win.supper

Supper

Actor(s): Vanilla Tempest


Supper is a 64-bit Windows backdoor and tunnelling utility first observed in the wild in July 2024. It operates as both a Remote Access Trojan (RAT) and a SOCKS5 proxy, giving operators persistent access to infected systems and a way to route arbitrary traffic through victim environments.

Once executed, it establishes a TCP connection over port 443 to a primary C2 endpoint hardcoded in the binary. As a fallback, it can read alternate C2 IP addresses from an encoded file at %temp%/s01bafg, so it remains reachable if the primary server is unavailable. The malware multiplexes up to 16,384 concurrent sessions over a single TCP connection, each identified by a 16-bit session ID.

Communication begins with an unencrypted 300-byte handshake that carries a static bot identifier (0x00691155), system metadata (hostname, domain, OS version, integrity level) and a fixed flag. After the handshake, every message consists of a 12-byte obfuscated header and an encrypted payload (8 bytes, consisting of two encrypted IP addresses). The header is transformed with two hardcoded XOR keys, 0x4d4d4d4d4d4d4d4d and 0x4d4d4d4d. Payload encryption uses a non-standard, stateful XOR cipher: each byte is encrypted using a computed offset and a cycling key, itself XORed with 0x4d4d4d4d, that is derived from the header.

The backdoor supports a range of C2 commands, including remote shell execution, session teardown, SOCKS5 proxy operations, self-deletion and dynamic updating of the fallback IP list. For command execution it spawns a hidden cmd.exe instance and returns the encrypted output to the C2 server. As a proxy it accepts operator-specified connection requests, opens TCP sessions to the requested targets and relays data between target and operator, all within the session-multiplexing framework.

If instructed, or if a C2 session fails, the malware deletes itself using cmd.exe or schtasks.exe, typically disguising the operation as a scheduled task named "GoogleUpdateTask". The fallback C2 file (%temp%/s01bafg) is written by the malware using its encryption routine.
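The wire format above, as an added example that is not Supper's own code and not taken from the referenced analyses. It parses a constructed byte stream: a 300-byte handshake located by the static bot identifier, then frames whose 12-byte header is restored by XORing with the two documented keys. Assumptions, not stated on the page: the bot identifier is searched for as a little-endian 32-bit value anywhere in the handshake (no offset is given); frames are taken as a fixed 12-byte header plus the 8-byte payload the page mentions (a real capture would need the length field from the header); the field layout inside the de-obfuscated header is not described, so the sample header places a session ID in its first two bytes for illustration only; the stateful payload cipher is not reproduced.

```python
"""Added example: Supper-style handshake detection and header de-obfuscation.
Not the malware's code; framing and header layout are assumptions (see lead-in)."""
import struct

BOT_ID = 0x00691155          # static identifier in the 300-byte handshake
HANDSHAKE_LEN = 300
HEADER_LEN = 12
PAYLOAD_LEN = 8              # payload size given on the page; assumed fixed here
KEY64 = 0x4D4D4D4D4D4D4D4D   # documented header XOR keys
KEY32 = 0x4D4D4D4D
MAX_SESSIONS = 16_384        # 16-bit session IDs, 0x0000..0x3FFF


def xor_header(raw: bytes) -> bytes:
    """Apply the two documented keys to a 12-byte header.
    XOR is its own inverse, so this both obfuscates an outbound header
    and restores an inbound one."""
    if len(raw) != HEADER_LEN:
        raise ValueError("header must be exactly 12 bytes")
    q, d = struct.unpack("<QI", raw)
    return struct.pack("<QI", q ^ KEY64, d ^ KEY32)


def session_id_ok(sid: int) -> bool:
    """The page states at most 16,384 concurrent sessions."""
    return 0 <= sid < MAX_SESSIONS


def find_bot_id(handshake: bytes) -> int:
    """Offset of the little-endian bot ID inside the handshake, or -1.
    Assumption: the ID is stored little-endian; its offset is not documented."""
    return handshake.find(struct.pack("<I", BOT_ID))


def split_stream(stream: bytes):
    """Return (handshake, [(deobfuscated_header, encrypted_payload), ...]).
    Frames are assumed to be HEADER_LEN + PAYLOAD_LEN bytes each."""
    if len(stream) < HANDSHAKE_LEN:
        raise ValueError("stream shorter than the 300-byte handshake")
    hs, rest = stream[:HANDSHAKE_LEN], stream[HANDSHAKE_LEN:]
    if find_bot_id(hs) < 0:
        raise ValueError("bot identifier not found in handshake")
    frame_len = HEADER_LEN + PAYLOAD_LEN
    frames = []
    for off in range(0, len(rest) - frame_len + 1, frame_len):
        hdr = xor_header(rest[off:off + HEADER_LEN])
        payload = rest[off + HEADER_LEN:off + frame_len]   # still ciphertext
        frames.append((hdr, payload))
    return hs, frames


def build_sample_stream() -> bytes:
    """Constructed sample traffic, not a real capture: bot ID at offset 0,
    constructed hostname/domain/OS strings, then one obfuscated frame whose
    cleartext header starts with session ID 1 (layout assumed for illustration)."""
    hs = struct.pack("<I", BOT_ID) + b"WS-01\x00CORP\x00" + b"10.0.19045\x00"
    hs = hs.ljust(HANDSHAKE_LEN, b"\x00")
    clear_hdr = struct.pack("<H", 1) + bytes(HEADER_LEN - 2)
    payload = bytes(PAYLOAD_LEN)   # cipher not reproduced; zero placeholder
    return hs + xor_header(clear_hdr) + payload


if __name__ == "__main__":
    handshake, frames = split_stream(build_sample_stream())
    print("bot id at offset", find_bot_id(handshake))
    for hdr, payload in frames:
        print("header:", hdr.hex(), "payload:", payload.hex())
```

Because the keys are repeated 0x4d bytes, every obfuscated header byte is the cleartext byte XOR 0x4d; a run of 12 bytes that all turn into low or zero values after that XOR, immediately following a 300-byte client message to port 443, is the shape a network detection would look for.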
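The two host artefacts above (a scheduled task named exactly "GoogleUpdateTask" created via schtasks.exe, and cmd.exe or schtasks.exe touching the fallback file s01bafg) as detection logic run over process-creation records. This is an added example, not from any referenced report; the record shape (a dict with "image" and "command_line") and the sample command lines are constructed stand-ins for whatever EDR or Sysmon source you actually have. The task-name check is anchored on both sides because the legitimate Google updater registers tasks with longer names such as GoogleUpdateTaskMachineUA, which must not match.

```python
"""Added example: flag Supper self-deletion artefacts in process-creation events.
Event format and sample command lines are constructed for this example."""
import re

# exact task name, optionally quoted, followed by whitespace or end of line
TASK_RE = re.compile(r'/tn\s+"?GoogleUpdateTask"?(?=\s|$)', re.IGNORECASE)
# fallback C2 file name as a path component (the page gives %temp%/s01bafg)
FILE_RE = re.compile(r'[\\/]s01bafg(?=["\s]|$)', re.IGNORECASE)


def classify(event: dict) -> list:
    """Return a list of reasons the event matches; empty if benign."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["command_line"]
    hits = []
    if image == "schtasks.exe" and TASK_RE.search(cmd):
        hits.append("schtasks.exe creating task named exactly GoogleUpdateTask")
    if image in ("cmd.exe", "schtasks.exe") and FILE_RE.search(cmd):
        hits.append("cmd.exe/schtasks.exe referencing fallback C2 file s01bafg")
    return hits


def scan(events: list) -> list:
    """(index, reasons) for every event that matches at least one check."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn GoogleUpdateTask '
                     r'/tr "cmd.exe /c del /f /q C:\Users\u\AppData\Local\Temp\x.exe" '
                     r'/sc once /st 00:00'},
    {"image": r"C:\Windows\System32\schtasks.exe",          # legitimate-looking name
     "command_line": r'schtasks /create /tn GoogleUpdateTaskMachineUA '
                     r'/tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" '
                     r'/sc daily'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c del /f /q %temp%\s01bafg'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, "->", "; ".join(reasons))
```

Because the same task name is used for a one-shot deletion, an alert on the task name alone is low-noise; pairing it with the s01bafg path, or with a parent process that is itself the unsigned binary being deleted, makes it a high-confidence hit.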

References
2025-04-16 | Sekoia | Sekoia TDR
Interlock ransomware evolving under the radar
Interlock Berserk Stealer Interlock Lumma Stealer Supper
2025-04-15 | Beazley Security Labs | Beazley Security Labs
Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware
Interlock Supper
2025-03-31 | VirusTotal
48157c03bf9731926f9567fe1fabc807bff166241f8d6c27e6308dde68112669
Supper
2024-11-29 | Fortinet | Fred Gutierrez, Shunichi Imano
Ransomware Roundup - Interlock
Interlock Interlock Supper
Yara Rules
[TLP:WHITE] wun_unidentified_119_w0 (20250417 | No description)
rule wun_unidentified_119_w0 {

    meta:
        author = "defender2yara"
        detection_name = "Backdoor:Win64/Supper.A!ldr"
        threat_id = "2147917250"
        type = "Backdoor"
        platform = "Win64: Windows 64-bit platform"
        family = "Supper"
        severity = "Critical"
        info = "ldr: loader component of a malware"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supper"
        malpedia_rule_date = "20250417"
        malpedia_hash = ""
        malpedia_version = "20250417"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $x_1_1 = {48 8b 04 1f 48 33 45 f0 48 89 04 1e e8 ?? ?? ?? ?? 48 3b 45 e0 0f 83 ?? ?? ?? ?? 48 31 c9 51 48 8d}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
[TLP:WHITE] wun_unidentified_119_w1 (20250417 | No description)
rule wun_unidentified_119_w1 {

    meta:
        author = "defender2yara"
        detection_name = "Backdoor:Win64/Supper.B"
        threat_id = "2147920400"
        type = "Backdoor"
        platform = "Win64: Windows 64-bit platform"
        family = "Supper"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supper"
        malpedia_rule_date = "20250417"
        malpedia_hash = ""
        malpedia_version = "20250417"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $x_1_1 = {66 81 7d 10 ff 3f 0f ?? ?? ?? ?? ?? 0f b7 45 10 48 98 48 8d 14 c5 00 00 00 00 48 8d}  //weight: 1, accuracy: Low
        $x_1_2 = {81 7d fc ff 3f 00 00 0f ?? ?? ?? ?? ?? 48 8b 05 5e 3e 02 00 48 85 c0 74 ?? 48 8b 05 52 3e 02 00 48 89 c1 e8}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}