ostap (Malware Family)

ostap

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:

AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

References

2021-11-24 ⋅ Lasq's Security Blog ⋅ Lasq's Security Blog
From the archive #1: OSTap downloader deobfuscation and analysis
ostap

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2020-04-14 ⋅ Intrinsec ⋅ Jean Bichet
Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot

2020-03-20 ⋅ Bitdefender ⋅ Liviu Arsene
5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos

2019-09-12 ⋅ Github (cryptogramfan) ⋅ Alex Holland
Ostap Deobfuscation script
ostap

2019-09-03 ⋅ Bromium ⋅ Alex Holland
Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader
ostap

2019-08-05 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Michael Jhon Ofiaza
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot

2018-01-06 ⋅ CERT.PL ⋅ Paweł Srokosz
Ostap malware analysis (Backswap dropper)
ostap

Yara Rules

[TLP:WHITE] js_ostap_w0 (20190905 | No description)

rule js_ostap_w0 {
	meta:
		author = "Alex Holland @cryptogramfan (Bromium Labs)"
		date = "2019-08-29"
		sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
		sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap"
        malpedia_version = "20190905"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
	strings:
		$comment = { 2A 2A 2F 3B } // Matches on **/;
		$array_0 = /\w{5,8}\[\d+\]=\d{1,3};/
		$array_1 = /\w{5,8}\[\d+\]=\d{1,3};/
				
	condition:
		((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
		((#array_0 > 100) and (#array_1 > 100))) and
		(filesize > 500KB and filesize < 1500KB)
}

Download all Yara Rules

ostap Propose Change

References

Yara Rules

ostap