Ecipekac, also known as DESLoader, SigLoader, and HEAVYHAND, is a complex piece of malware that uses an intricate loading scheme to infect systems. This multi-layered approach involves four fileless loader modules that sequentially load and decrypt one another until the final payload is loaded into memory. The first and second layers of this chain are the Ecipekac Layer I and Layer II loaders, which are encrypted shellcodes. A unique string found within the second-layer loader led to the malware's identification and naming. Notably, the encrypted shellcodes were inserted into digitally signed DLLs without impacting the validity of the digital signature, which allows the tampered DLLs to pass signature-based trust checks and is a defining feature of this malware.
The payloads of Ecipekac include two new types of fileless malware: SodaMaster (also known as DelfsCake) and P8RAT (also known as GreetCake). These payloads are the final stage of the Ecipekac infection flow. The first of the payload shellcode types follows the same procedure as the Ecipekac Layer II shellcode; the key difference lies in the embedded PE, which is the final Ecipekac payload. Furthermore, the payloads check a registry key and process names to identify virtual machine environments, indicating a deliberate effort to evade detection or analysis.
In summary, Ecipekac represents a significant evolution in malware design due to its layered, fileless structure and its ability to hide inside validly signed binaries. Its complexity and stealth make it a formidable threat. By deploying multiple payloads, including the newly identified SodaMaster and P8RAT, it can carry out a range of malicious activities. As such, enhanced vigilance and advanced threat detection measures are crucial in combating this sophisticated malware.
Description last updated: 2024-09-25T13:17:20.820Z