SYMBOLCOMMON_NAMEaka. SYNONYMS
win.8t_dropper (Back to overview)

8.t Dropper

aka: 8t_dropper, RoyalRoad

Actor(s): Hellsing, Ice Fog, Pirate Panda, RANCOR, TA428, Tick, Tonto Team, Karma Panda


8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

References
2023-04-05Medium IlanduIlan Duhin
@online{duhin:20230405:portdoor:e39d907, author = {Ilan Duhin}, title = {{PortDoor - APT Backdoor analysis}}, date = {2023-04-05}, organization = {Medium Ilandu}, url = {https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba}, language = {English}, urldate = {2023-04-06} } PortDoor - APT Backdoor analysis
ACBackdoor 8.t Dropper PortDoor
2023-03-07Check Point ResearchCheck Point Research
@online{research:20230307:pandas:2e3c757, author = {Check Point Research}, title = {{Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities}}, date = {2023-03-07}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/}, language = {English}, urldate = {2023-03-13} } Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
8.t Dropper Soul Unidentified 089 (Downloader)
2023-02-07MalGamyMalGamy
@online{malgamy:20230207:approach:ef67110, author = {MalGamy}, title = {{The Approach of TA413 for Tibetan Targets}}, date = {2023-02-07}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage}, language = {English}, urldate = {2023-02-09} } The Approach of TA413 for Tibetan Targets
8.t Dropper LOWZERO
2022-09-22Recorded FutureInsikt Group®
@techreport{group:20220922:chinese:9349a24, author = {Insikt Group®}, title = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}}, date = {2022-09-22}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf}, language = {English}, urldate = {2022-09-26} } Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
8.t Dropper LOWZERO
2022-07-07Sentinel LABSTom Hegel
@online{hegel:20220707:targets:174ab91, author = {Tom Hegel}, title = {{Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs}}, date = {2022-07-07}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/}, language = {English}, urldate = {2022-07-12} } Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs
8.t Dropper Korlia
2021-10-26KasperskyKaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-01-13AlienVaultTom Hegel
@techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder
2021-01-04nao_sec blognao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-09-16RiskIQJon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19RiskIQJon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-08-19NTT SecurityFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200819:operation:445be8c, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: Colorful Panda Footprint}}, date = {2020-08-19}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2022-07-29} } Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-03-21MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } On the Royal Road
8.t Dropper
2020-03-20Medium SebdravenSébastien Larinier
@online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
2020-03-12Check Point ResearchCheck Point
@online{point:20200312:vicious:1d97e93, author = {Check Point}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign}, language = {English}, urldate = {2022-07-25} } Vicious Panda: The COVID Campaign
8.t Dropper Vicious Panda
2020-03-12Check PointCheck Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-11Virus BulletinGhareeb Saad, Michael Raggi
@online{saad:20200311:attribution:3efcc0a, author = {Ghareeb Saad and Michael Raggi}, title = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}}, date = {2020-03-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/}, language = {English}, urldate = {2020-03-13} } Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2019-09-22Check Point ResearchCheck Point Research
@online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-07-23ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
2019-03-05AccentureAccenture
@techreport{accenture:20190305:mudcarps:2e785cc, author = {Accenture}, title = {{MUDCARP's Focus on Submarine Technologies}}, date = {2019-03-05}, institution = {Accenture}, url = {https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf}, language = {English}, urldate = {2022-09-12} } MUDCARP's Focus on Submarine Technologies
8.t Dropper APT40
2019-01-03m4n0w4r
@online{m4n0w4r:20190103:another:2f48120, author = {m4n0w4r}, title = {{Another malicious document with CVE-2017–11882}}, date = {2019-01-03}, url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f}, language = {Vietnamese}, urldate = {2020-03-11} } Another malicious document with CVE-2017–11882
8.t Dropper
2018-11-03m4n0w4r
@online{m4n0w4r:20181103:l:d496fbd, author = {m4n0w4r}, title = {{Là 1937CN hay OceanLotus hay Lazarus …}}, date = {2018-11-03}, url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241}, language = {Vietnamese}, urldate = {2020-03-11} } Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper
2018-07-31Medium SebdravenSébastien Larinier
@online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } Malicious document targets Vietnamese officials
8.t Dropper
Yara Rules
[TLP:WHITE] win_8t_dropper_auto (20230407 | Detects win.8t_dropper.)
rule win_8t_dropper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.8t_dropper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 8b442418 68???????? 50 ff15???????? 85c0 7559 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7559                 | jne                 0x5b

        $sequence_1 = { 68???????? 6a02 50 8b442418 68???????? 50 ff15???????? }
            // n = 7, score = 200
            //   68????????           |                     
            //   6a02                 | push                2
            //   50                   | push                eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_2 = { ff15???????? 85c0 7559 8b4c2408 51 ff15???????? 8d942410010000 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7559                 | jne                 0x5b
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d942410010000       | lea                 edx, [esp + 0x110]

        $sequence_3 = { c6440c0d75 c6440c0e6e 8d4c2408 51 }
            // n = 4, score = 200
            //   c6440c0d75           | mov                 byte ptr [esp + ecx + 0xd], 0x75
            //   c6440c0e6e           | mov                 byte ptr [esp + ecx + 0xe], 0x6e
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   51                   | push                ecx

        $sequence_4 = { 6801000080 ff15???????? bf???????? 83c9ff 33c0 f2ae }
            // n = 6, score = 200
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]

        $sequence_5 = { c6440c0e6e 8d4c2408 51 683f000f00 50 52 }
            // n = 6, score = 200
            //   c6440c0e6e           | mov                 byte ptr [esp + ecx + 0xe], 0x6e
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   51                   | push                ecx
            //   683f000f00           | push                0xf003f
            //   50                   | push                eax
            //   52                   | push                edx

        $sequence_6 = { 83c408 85f6 741b 56 6800700000 6a01 }
            // n = 6, score = 200
            //   83c408               | add                 esp, 8
            //   85f6                 | test                esi, esi
            //   741b                 | je                  0x1d
            //   56                   | push                esi
            //   6800700000           | push                0x7000
            //   6a01                 | push                1

        $sequence_7 = { 68???????? 50 ff15???????? 85c0 7559 8b4c2408 }
            // n = 6, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7559                 | jne                 0x5b
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]

        $sequence_8 = { 8d7c240d c644240c00 f3ab 66ab aa bf???????? 83c9ff }
            // n = 7, score = 200
            //   8d7c240d             | lea                 edi, [esp + 0xd]
            //   c644240c00           | mov                 byte ptr [esp + 0xc], 0
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_9 = { 85f6 741b 56 6800700000 6a01 }
            // n = 5, score = 200
            //   85f6                 | test                esi, esi
            //   741b                 | je                  0x1d
            //   56                   | push                esi
            //   6800700000           | push                0x7000
            //   6a01                 | push                1

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules