win.attor

Attor


Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor’s core is its dispatcher, which serves as the management unit for the additional plugins that provide all of the malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. The plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing the victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.

References
Date | Source | Author | Title | Families
2022-12-09 | cocomelonc | cocomelonc | Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example. | Attor, Zebrocy
2022-05-09 | cocomelonc | cocomelonc | Malware development: persistence - part 4. Windows services. Simple C++ example. | Anchor, AppleJeus, Attor, BBSRAT, BlackEnergy, Carbanak, Cobalt Strike, DuQu
2019-10-11 | c news | Roman Georgiev | Russian diplomats have been spied on for 7 years using spyware | Attor
2019-10-11 | Unian.Ua | Unian.Ua | International IT company warns of a number of spy attacks on government and diplomatic institutions in Eastern Europe | Attor
2019-10-10 | Threatpost | Tara Seals | Sophisticated Spy Kit Targets Russians with Rare GSM Plugin | Attor
2019-10-10 | ZDNet | Catalin Cimpanu | New espionage malware found targeting Russian-speaking users in Eastern Europe | Attor
2019-10-10 | ESET Research | Zuzana Hromcová | ESET discovers Attor, a spy platform with curious GSM fingerprinting | Attor
2019-10-10 | ESET Research | Zuzana Hromcová | ESET discovers Attor, a spy platform with curious GSM fingerprinting | Attor
2019-10-01 | ESET Research | Zuzana Hromcová | AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM | Attor
Yara Rules
[TLP:WHITE] win_attor_auto (20260504 | Detects win.attor.)
rule win_attor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.attor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f801 7411 3d81000000 740a }
            // n = 4, score = 400
            //   83f801               | cmp                 eax, 1
            //   7411                 | je                  0x13
            //   3d81000000           | cmp                 eax, 0x81
            //   740a                 | je                  0xc

        $sequence_1 = { 48894718 8d5001 48894720 ff15???????? }
            // n = 4, score = 300
            //   48894718             | mov                 qword ptr [rdi + 0x18], rax
            //   8d5001               | lea                 edx, [rax + 1]
            //   48894720             | mov                 qword ptr [rdi + 0x20], rax
            //   ff15????????         |                     

        $sequence_2 = { 488b742458 4d85ed 7404 41895d00 418ac4 }
            // n = 5, score = 300
            //   488b742458           | mov                 rsi, qword ptr [rsp + 0x58]
            //   4d85ed               | test                r13, r13
            //   7404                 | je                  6
            //   41895d00             | mov                 dword ptr [r13], ebx
            //   418ac4               | mov                 al, r12b

        $sequence_3 = { 488958a8 48895808 4885c9 0f8427030000 4885d2 }
            // n = 5, score = 300
            //   488958a8             | mov                 qword ptr [rax - 0x58], rbx
            //   48895808             | mov                 qword ptr [rax + 8], rbx
            //   4885c9               | test                rcx, rcx
            //   0f8427030000         | je                  0x32d
            //   4885d2               | test                rdx, rdx

        $sequence_4 = { 488d4c2440 4889442440 e8???????? 48395c2430 }
            // n = 4, score = 300
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   e8????????           |                     
            //   48395c2430           | cmp                 qword ptr [rsp + 0x30], rbx

        $sequence_5 = { 4a8d6c2808 488bcd e8???????? 488d942490000000 488d4c2438 4889442438 }
            // n = 6, score = 300
            //   4a8d6c2808           | lea                 rbp, [rax + r13 + 8]
            //   488bcd               | mov                 rcx, rbp
            //   e8????????           |                     
            //   488d942490000000     | lea                 rdx, [rsp + 0x90]
            //   488d4c2438           | lea                 rcx, [rsp + 0x38]
            //   4889442438           | mov                 qword ptr [rsp + 0x38], rax

        $sequence_6 = { 7411 33c9 e8???????? 488b4c2430 e8???????? }
            // n = 5, score = 300
            //   7411                 | je                  0x13
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   e8????????           |                     

        $sequence_7 = { 55 4883ec78 48897010 488978e8 4c8960e0 }
            // n = 5, score = 300
            //   55                   | push                rbp
            //   4883ec78             | sub                 rsp, 0x78
            //   48897010             | mov                 qword ptr [rax + 0x10], rsi
            //   488978e8             | mov                 qword ptr [rax - 0x18], rdi
            //   4c8960e0             | mov                 qword ptr [rax - 0x20], r12

        $sequence_8 = { 83c40c 85c0 0f84ef000000 6a01 e8???????? }
            // n = 5, score = 200
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f84ef000000         | je                  0xf5
            //   6a01                 | push                1
            //   e8????????           |                     

        $sequence_9 = { e8???????? 57 ffd6 83c408 8b442440 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   83c408               | add                 esp, 8
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]

        $sequence_10 = { 83c40c 3bc7 8944241c 0f84f3000000 8b4c2424 8d6908 55 }
            // n = 7, score = 200
            //   83c40c               | add                 esp, 0xc
            //   3bc7                 | cmp                 eax, edi
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   0f84f3000000         | je                  0xf9
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   8d6908               | lea                 ebp, [ecx + 8]
            //   55                   | push                ebp

        $sequence_11 = { 740a 83f808 7405 83f811 }
            // n = 4, score = 200
            //   740a                 | je                  0xc
            //   83f808               | cmp                 eax, 8
            //   7405                 | je                  7
            //   83f811               | cmp                 eax, 0x11

        $sequence_12 = { 83c404 83e103 f3aa 8b442418 85c0 0f8422020000 }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   83e103               | and                 ecx, 3
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   85c0                 | test                eax, eax
            //   0f8422020000         | je                  0x228

        $sequence_13 = { 8b542444 89442434 8b44242c 8d741008 56 }
            // n = 5, score = 200
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   8d741008             | lea                 esi, [eax + edx + 8]
            //   56                   | push                esi

        $sequence_14 = { ffd5 85c0 0f8433010000 8b74243c 33c0 8bce 6a01 }
            // n = 7, score = 200
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   0f8433010000         | je                  0x139
            //   8b74243c             | mov                 esi, dword ptr [esp + 0x3c]
            //   33c0                 | xor                 eax, eax
            //   8bce                 | mov                 ecx, esi
            //   6a01                 | push                1

        $sequence_15 = { 8b44241c 83c40c 3bc7 7465 6a01 }
            // n = 5, score = 200
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   3bc7                 | cmp                 eax, edi
            //   7465                 | je                  0x67
            //   6a01                 | push                1

    condition:
        7 of them and filesize < 2023424
}
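To make the rule's condition concrete, the following Python is an added example written for this page, not code from Malpedia or from yara-signator. It reimplements the small part of YARA's hex-string syntax that the rule uses (fixed bytes and `?` nibble wildcards) as byte regexes, evaluates the `7 of them and filesize < 2023424` condition over in-memory buffers, and exercises it on constructed buffers assembled from the rule's own sequences. The sample buffers, the zero padding between sequences and the 0x90 fill byte for wildcards are constructed here; real scanning should use YARA itself (for example yara-python), this harness only shows how the threshold and the wildcards behave.

```python
import re

# Hex strings copied from the win_attor_auto rule above (yara-signator output).
# "??" is YARA's single-byte wildcard; the rule uses it to mask call targets and
# other displacements that differ between builds.
SEQUENCES = {
    "sequence_0": "83f801 7411 3d81000000 740a",
    "sequence_1": "48894718 8d5001 48894720 ff15????????",
    "sequence_2": "488b742458 4d85ed 7404 41895d00 418ac4",
    "sequence_3": "488958a8 48895808 4885c9 0f8427030000 4885d2",
    "sequence_4": "488d4c2440 4889442440 e8???????? 48395c2430",
    "sequence_5": "4a8d6c2808 488bcd e8???????? 488d942490000000 488d4c2438 4889442438",
    "sequence_6": "7411 33c9 e8???????? 488b4c2430 e8????????",
    "sequence_7": "55 4883ec78 48897010 488978e8 4c8960e0",
    "sequence_8": "83c40c 85c0 0f84ef000000 6a01 e8????????",
    "sequence_9": "e8???????? 57 ffd6 83c408 8b442440",
    "sequence_10": "83c40c 3bc7 8944241c 0f84f3000000 8b4c2424 8d6908 55",
    "sequence_11": "740a 83f808 7405 83f811",
    "sequence_12": "83c404 83e103 f3aa 8b442418 85c0 0f8422020000",
    "sequence_13": "8b542444 89442434 8b44242c 8d741008 56",
    "sequence_14": "ffd5 85c0 0f8433010000 8b74243c 33c0 8bce 6a01",
    "sequence_15": "8b44241c 83c40c 3bc7 7465 6a01",
}
# The rule's condition: "7 of them and filesize < 2023424".
REQUIRED_MATCHES = 7
FILESIZE_LIMIT = 2023424

HEX_DIGITS = "0123456789abcdef"


def _byte_tokens(hexstr):
    """Split a YARA hex string into two-character tokens ("83", "f8", "??", "?5")."""
    compact = hexstr.replace(" ", "").lower()
    if len(compact) % 2:
        raise ValueError("hex string has an odd number of nibbles: %r" % hexstr)
    return [compact[i:i + 2] for i in range(0, len(compact), 2)]


def hex_pattern_to_regex(hexstr):
    """Compile a YARA hex string (fixed bytes plus ? nibble wildcards) into a bytes regex."""
    parts = []
    for tok in _byte_tokens(hexstr):
        if tok == "??":
            parts.append(b".")  # any single byte
        elif "?" in tok:
            # Half-byte wildcard: enumerate the 16 possible values as a character class.
            choices = [int(tok.replace("?", d), 16) for d in HEX_DIGITS]
            parts.append(b"[" + b"".join(re.escape(bytes([c])) for c in choices) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0a


PATTERNS = {name: hex_pattern_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data):
    """Names of the rule's strings that occur at least once in `data`, in rule order."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def rule_matches(data):
    """Evaluate the win_attor_auto condition over an in-memory buffer."""
    if len(data) >= FILESIZE_LIMIT:
        return False
    return len(matching_sequences(data)) >= REQUIRED_MATCHES


def instantiate(hexstr, fill=0x90):
    """Constructed bytes satisfying one hex string: full wildcards become `fill`,
    nibble wildcards become 0, fixed bytes are kept."""
    out = []
    for tok in _byte_tokens(hexstr):
        if tok == "??":
            out.append(fill)
        elif "?" in tok:
            out.append(int(tok.replace("?", "0"), 16))
        else:
            out.append(int(tok, 16))
    return bytes(out)


def build_sample(count, gap=b"\x00" * 16):
    """Constructed test buffer: the first `count` sequences separated by zero padding."""
    chosen = list(SEQUENCES.values())[:count]
    return gap + gap.join(instantiate(h) for h in chosen) + gap


if __name__ == "__main__":
    for n in (6, 7):
        buf = build_sample(n)
        print("sequences present: %d  matched: %d  rule fires: %s"
              % (n, len(matching_sequences(buf)), rule_matches(buf)))
    too_big = build_sample(7) + b"\x00" * FILESIZE_LIMIT
    print("same content padded past the filesize cap, rule fires:", rule_matches(too_big))
```

Running the block shows the two knobs in the condition: a buffer carrying six of the sequences does not fire, seven does, and the same content padded beyond 2023424 bytes is ignored because the `filesize` clause is checked first. When assigning confidence levels to this rule, as its disclaimer asks, a harness like this is a convenient way to check how many of the 64-bit sequences (sequence_1 to sequence_7, which carry REX prefixes) and 32-bit sequences (sequence_8 to sequence_15) a given sample actually shares.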