SYMBOLCOMMON_NAMEaka. SYNONYMS
win.8t_dropper (Back to overview)

8.t Dropper

aka: 8t_dropper, RoyalRoad

Actor(s): Hellsing, Ice Fog, Pirate Panda, RANCOR, TA428, Tick, Tonto Team, Karma Panda


8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

References
2020-09-16RiskIQJon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19RiskIQJon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing
2020-03-21MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } On the Royal Road
8.t Dropper
2020-03-20Medium SebdravenSébastien Larinier
@online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
2020-03-12Check PointCheck Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-11Virus BulletinGhareeb Saad, Michael Raggi
@online{saad:20200311:attribution:3efcc0a, author = {Ghareeb Saad and Michael Raggi}, title = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}}, date = {2020-03-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/}, language = {English}, urldate = {2020-03-13} } Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-09-22Check Point ResearchCheck Point Research
@online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-07-23ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2019-12-20} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT TA428
2019-01-03m4n0w4r
@online{m4n0w4r:20190103:another:2f48120, author = {m4n0w4r}, title = {{Another malicious document with CVE-2017–11882}}, date = {2019-01-03}, url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f}, language = {Vietnamese}, urldate = {2020-03-11} } Another malicious document with CVE-2017–11882
8.t Dropper
2018-11-03m4n0w4r
@online{m4n0w4r:20181103:l:d496fbd, author = {m4n0w4r}, title = {{Là 1937CN hay OceanLotus hay Lazarus …}}, date = {2018-11-03}, url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241}, language = {Vietnamese}, urldate = {2020-03-11} } Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper
2018-07-31Medium SebdravenSébastien Larinier
@online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } Malicious document targets Vietnamese officials
8.t Dropper
Yara Rules
[TLP:WHITE] win_8t_dropper_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_8t_dropper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d8574f5ffff 50 56 e8???????? ff75fc e8???????? 6800100000 }
            // n = 7, score = 100
            //   8d8574f5ffff         | lea                 eax, [ebp - 0xa8c]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   6800100000           | push                0x1000

        $sequence_1 = { 6854654000 56 ffd3 85c0 7509 56 ff15???????? }
            // n = 7, score = 100
            //   6854654000           | push                0x406554
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_2 = { c645b4fb 8845b5 8845b6 c645b7eb c645b812 c645b944 c645ba8b }
            // n = 7, score = 100
            //   c645b4fb             | mov                 byte ptr [ebp - 0x4c], 0xfb
            //   8845b5               | mov                 byte ptr [ebp - 0x4b], al
            //   8845b6               | mov                 byte ptr [ebp - 0x4a], al
            //   c645b7eb             | mov                 byte ptr [ebp - 0x49], 0xeb
            //   c645b812             | mov                 byte ptr [ebp - 0x48], 0x12
            //   c645b944             | mov                 byte ptr [ebp - 0x47], 0x44
            //   c645ba8b             | mov                 byte ptr [ebp - 0x46], 0x8b

        $sequence_3 = { a5 a5 66a5 a4 59 33c0 }
            // n = 6, score = 100
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 8bec 6aff 6868514000 687c414000 }
            // n = 4, score = 100
            //   8bec                 | mov                 ebp, esp
            //   6aff                 | push                -1
            //   6868514000           | push                0x405168
            //   687c414000           | push                0x40417c

        $sequence_5 = { 8845b1 8845b2 c645b3eb c645b412 c645b544 c645b68b c645b745 }
            // n = 7, score = 100
            //   8845b1               | mov                 byte ptr [ebp - 0x4f], al
            //   8845b2               | mov                 byte ptr [ebp - 0x4e], al
            //   c645b3eb             | mov                 byte ptr [ebp - 0x4d], 0xeb
            //   c645b412             | mov                 byte ptr [ebp - 0x4c], 0x12
            //   c645b544             | mov                 byte ptr [ebp - 0x4b], 0x44
            //   c645b68b             | mov                 byte ptr [ebp - 0x4a], 0x8b
            //   c645b745             | mov                 byte ptr [ebp - 0x49], 0x45

        $sequence_6 = { 6880256300 6884256300 ff74240c e8???????? 83c40c c3 }
            // n = 6, score = 100
            //   6880256300           | push                0x632580
            //   6884256300           | push                0x632584
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c3                   | ret                 

        $sequence_7 = { 56 57 33c0 8d7de1 be40644000 ab ab }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   33c0                 | xor                 eax, eax
            //   8d7de1               | lea                 edi, [ebp - 0x1f]
            //   be40644000           | mov                 esi, 0x406440
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_8 = { eb2b 8b35???????? 0fb6d2 8a1432 881401 41 c604013d }
            // n = 7, score = 100
            //   eb2b                 | jmp                 0x2d
            //   8b35????????         |                     
            //   0fb6d2               | movzx               edx, dl
            //   8a1432               | mov                 dl, byte ptr [edx + esi]
            //   881401               | mov                 byte ptr [ecx + eax], dl
            //   41                   | inc                 ecx
            //   c604013d             | mov                 byte ptr [ecx + eax], 0x3d

        $sequence_9 = { 6844634000 ff7508 ffd6 57 }
            // n = 4, score = 100
            //   6844634000           | push                0x406344
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd6                 | call                esi
            //   57                   | push                edi

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules