{
	"id": "8cd8819d-bfc6-4c2b-89df-3f03051e8de3",
	"created_at": "2026-04-06T00:18:26.010305Z",
	"updated_at": "2026-04-10T03:34:54.743184Z",
	"deleted_at": null,
	"sha1_hash": "9b0936b1e3b43ea3afe57dce26d6dbd5dc56d6bc",
	"title": "Automation to Combat Evolving Obfuscation – Cipher Tech Solutions, Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1461613,
	"plain_text": "Automation to Combat Evolving Obfuscation – Cipher Tech\r\nSolutions, Inc.\r\nArchived: 2026-04-02 11:05:25 UTC\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\nJuly 12, 2021 | By Melissa Frydrych, co-authored by Claire Zaboeva and Dan Dash\r\nIn a recent collaboration to investigate a rise in malware infections featuring a commercial Remote Access Trojan\r\n(RAT), IBM Security X-Force and Cipher Tech Solutions (CT), a defense and intelligence security firm,\r\ninvestigated malicious activity that spiked in Q1 2021. With over 1,300 malware samples collected, our teams\r\nanalyzed the delivery of a new variant of the RoboSki packer, a packer widely used to thwart detection and\r\nultimately deliver commodity RATs to enterprise networks.\r\nCipher Tech automated the capability to rapidly extract configuration data from malware to produce actionable\r\nIOCs. Analysts tested the ability to statically extract configuration data, bypassing dynamic anti-analysis features,\r\nusing data processed by CT[1], discovering approximately 1,300 additional samples. The RoboSki-packed malware\r\nsamples discovered feature new capabilities, such as the ability to load resources and convert pixel data to\r\nRGB order, resulting in the RoboSki component, and to decode and decrypt a ReZer0 loader. The ReZer0\r\nloader can embed malware or fetch it from remote servers and is known for delivering encrypted\r\npayloads and performing anti-sandbox checks. Layering loaders is a tactic many malware distributors use to evade anti-virus\r\ndetection and security scanners.\r\nCT partnered with IBM X-Force to uncover how attackers delivered the commercial RATs. While analyzing the\r\ndelivery of RoboSki samples, X-Force isolated a sample of 21 phishing emails addressed to organizations\r\nworldwide in and around mid-February 2021 with attachments including RoboSki packed malware. 
The emails,\r\nwhich feature global trade themes, lead to the delivery of numerous malware families, such as Agent Tesla, FormBook,\r\nnjRAT, NetWire, and the Remcos RAT.\r\nX-Force found infrastructure overlaps between RoboSki’s distribution and recent or ongoing activity\r\nspreading malware such as AsyncRAT, LokiBot, NanoCore, and the Gamarue Botnet, in addition to Agent Tesla,\r\nFormBook, njRAT, NanoCore, and Remcos RAT, which have previously been reported on IBM’s premium threat\r\nintelligence platform TruSTAR and on Security Intelligence.\r\nPrior references to the RoboSki malware were made in mid-2020, linking it to activity by a group known as\r\n“Vendetta”. X-Force and CT do not necessarily attribute the new RoboSki variant we analyzed, or its means of\r\ndelivery, exclusively to Vendetta. We believe that the activity we examined points to independent cybercriminals\r\ndistributing malware globally, as part of a continuous effort to evolve tools and methods, better obfuscate\r\nactivity, and evade detection.\r\n[1] Automated Component and Configuration Extraction (ACCE)\r\nhttps://www.ciphertechsolutions.com/roboski-global-recovery-automation/\r\nPage 1 of 15\n\nAre Cybercriminals Riding the Tide of Global Recovery?\r\n2020 saw the global economy experience the worst peacetime economic decline since the Great Depression, but in\r\nits economic growth forecast for 2021, the International Monetary Fund (IMF) predicts renewed global economic\r\nexpansion of 6% in 2021 alone. Arguably underpinning this recovery in global trade is a worldwide expansion in\r\nthe eCommerce ecosystem, which grew by a staggering 30% within the last year. 
