRAT
019619318e1e3a77f3071fb297b85cf3