win.attor

Attor


Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor's core is its dispatcher, which serves as a management unit for the additional plugins that provide all of the malware's key capabilities. This lets the attackers customize the platform on a per-victim basis. The plugins are heavily synchronized with each other. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin detects connected GSM/GPRS modems and mobile devices. Attor speaks to them directly using the AT command set in order to collect identifiers such as the IMEI, IMSI and MSISDN, which can identify both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin that captures the victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, and file-sharing and messaging services.
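The GSM fingerprinting described above, as an added example that is not Attor's code or ESET's: a minimal AT client that queries a modem for the identifiers the text names, using the standard 3GPP TS 27.007 commands AT+CGMI, AT+CGMM, AT+CGSN, AT+CIMI and AT+CNUM. This page does not give the exact command set the Attor plugin sends, so the command list is an assumption based on the standard. The FakeModem class, the vendor and model strings, the IMSI and the MSISDN are constructed so the script runs offline; the IMEI 490154203237518 is a widely used example value, not a real handset. On a real host the transport would be a pyserial Serial object opened on the modem's COM port, which offers the same write() and readline() methods.

```python
import re

# Standard 3GPP TS 27.007 queries for the identifiers named in the text. This page
# does not list the commands the Attor plugin actually sends; this set is an assumption.
QUERIES = {
    "manufacturer": "AT+CGMI",   # vendor name
    "model":        "AT+CGMM",   # model name
    "imei":         "AT+CGSN",   # device serial number (IMEI)
    "imsi":         "AT+CIMI",   # subscriber identity stored on the SIM
    "msisdn":       "AT+CNUM",   # subscriber phone number(s)
}
FINAL_OK = "OK"
FINAL_ERRORS = ("ERROR", "+CME ERROR", "+CMS ERROR")


class FakeModem:
    """Constructed stand-in for a serial port so the script runs offline.
    pyserial's Serial object offers the same write()/readline() methods."""

    def __init__(self, answers):
        self._answers = answers      # command -> list of information lines
        self._pending = []

    def write(self, data):
        cmd = data.decode("ascii").strip().upper()
        lines = self._answers.get(cmd)
        if lines is None:
            self._pending += ["", "ERROR"]                    # unknown command
        else:
            self._pending += [""] + list(lines) + ["", FINAL_OK]
        return len(data)

    def readline(self):
        if not self._pending:
            return b""
        return (self._pending.pop(0) + "\r\n").encode("ascii")


def at_command(port, cmd, max_lines=64):
    """Send one command and return its information lines, or None if the modem
    answered with an error or never sent a final result code."""
    port.write((cmd + "\r").encode("ascii"))
    lines = []
    for _ in range(max_lines):
        raw = port.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").strip()
        if not line or line == cmd:           # blank separator or command echo
            continue
        if line == FINAL_OK:
            return lines
        if line.startswith(FINAL_ERRORS):
            return None
        lines.append(line)
    return None


def imei_check_digit_ok(imei):
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_cnum(lines):
    """+CNUM: [<alpha>],<number>,<type>; type 145 means the number is international."""
    for line in lines:
        m = re.match(r'\+CNUM:\s*"[^"]*",\s*"([^"]+)",\s*\d+', line)
        if m:
            return m.group(1)
    return None


def fingerprint_modem(port):
    """Query the modem and return the identifiers the text names, plus sanity checks."""
    result = {}
    for key, cmd in QUERIES.items():
        lines = at_command(port, cmd)
        if lines is None:
            result[key] = None
        elif key == "msisdn":
            result[key] = parse_cnum(lines)
        else:
            # Some modems prefix the value ("+CGSN: 4901..."); keep only the value part.
            result[key] = lines[0].split(":", 1)[-1].strip()
    imei, imsi = result.get("imei"), result.get("imsi")
    result["imei_valid"] = bool(imei) and imei_check_digit_ok(imei)
    # The first three IMSI digits are always the MCC; the MNC length varies by country.
    result["imsi_mcc"] = imsi[:3] if imsi and re.fullmatch(r"\d{14,15}", imsi) else None
    return result


# Constructed answers. 490154203237518 is a widely used example IMEI, not a real handset.
SAMPLE_MODEM = FakeModem({
    "AT+CGMI": ["ExampleVendor"],
    "AT+CGMM": ["GPRS-Modem-1"],
    "AT+CGSN": ["490154203237518"],
    "AT+CIMI": ["310150123456789"],
    "AT+CNUM": ['+CNUM: "","+15551234567",145'],
})

if __name__ == "__main__":
    for key, value in fingerprint_modem(SAMPLE_MODEM).items():
        print("%-12s %s" % (key, value))
```

Five short commands are enough to tie a device and its subscriber together, which is why the plugin is worth noticing. The Luhn check is worth keeping in any parser of modem output: a value that fails it is garbled or a placeholder, so it is a cheap filter on harvested data. When hunting for a plugin of this kind, the same command strings (AT+CGSN, AT+CIMI, AT+CNUM) are what to look for in a binary that has no business opening serial ports.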

References

2022-05-09 cocomelonc (cocomelonc)
@online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} }

2019-10-11 Unian.Ua (Unian.Ua)
@online{unianua:20191011:international:9c4693c, author = {Unian.Ua}, title = {{International IT company warns of a number of spy attacks on government and diplomatic institutions in Eastern Europe}}, date = {2019-10-11}, organization = {Unian.Ua}, url = {https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html}, language = {Ukrainian}, urldate = {2020-01-08} }

2019-10-11 CNews (Roman Georgiev)
@online{georgiev:20191011:7:a4962f1, author = {Roman Georgiev}, title = {{За российскими дипломатами 7 лет следят с помощью шпионского ПО}}, date = {2019-10-11}, organization = {c news}, url = {https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami}, language = {Russian}, urldate = {2019-11-29} }
(English title: Russian diplomats have been spied on with spyware for 7 years)

2019-10-10 ESET Research (Zuzana Hromcová)
@online{hromcov:20191010:eset:70f9671, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform}, language = {English}, urldate = {2020-04-06} }

2019-10-10 Threatpost (Tara Seals)
@online{seals:20191010:sophisticated:131b6b8, author = {Tara Seals}, title = {{Sophisticated Spy Kit Targets Russians with Rare GSM Plugin}}, date = {2019-10-10}, organization = {Threatpost}, url = {https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/}, language = {English}, urldate = {2020-01-09} }

2019-10-10 ZDNet (Catalin Cimpanu)
@online{cimpanu:20191010:new:3f09021, author = {Catalin Cimpanu}, title = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}}, date = {2019-10-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/}, language = {English}, urldate = {2020-01-06} }

2019-10 ESET Research (Zuzana Hromcová)
@techreport{hromcov:201910:at:3b4754e, author = {Zuzana Hromcová}, title = {{AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM}}, date = {2019-10}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf}, language = {English}, urldate = {2020-01-13} }
Yara Rules
[TLP:WHITE] win_attor_auto (20221125 | Detects win.attor.)
rule win_attor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.attor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Annotations decode sequences containing REX prefixes (0x40-0x4f) as x86-64
        // and the others as 32-bit x86. Branch targets are shown as their rel8/rel32
        // displacement. The ?? bytes are call/jmp displacements and absolute data
        // addresses, which the generator wildcards (see signator_config above)
        // because they differ between builds.
        $sequence_0 = { 83f801 7411 3d81000000 740a }
            // n = 4, score = 400
            //   83f801               | cmp                 eax, 1
            //   7411                 | je                  +0x11
            //   3d81000000           | cmp                 eax, 0x81
            //   740a                 | je                  +0xa

        $sequence_1 = { 488d4c2440 4889442440 e8???????? 48395c2430 0f8447010000 b101 e8???????? }
            // n = 7, score = 300
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   e8????????           | call                rel32
            //   48395c2430           | cmp                 qword ptr [rsp + 0x30], rbx
            //   0f8447010000         | je                  +0x147
            //   b101                 | mov                 cl, 1
            //   e8????????           | call                rel32

        $sequence_2 = { 488d5a08 488bcb e8???????? 488d542440 488d4c2458 4889442458 e8???????? }
            // n = 7, score = 300
            //   488d5a08             | lea                 rbx, [rdx + 8]
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                rel32
            //   488d542440           | lea                 rdx, [rsp + 0x40]
            //   488d4c2458           | lea                 rcx, [rsp + 0x58]
            //   4889442458           | mov                 qword ptr [rsp + 0x58], rax
            //   e8????????           | call                rel32

        $sequence_3 = { 4885c9 7427 488b842490000000 48899c2490000000 488901 }
            // n = 5, score = 300
            //   4885c9               | test                rcx, rcx
            //   7427                 | je                  +0x27
            //   488b842490000000     | mov                 rax, qword ptr [rsp + 0x90]
            //   48899c2490000000     | mov                 qword ptr [rsp + 0x90], rbx
            //   488901               | mov                 qword ptr [rcx], rax

        $sequence_4 = { 4032ed 8bd8 e9???????? 488b4c2430 4533c0 }
            // n = 5, score = 300
            //   4032ed               | xor                 bpl, bpl
            //   8bd8                 | mov                 ebx, eax
            //   e9????????           | jmp                 rel32
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   4533c0               | xor                 r8d, r8d

        $sequence_5 = { 7411 33c9 e8???????? 488b4c2430 e8???????? }
            // n = 5, score = 300
            //   7411                 | je                  +0x11
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           | call                rel32
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   e8????????           | call                rel32

        $sequence_6 = { 740f 33c9 e8???????? 498bcd e8???????? 4c8b6c2448 4d85e4 }
            // n = 7, score = 300
            //   740f                 | je                  +0xf
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           | call                rel32
            //   498bcd               | mov                 rcx, r13
            //   e8????????           | call                rel32
            //   4c8b6c2448           | mov                 r13, qword ptr [rsp + 0x48]
            //   4d85e4               | test                r12, r12

        $sequence_7 = { 4032ed eb08 bb08000000 4032ed 4c8b6c2460 48837c243000 }
            // n = 6, score = 300
            //   4032ed               | xor                 bpl, bpl
            //   eb08                 | jmp                 +8
            //   bb08000000           | mov                 ebx, 8
            //   4032ed               | xor                 bpl, bpl
            //   4c8b6c2460           | mov                 r13, qword ptr [rsp + 0x60]
            //   48837c243000         | cmp                 qword ptr [rsp + 0x30], 0

        $sequence_8 = { 7467 6a01 e8???????? 8b7c2414 }
            // n = 4, score = 200
            //   7467                 | je                  +0x67
            //   6a01                 | push                1
            //   e8????????           | call                rel32
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]

        $sequence_9 = { 740a 83f808 7405 83f811 }
            // n = 4, score = 200
            //   740a                 | je                  +0xa
            //   83f808               | cmp                 eax, 8
            //   7405                 | je                  +5
            //   83f811               | cmp                 eax, 0x11

        $sequence_10 = { c60000 8b442410 c6400103 8b4c2410 66895902 8b542410 8bcd }
            // n = 7, score = 200
            //   c60000               | mov                 byte ptr [eax], 0
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   c6400103             | mov                 byte ptr [eax + 1], 3
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   66895902             | mov                 word ptr [ecx + 2], bx
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   8bcd                 | mov                 ecx, ebp

        $sequence_11 = { 6a02 52 ffd5 85c0 0f8433010000 8b74243c }
            // n = 6, score = 200
            //   6a02                 | push                2
            //   52                   | push                edx
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   0f8433010000         | je                  +0x133
            //   8b74243c             | mov                 esi, dword ptr [esp + 0x3c]

        $sequence_12 = { 8b542418 50 33ff 51 57 6a02 52 }
            // n = 7, score = 200
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   50                   | push                eax
            //   33ff                 | xor                 edi, edi
            //   51                   | push                ecx
            //   57                   | push                edi
            //   6a02                 | push                2
            //   52                   | push                edx

        $sequence_13 = { 897c241c 897c2418 897c2424 897c242c }
            // n = 4, score = 200
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi
            //   897c2424             | mov                 dword ptr [esp + 0x24], edi
            //   897c242c             | mov                 dword ptr [esp + 0x2c], edi

        $sequence_14 = { 8b542418 52 ff15???????? 83c408 8b74241c }
            // n = 5, score = 200
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   52                   | push                edx
            //   ff15????????         | call                dword ptr [imm32]   (absolute indirect, as in an import call)
            //   83c408               | add                 esp, 8
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]

    condition:
        7 of them and filesize < 2023424
}
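An added example, not part of the Malpedia page or of the yara-signator tool: a small Python scanner that evaluates the rule above without the yara binary, to show how its condition is decided. It compiles each hex string, including the ?? wildcards that stand in for call and jump displacements and absolute addresses, into a bytes regex, counts how many of the fifteen sequences occur at least once in a buffer, and applies `7 of them and filesize < 2023424`. The buffers it scans by default are constructed from the rule's own patterns with the wildcards filled with zeros, so it runs offline; on a real case you would pass the path of an unpacked file or memory dump, since the disclaimer in the rule says the sequences were taken from such dumps.

```python
import re

# The fifteen hex strings from win_attor_auto, copied from the rule above.
SEQUENCES = {
    "sequence_0":  "83f801 7411 3d81000000 740a",
    "sequence_1":  "488d4c2440 4889442440 e8???????? 48395c2430 0f8447010000 b101 e8????????",
    "sequence_2":  "488d5a08 488bcb e8???????? 488d542440 488d4c2458 4889442458 e8????????",
    "sequence_3":  "4885c9 7427 488b842490000000 48899c2490000000 488901",
    "sequence_4":  "4032ed 8bd8 e9???????? 488b4c2430 4533c0",
    "sequence_5":  "7411 33c9 e8???????? 488b4c2430 e8????????",
    "sequence_6":  "740f 33c9 e8???????? 498bcd e8???????? 4c8b6c2448 4d85e4",
    "sequence_7":  "4032ed eb08 bb08000000 4032ed 4c8b6c2460 48837c243000",
    "sequence_8":  "7467 6a01 e8???????? 8b7c2414",
    "sequence_9":  "740a 83f808 7405 83f811",
    "sequence_10": "c60000 8b442410 c6400103 8b4c2410 66895902 8b542410 8bcd",
    "sequence_11": "6a02 52 ffd5 85c0 0f8433010000 8b74243c",
    "sequence_12": "8b542418 50 33ff 51 57 6a02 52",
    "sequence_13": "897c241c 897c2418 897c2424 897c242c",
    "sequence_14": "8b542418 52 ff15???????? 83c408 8b74241c",
}
REQUIRED_HITS = 7           # "7 of them"
MAX_FILESIZE = 2023424      # "filesize < 2023424"


def hex_string_to_regex(pattern):
    """Compile a YARA hex string into a bytes regex. Each 'xx' token is a literal
    byte and each '??' token matches any single byte (YARA's wildcard)."""
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex string has odd length: %r" % pattern)
    parts = []
    for i in range(0, len(tokens), 2):
        tok = tokens[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(p) for name, p in SEQUENCES.items()}


def find_sequences(data):
    """Return {sequence name: [offsets]} for every sequence present in data."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data):
    """Evaluate 'condition: 7 of them and filesize < 2023424' the way YARA does:
    a string counts once however many times it occurs. Returns (bool, hits)."""
    hits = find_sequences(data)
    matched = len(data) < MAX_FILESIZE and len(hits) >= REQUIRED_HITS
    return matched, hits


def build_sample_buffer(names, filler=b"\xcc" * 16):
    """Constructed test input: the named sequences with wildcards set to 0x00,
    separated by int3 padding. Stands in for an unpacked sample or memory dump."""
    chunks = [filler]
    for name in names:
        tokens = SEQUENCES[name].replace(" ", "")
        raw = bytes(0 if tokens[i:i + 2] == "??" else int(tokens[i:i + 2], 16)
                    for i in range(0, len(tokens), 2))
        chunks += [raw, filler]
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_buffer(["sequence_%d" % i for i in range(7)])
    matched, hits = rule_matches(data)
    print("win_attor_auto: %s (%d of %d sequences)"
          % ("MATCH" if matched else "no match", len(hits), len(SEQUENCES)))
    for name, offsets in sorted(hits.items()):
        print("  %-12s at %s" % (name, ", ".join("0x%x" % o for o in offsets)))
```

This is not a substitute for yara; its value is that it reports which sequences hit and at what offsets, so a hit can be checked against a disassembler, and it makes the rule's threshold visible: six of the fifteen sequences present is a miss, seven is a match, and a buffer at or over the filesize limit never matches regardless of content. Run it with no arguments for the constructed buffer or with a file path to scan that file.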