Doubtless attuned to these\r\nchanges in the digital current, malicious cyber actors are baiting their hooks accordingly to imitate authentic\r\nrequests for quotations, payment orders, and shipping updates, hoping to snare those logistical linchpins, like\r\nmanufacturers, shippers, and suppliers, in the global supply chain.\r\nX-Force analysts studied a sample of 21 phishing emails containing malicious attachments that deliver the\r\nRoboSki packer, and subsequently a variety of final payloads. Analyzed emails were sent approximately between\r\nthe second and third week of February 2021 and were categorized into three main themes: Purchase\r\nOrder/RFQ/Inquiry, Shipping Notification, and Payment Notice/Bank Transfers. The sample emails were sent to\r\n15 unique companies located in 12 different countries across Europe, South America, the Middle East, and South\r\nAsia.\r\nIn all instances, the phishing emails were addressed to companies associated with the manufacture or export of\r\nitems supporting and/or supplying construction, transport, engineering, or energy services. Most samples were\r\ndirected at entities in Europe, with the highest concentration of targeted organizations based in Romania, Italy, and\r\nGermany.\r\nX-Force and CT analysts assess with high confidence that global trade and logistics themed phishing campaigns\r\nwill continue to plague organizations into the year ahead, as the recovery of global trade unfolds over time.\r\nOrganizations, especially those engaged in import and export, should exercise extra caution and seek to cultivate\r\na culture of cyber awareness among management and all employees.\r\nNew Orders and Requests for Quotations\r\nMost emails in our sample were sent to a Romania-based company characterized as a global supplier of\r\nelectrotechnical power products, including power transformers and rotary electric machines. 
Several of the emails\r\nwere crafted to appear to originate from real company email domains, indicating the senders are trying to increase\r\nthe likelihood that the phishing email appears legitimate. Apart from a single instance, the emails pose as an\r\ninquiry surrounding purchase orders and requests for quotations. All emails are written in poor English and\r\ninclude an attached purchase order or quotation contained in an archive file (Zip, CAB, or RAR), which, when\r\nexecuted, drops the RoboSki packed malware.\r\nFigure 1: Sample email sent to a Romania-based company\r\nAdditional phishing messages uncovered with the same theme were primarily composed in varying qualities of\r\nEnglish and directed at seven unique entities across Europe and South America, targeting companies that\r\nmanufacture automobile parts, machinery, and energy components. While the quality of the text differs by sample,\r\nthe uncovered emails contain signature blocks attempting to impersonate well-known global corporations.\r\nWhere’s My Package?\r\nWe found that the email sender janattbs7[@]gmail[.]com sent not only an email to the Romania-based company\r\nregarding a “quotation request”, but also an email for “shipping documents”. Due to the additional emails sent to the\r\nsame company with varying themes, X-Force researched the spoofed sender company as well as the recipient\r\ncompany; however, no clear connection between the two was discerned.\r\nSome of the sample emails used package delivery lures that purported to come from DHL or FedEx. These were\r\ntypically sent to companies within the construction industry that support oil companies and government clients, as\r\nwell as water technology and processing.\r\nFigure 2: Sample DHL Email\r\n“Dear Customer,\r\nYour package has arrived at the office. 
Our courier could not deliver it to your address due to a wrong address\r\nprovided by our customer.\r\nTo receive your package, please go to any of our nearest office and show this receipt.\r\nCLICK ON THE ATTACHED FILE TO DOWNLOAD AND PRINT THE RECEIPT.\r\nGreetings\r\nThe DHL team”\r\nFake Notices, Payments, and Invoices\r\nOther emails in the sample featured fake payment notices, invoices, or bank transfers and were sent to\r\norganizations in Europe and the Middle East. Half of the samples were composed in the native language of the\r\ntargeted recipients and contained signature blocks of authentic banks or import/export companies. The remaining\r\nemails were composed in well-worded English and featured signature blocks impersonating the Managing\r\nDirector of a legitimate global shipping and logistics/supply chain management company based in Bangladesh.\r\nWhile the sender email addresses did not match the signature blocks featured in each of the samples, in all cases\r\nthe signature blocks themselves imitate authentic companies that may have a legitimate interest in the products or\r\nservices of the targeted corporation.\r\nIn two instances, emails used the encrypted email service Tutanota (e.g. imports[@]tutanota[.]com[.]de). Affixed\r\nto each of these emails was an archive file (TAR, 7z, GZIP) posing as either a transfer request, a SWIFT\r\nstatement from an authentic bank, or numeric codes potentially pointing to account numbers.\r\nFigure 3: Sample payment email\r\nObservations from Our Analysis\r\nX-Force uncovered several unique characteristics which provide insight into the attack infrastructure used in the\r\nvarious deliveries of RoboSki packed malware to facilitate operations. 
