8.t Dropper (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.8t_dropper (Back to overview)

8.t Dropper

aka: 8t_dropper, RoyalRoad

Actor(s): Hellsing, Ice Fog, Pirate Panda, RANCOR, TA428, Tick, Tonto Team, Karma Panda

VTCollection

8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

References

2023-04-05 ⋅ Medium Ilandu ⋅ Ilan Duhin
PortDoor - APT Backdoor analysis
ACBackdoor 8.t Dropper PortDoor

2023-03-07 ⋅ Check Point Research ⋅ Check Point Research
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
5.t Downloader 8.t Dropper Soul

2023-02-07 ⋅ MalGamy ⋅ MalGamy
The Approach of TA413 for Tibetan Targets
8.t Dropper LOWZERO

2022-09-22 ⋅ Recorded Future ⋅ Insikt Group®
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
8.t Dropper LOWZERO

2022-07-07 ⋅ Sentinel LABS ⋅ Tom Hegel
Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs
8.t Dropper Korlia Tonto Team

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-01-13 ⋅ AlienVault ⋅ Tom Hegel
A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder

2021-01-04 ⋅ nao_sec blog ⋅ nao_sec
Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback

2020-09-16 ⋅ RiskIQ ⋅ Jon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy

2020-08-19 ⋅ RiskIQ ⋅ Cory Kennedy, Jon Gross
RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy

2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428

2020-06-03 ⋅ Kaspersky Labs ⋅ Giampaolo Dedola, GReAT, Mark Lechtik
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing

2020-03-21 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz
On the Royal Road
8.t Dropper

2020-03-20 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy

2020-03-12 ⋅ Check Point ⋅ Check Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy

2020-03-12 ⋅ Check Point Research ⋅ Check Point
Vicious Panda: The COVID Campaign
8.t Dropper Vicious Panda

2020-03-11 ⋅ Virus Bulletin ⋅ Ghareeb Saad, Michael Raggi
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike

2019-07-23 ⋅ Proofpoint ⋅ Dennis Schwarz, Michael Raggi, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428

2019-03-05 ⋅ Accenture ⋅ Accenture
MUDCARP's Focus on Submarine Technologies
8.t Dropper APT40

2019-01-03 ⋅ ⋅ m4n0w4r
Another malicious document with CVE-2017–11882
8.t Dropper

2018-11-03 ⋅ ⋅ m4n0w4r
Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper

2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper

2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper PlugX 1937CN

Yara Rules

[TLP:WHITE] win_8t_dropper_auto (20241030 | Detects win.8t_dropper.)

rule win_8t_dropper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.8t_dropper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c9ff f2ae f7d1 49 c6440c0c52 }
            // n = 5, score = 200
            //   83c9ff               | or                  ecx, 0xffffffff
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   c6440c0c52           | mov                 byte ptr [esp + ecx + 0xc], 0x52

        $sequence_1 = { 83c40c c3 8b442408 83f801 }
            // n = 4, score = 200
            //   83c40c               | add                 esp, 0xc
            //   c3                   | ret                 
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   83f801               | cmp                 eax, 1

        $sequence_2 = { 8d942410010000 6804010000 52 68???????? ff15???????? 8d842410010000 68???????? }
            // n = 7, score = 200
            //   8d942410010000       | lea                 edx, [esp + 0x110]
            //   6804010000           | push                0x104
            //   52                   | push                edx
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d842410010000       | lea                 eax, [esp + 0x110]
            //   68????????           |                     

        $sequence_3 = { 8bc6 5f 5e 5b c9 c3 ff35???????? }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   ff35????????         |                     

        $sequence_4 = { 49 51 68???????? 6a02 50 8b442418 }
            // n = 6, score = 200
            //   49                   | dec                 ecx
            //   51                   | push                ecx
            //   68????????           |                     
            //   6a02                 | push                2
            //   50                   | push                eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]

        $sequence_5 = { 6801000080 ff15???????? bf???????? 83c9ff 33c0 }
            // n = 5, score = 200
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { 683f000f00 50 52 6801000080 ff15???????? bf???????? 83c9ff }
            // n = 7, score = 200
            //   683f000f00           | push                0xf003f
            //   50                   | push                eax
            //   52                   | push                edx
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_7 = { 51 ff15???????? 8d942410010000 6804010000 52 68???????? }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d942410010000       | lea                 edx, [esp + 0x110]
            //   6804010000           | push                0x104
            //   52                   | push                edx
            //   68????????           |                     

        $sequence_8 = { 83c408 85f6 741b 56 6800700000 6a01 }
            // n = 6, score = 200
            //   83c408               | add                 esp, 8
            //   85f6                 | test                esi, esi
            //   741b                 | je                  0x1d
            //   56                   | push                esi
            //   6800700000           | push                0x7000
            //   6a01                 | push                1

        $sequence_9 = { 7559 8b4c2408 51 ff15???????? 8d942410010000 6804010000 }
            // n = 6, score = 200
            //   7559                 | jne                 0x5b
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d942410010000       | lea                 edx, [esp + 0x110]
            //   6804010000           | push                0x104

    condition:
        7 of them and filesize < 147456
}

Download all Yara Rules

8.t Dropper Propose Change

References

Yara Rules

8.t Dropper