FYAnti is a highly sophisticated multi-layer malware loader module, used to deliver various malicious payloads such as SodaMaster (also known as DelfsCake, dfls, and DARKTOWN), P8RAT (also known as GreetCake and HEAVYPOT), and FYAnti (also known as DILLJUICE stage2). These payloads eventually load QuasarRAT (also known as xRAT), a remote access tool. FYAnti's execution flow involves two additional layers that culminate in the final stage, QuasarRAT. The first layer of the FYAnti loader decrypts an embedded .NET module and executes it using a technique known as CppHostCLR, in which native code hosts the .NET runtime to run the decrypted module.
The FYAnti malware has been linked to the APT10 group, a well-known cyber espionage group, due to similarities in techniques and tools used. This connection was highlighted in a Symantec blog post, where it was noted that the FYAnti loader, its unique export name "F**kY**Anti", the CppHostCLR injection technique for the .NET loader, and the use of QuasarRAT were similar to APT10's activities previously discovered by BlackBerry Cylance's threat research team. Furthermore, the A41APT campaign also showed parallels with APT10 activities, including the use of the Ecipekac Loader, FYAnti loader, the same unique export name, the CppHostCLR technique, and QuasarRAT as the final payload.
Kaspersky has published detailed information about the FYAnti loader through OpenTIP links tied to the malware's file hashes. The three identified hashes, dd672da5d367fd291d936c8cc03b6467, f4c4644e6d248399a12e2c75cf9e4bdf, and 335ce825da93ed3fdd4470634845dfea, correspond to different versions of the FYAnti loader. The second layer of the FYAnti loader is responsible for searching for a specific file on the infected system, further demonstrating the malware's complexity and sophistication.
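A defender's triage sweep that uses the three hashes above as indicators, combined with a coarse check for the CppHostCLR pattern mentioned earlier (a native executable carrying the CLR hosting DLL name and its entry points), as an added example that is not code from Kaspersky, Symantec or the page. It assumes the three 32-character digests are MD5 values (the page does not name the algorithm), that the `mscoree.dll`, `CLRCreateInstance` and `CorBindToRuntimeEx` strings are a usable hint for native CLR hosting, and that a plain string search is acceptable for triage; the files it builds in `demo()` are constructed stand-ins, not real samples.

```python
"""Hash-based IoC sweep plus a CLR-hosting string heuristic for triage.

Added example, not the page's or any vendor's code. The three digests come
from the page and are assumed to be MD5; everything else is an assumption.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Set, Tuple

# Hashes listed on the page for the FYAnti loader samples (assumed MD5).
FYANTI_MD5: Set[str] = {
    "dd672da5d367fd291d936c8cc03b6467",
    "f4c4644e6d248399a12e2c75cf9e4bdf",
    "335ce825da93ed3fdd4470634845dfea",
}

# Strings a native PE that hosts the CLR (the CppHostCLR pattern) usually
# carries: the runtime host DLL and its hosting entry points. Assumption: this
# is a coarse triage hint, not a signature; legitimate mixed-mode software
# imports the same names, so a hit means "look closer", not "malicious".
CLR_HOST_MARKERS: Tuple[bytes, ...] = (
    b"mscoree.dll",
    b"clrcreateinstance",
    b"corbindtoruntimeex",
)


@dataclass
class Finding:
    name: str                      # path relative to the swept root
    md5: str
    sha256: str
    hash_match: bool               # MD5 is in the IoC set
    clr_host_markers: List[str] = field(default_factory=list)


def digests(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests; SHA-256 is kept for reporting."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def inspect_bytes(data: bytes, name: str = "<memory>",
                  ioc_md5: Set[str] = FYANTI_MD5) -> Finding:
    """Hash one file image and look for CLR hosting strings (case-insensitive)."""
    md5, sha256 = digests(data)
    lowered = data.lower()
    markers = [m.decode() for m in CLR_HOST_MARKERS if m in lowered]
    return Finding(name, md5, sha256, md5 in ioc_md5, markers)


def sweep(root, ioc_md5: Set[str] = FYANTI_MD5) -> List[Finding]:
    """Walk a directory and keep only files that match a hash or carry markers."""
    root = Path(root)
    hits: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            data = p.read_bytes()
        except OSError:           # unreadable or vanished file: skip, keep going
            continue
        finding = inspect_bytes(data, str(p.relative_to(root)), ioc_md5)
        if finding.hash_match or finding.clr_host_markers:
            hits.append(finding)
    return hits


def demo() -> List[Finding]:
    """Sweep a throw-away directory of constructed files (not real samples).

    One file carries the CLR hosting strings, one is benign, and one is
    flagged by adding its own MD5 to a copy of the IoC set, standing in for
    a file whose hash is already known.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hosting = b"MZ constructed native stub MSCOREE.DLL\x00CLRCreateInstance\x00"
        benign = b"MZ constructed benign binary without runtime hosting strings"
        known = b"MZ constructed stand-in for a file with a known hash"
        (root / "host.exe").write_bytes(hosting)
        (root / "benign.exe").write_bytes(benign)
        (root / "known.exe").write_bytes(known)
        iocs = FYANTI_MD5 | {digests(known)[0]}
        return sweep(root, iocs)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name}: md5={f.md5} ioc_match={f.hash_match} markers={f.clr_host_markers}")
```

Run it against a real directory with `sweep("/path/to/scan")`; the MD5 match is the only high-confidence signal, the marker list is a prompt to inspect the file's import table and whether it should be hosting the runtime at all.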
Description last updated: 2024-05-05T12:59:24.192Z