The activity we examined involved at least\r\n289 email addresses used for exfiltration, of which about 150 do not appear legitimate or have discoverable returns,\r\nwhile more than half appear to be valid accounts.\r\nAbout 20 percent of the valid email accounts showed server errors, and roughly 10 percent of accounts were\r\nassociated with catch-all servers that accept emails sent to the domain, regardless of whether the mailbox exists or\r\nnot. The remaining accounts returned as either belonging to invalid domains with no mail exchange record, bad\r\nsyntax, transient network faults, or unknown status.\r\nInfrastructure Overlaps with Distribution of Other Malware\r\nWe isolated about 165 different C2 IP addresses and domains that were used in the distribution of malicious\r\npayloads. Several IP addresses and domains have been reported in previous malware campaigns or are associated\r\nwith recent or ongoing activity delivering a variety of other malware. Some malware variants include Eldorado,\r\nTelegram Bot, NanoBot, LokiBot, and the password stealers Fareit and RedLine. The following represents a\r\nsample of the recent, or ongoing, campaigns that share, or have shared, infrastructure overlaps with the RoboSki\r\npacker:\r\nAsyncRAT\r\nSome malicious overlaps include the domain 8123wsheurope.access[.]ly, which resolved to the RoboSki packed\r\nAsyncRAT C2 IP address 79.134.225[.]44 in December 2020. Recently, this domain was reported as being part of\r\nactivity in which attackers used collaboration platforms, such as Slack, to evade detection and deliver several types\r\nof RATs and stealers. 
AsyncRAT has also been active in the past month in attacks on the aviation, travel, and cargo\r\nindustry.\r\nNanoCore RAT\r\nIn the same netblock as the AsyncRAT IP address, a RoboSki-packed NanoCore C2 IP address 79.134.225[.]71\r\nresolved to adam9.ddns[.]net, which was a C2 domain reported in late 2020 in relation to activities by the Blade\r\nEagle (Blade Hawk) APT group. In that campaign, Blade Eagle targeted organizations in the Middle East and\r\nWest Asia. We also found that the C2 domains uyeco[.]pw and zolta[.]icu were seen in a recent malspam campaign in\r\nwhich malicious executable file formats were abused in a way that hid them from email scanners and\r\nanti-malware software, ultimately to deliver the NanoCore RAT. The infection TTPs were similar to the ones used\r\nto deliver the RoboSki packed malware: emails themed with purchase orders in archived files.\r\nLokiBot\r\nOther observed overlaps include the RoboSki-packed LokiBot C2 domains:\r\n– alphastand[.]trade\r\n– alphashtand[.]top\r\n– alphastand[.]win\r\n– kbfvzoboss[.]bid\r\nThese were previously observed in a campaign using Microsoft Publisher files to deliver the Pony malware. The\r\ndomains were also reported in a separate phishing campaign in 2019 using “SWIFT monetary transfer” themed\r\nlures to deliver LokiBot, in addition to Neshta and Fuerboos. All four C2 domains were used again in October\r\n2020, as part of a different LokiBot spam campaign. Of note, these C2 domains were present in 95 of the RoboSki\r\npacked LokiBot samples, accounting for 41 unique LokiBot payloads.\r\nGamarue Botnet\r\nIn addition, the C2 domains azmtool[.]us, becharnise[.]ir, newcesarnex[.]com, and klimsourcinq[.]com were\r\nreported in February as being related to the Gamarue Botnet. 
In these instances, each of the domains was present\r\nin varying RoboSki packed LokiBot samples.\r\nFile Path Observations\r\nSome file paths have noticeable misspellings, such as %AppData%\\microsift.exe, which was observed in a\r\nRoboSki packed AsyncRAT sample. We found that additional file paths, such as %Temp%\\windefendllinici.exe in\r\nRoboSki packed AsyncRAT samples, may be associated with files compiled in February 2021 that matched\r\nYARA signatures for NanoCore and password stealers, several of which communicate with the RoboSki packed\r\nAsyncRAT C2 domain laboratoriogenfarp.linkpc[.]net.\r\nThe appearance of the same file path in a limited sample set may suggest that the same malicious\r\nactor has been involved in several campaigns delivering various malware. The file path %AppData%\\notes\\logs.dat,\r\nseen in a RoboSki packed Remcos sample, was also observed within other files that matched YARA rules for\r\nRemcos RAT and Agent Tesla. The presence of %AppData%\\seguridad\\logs.dat in a RoboSki packed Remcos\r\nsample may suggest that a Spanish-speaking company may have had their security logs accessed. In addition, this\r\nfile path was found within a file possibly related to Razy malware.\r\nLicense Re-Use\r\nWhile analyzing some of the final payloads, some interesting and specific attributes regarding Remcos RAT were\r\nobserved. Our analysts found that the Remcos configuration contains a license code field (“license_code”), which\r\nis unique to each purchaser. In some cases where the RoboSki packer led to the delivery of Remcos, it was\r\nobserved that two specific license codes were re-used.\r\nThe license codes we observed within the configuration of multiple packed payloads were:\r\n1. 
License code A830299B3222E31F1F2765E3AC4D37FD – observed four times and associated with C2\r\naddresses 184.140.53.148:1011 and 79.134.225.14:1011.\r\n2. License code 8896DBA4C4FC821D8BAAC764BC9822E3 – observed eight times and associated with C2\r\naddresses 91.241.19.107:1313 and 176.111.174.14:2804.\r\nIn addition, the configuration of Remcos RAT contains the field “server_password”; both of these license\r\ncodes used the password “Yes”, although this is possibly the default password.\r\nNew RoboSki Version – The Technical Details\r\nAs identified by X-Force, the RoboSki packer file typically arrives within a malicious email archive attachment.\r\nCT further analyzed the packer and its embedded components to understand the execution flow leading to a\r\ncommodity RAT payload and how that execution flow differed from previous RoboSki packers.\r\nFigure 4: Mapping of RoboSki Packer to Final Payload\r\nRoboSki.Packer\r\nCT analysts found that the RoboSki packer contains numerous .NET Microsoft resources, including the two\r\nresources of interest, SzGeneric and EventWaitHandleRights (highlighted in Figure 5), which are stored as PNG\r\nimages.\r\nFigure 5: Key Resources\r\nThe resource SzGeneric contains the RoboSki component. The RoboSki component is used to decrypt the contents\r\nof the resource EventWaitHandleRights, resulting in a ReZer0 loader. 
To get to the ReZer0 loader, the RoboSki\r\npacker first loads the SzGeneric resource and converts the pixel data to RGB order, as shown in Figure 6,\r\nresulting in the RoboSki component.\r\nFigure 6: Conversion to RGB Order\r\nThis differs from previous RoboSki packer versions, in which the component was stored as string data and decoded\r\nusing either string replacement and the Base32 algorithm, or string replacement, string reversal, and the Base64\r\nalgorithm.\r\nThe converted data is then executed and invoked in a series of module calls, depicted in Figure 7, in which\r\nthe component is executed from its O5.Ga namespace/class and passed parameters from the class named\r\nChannelSinkStack.\r\nFigure 7: Converted Data Executed and Invoked\r\nThe parameters stored within ChannelSinkStack are the hex-encoded values for the resource name\r\nEventWaitHandleRights and a base XOR key, “xNksm”.\r\nFigure 8: ChannelSinkStack Parameters\r\nRoboSki.Component\r\nAs described above, during execution the RoboSki component is provided resource and XOR key parameters and\r\nproceeds to decode and decrypt the ReZer0 loader from the RoboSki packer. The component loads the resource\r\nand arranges the pixels in BGRA order. The component then parses the resource according to the structure in Figure 9\r\nand XOR decrypts the data using the results of permutations against the base XOR key and a control key.\r\nFigure 9: Python Construct Library Structure\r\nFigure 10: Structure Parsing and XOR Decryption\r\nThe resultant ReZer0 loader is then executed in memory and subsequently decrypts and executes an embedded\r\npayload, which in this case is an instance of the Agent Tesla RAT. 
The ReZer0 loader operates in the same\r\nmanner as described by 360 Total Security and Fortinet. As mentioned in those blog posts, the ReZer0 loader\r\nexhibits anti-analysis features such as detection of virtual machines or sandboxes and can bypass anti-virus\r\nsoftware. Due to these anti-analysis features, the results from dynamic analysis, including sandboxes, may be\r\nincomplete or wildly inaccurate. By using Automated Component and Configuration Extraction (ACCE) to\r\nstatically extract the configuration data, we bypass all dynamic anti-analysis features that would otherwise prevent\r\naccurate and reliable analysis.\r\nHow Do We Build ACCE Support?\r\nACCE is built on top of CT’s proprietary libraries, as well as the Department of Defense Cyber Crime Center’s\r\n(DC3) Malware Configuration Parser (MWCP) and kordesii frameworks. This promotes an automation workflow\r\nin which initial YARA signature detections prompt the running of targeted modules, organized by capability, to extract\r\nlayers of components (RoboSki packer -\u003e ReZer0 loader -\u003e Agent Tesla payload) and report configuration at each\r\nlayer. By adopting the ACCE workflow, reverse engineers can develop modules based upon analysis of a few\r\nsamples, and then leverage those modules to continue to extract results from thousands of other related malware\r\nvariants.\r\nThe primary difference between the newly analyzed RoboSki packer and previous RoboSki packers is the way the\r\nReZer0 loader is encrypted. 
Previously written code for parsing the PNG pixels of the image resource was used in\r\nconjunction with new code for obtaining and using the resource name and initial XOR key, built with construct, regex\r\npatterns, and an internal library.\r\nFigure 11: Construct\r\nFigure 12: Construct PAYLOAD_SPEC\r\nThe referenced resource is acquired, the PNG pixels are parsed, and the resulting data is parsed using the construct\r\nPAYLOAD_SPEC.\r\nSubsequently, the ReZer0 loader is decrypted and dispatched for further processing. The configuration output for\r\nthe RoboSki packer (MD5: 9b792353406c1c8bf440fa5417aee5b2), which contained the LokiBot sample with C2\r\ndomains previously observed in other campaigns, is shown below:\r\nFigure 13: Configuration Output\r\nThreat Hunting Using ACCE Output\r\nAfter adding a parser module to automatically extract the RoboSki component and ReZer0 loader from the new\r\nRoboSki packer variant, we used VirusTotal to find additional samples using the new RoboSki packer variant. As\r\na result, 55 samples were selected to test against the new parser module.\r\nTwo variations in the initial RoboSki packer were observed:\r\n1. In addition to being hex-encoded, the .NET Microsoft resource name and base XOR key are Base64\r\nencoded.\r\n2. A .NET obfuscator is leveraged to encrypt all strings in the RoboSki packer, inhibiting the ability to easily\r\nextract the resource name and base XOR key.\r\nAll 55 RoboSki packer samples contained the same RoboSki decryption component.\r\nAfter updating the parser module(s) to support the variations observed in the RoboSki packer, approximately 1,300\r\nadditional RoboSki packer samples were obtained via VirusTotal and subsequently run against the capability. 
The\r\nresultant payload distribution is as denoted in the following chart:\r\nFigure 14: Payload Distribution\r\nThe most common payload observed was Agent Tesla, accounting for over half of the obtained payloads. Notably,\r\nall the payloads fell into a category of commodity malware, such as information stealers or commercial RATs.\r\nAn Ever-Evolving Commodity Malware Scene\r\nMalware distribution is a continually evolving practice that’s undertaken by potential botnet herders and spam\r\ndistributors alike, constantly on the quest to bypass organizational security controls to deliver malware. As part of\r\nthat ecosystem, commodity packers, such as RoboSki, are used extensively to spread numerous types of malicious\r\ncode. Keeping up to date about new variations, IOCs, and overall delivery TTPs is essential to keeping networks\r\nfree of malware that could eventually result in more advanced compromises.\r\nTo avoid the associated risks that come with a reliance on digital exchange for operations, the use of automation to\r\nrapidly generate indicators can help equip network defenders with the necessary insight to identify and prevent\r\ncompromise. X-Force and CT analysts assess with high confidence that the use of ordering and logistics themed\r\nphishing emails will persist, especially as global trade continues to recover. Organizations, especially those engaged in\r\nthe import and export of items worldwide, should exercise extreme caution and harden their network\r\nenvironments.\r\nFor up to date information about malware campaigns, IOCs, and malware reports, join us on X-Force Exchange.\r\nSource: https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ciphertechsolutions.com/roboski-global-recovery-automation/"
	],
	"report_names": [
		"roboski-global-recovery-automation"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434706,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b0936b1e3b43ea3afe57dce26d6dbd5dc56d6bc.pdf",
		"text": "https://archive.orkl.eu/9b0936b1e3b43ea3afe57dce26d6dbd5dc56d6bc.txt",
		"img": "https://archive.orkl.eu/9b0936b1e3b43ea3afe57dce26d6dbd5dc56d6bc.jpg"
	}
}