win.attor

Attor
Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor's core lies in its dispatcher, which serves as a management unit for additional plugins that provide all of the malware's key capabilities. This allows the attackers to customize the platform on a per-victim basis. The plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing the victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.

References
2022-12-09 | cocomelonc | cocomelonc
@online{cocomelonc:20221209:malware:cff0b3d, author = {cocomelonc}, title = {{Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.}}, date = {2022-12-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html}, language = {English}, urldate = {2022-12-12} }
Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.
Families: Attor, Zebrocy

2022-05-09 | cocomelonc | cocomelonc
@online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} }
Malware development: persistence - part 4. Windows services. Simple C++ example.
Families: Anchor, AppleJeus, Attor, BBSRAT, BlackEnergy, Carbanak, Cobalt Strike, DuQu

2019-10-11 | Unian.Ua | Unian.Ua
@online{unianua:20191011:international:9c4693c, author = {Unian.Ua}, title = {{International IT company warns of a number of spy attacks on government and diplomatic institutions in Eastern Europe}}, date = {2019-10-11}, organization = {Unian.Ua}, url = {https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html}, language = {Ukrainian}, urldate = {2020-01-08} }
International IT company warns of a number of spy attacks on government and diplomatic institutions in Eastern Europe
Families: Attor

2019-10-11 | c news | Roman Georgiev
@online{georgiev:20191011:7:a4962f1, author = {Roman Georgiev}, title = {{За российскими дипломатами 7 лет следят с помощью шпионского ПО}}, date = {2019-10-11}, organization = {c news}, url = {https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami}, language = {Russian}, urldate = {2019-11-29} }
Russian diplomats have been spied on with spyware for 7 years
Families: Attor

2019-10-10 | ESET Research | Zuzana Hromcová
@online{hromcov:20191010:eset:70f9671, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform}, language = {English}, urldate = {2020-04-06} }
ESET discovers Attor, a spy platform with curious GSM fingerprinting
Families: Attor

2019-10-10 | Threatpost | Tara Seals
@online{seals:20191010:sophisticated:131b6b8, author = {Tara Seals}, title = {{Sophisticated Spy Kit Targets Russians with Rare GSM Plugin}}, date = {2019-10-10}, organization = {Threatpost}, url = {https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/}, language = {English}, urldate = {2020-01-09} }
Sophisticated Spy Kit Targets Russians with Rare GSM Plugin
Families: Attor

2019-10-10 | ESET Research | Zuzana Hromcová
@online{hromcov:20191010:eset:d4155ed, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/}, language = {English}, urldate = {2020-02-13} }
ESET discovers Attor, a spy platform with curious GSM fingerprinting
Families: Attor

2019-10-10 | ZDNet | Catalin Cimpanu
@online{cimpanu:20191010:new:3f09021, author = {Catalin Cimpanu}, title = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}}, date = {2019-10-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/}, language = {English}, urldate = {2020-01-06} }
New espionage malware found targeting Russian-speaking users in Eastern Europe
Families: Attor

2019-10 | ESET Research | Zuzana Hromcová
@techreport{hromcov:201910:at:3b4754e, author = {Zuzana Hromcová}, title = {{AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM}}, date = {2019-10}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf}, language = {English}, urldate = {2020-01-13} }
AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM
Families: Attor
Yara Rules
[TLP:WHITE] win_attor_auto (20230407 | Detects win.attor.)
rule win_attor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.attor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f801 7411 3d81000000 740a }
            // n = 4, score = 400
            //   83f801               | cmp                 eax, 1
            //   7411                 | je                  0x13
            //   3d81000000           | cmp                 eax, 0x81
            //   740a                 | je                  0xc

        // Note: the byte sequences below are what the rule matches on; the
        // disassembly comments are annotations only. Sequences 1-7 carry REX
        // prefixes and decode as x86-64, sequences 0 and 8-15 as 32-bit x86.
        // Jump targets are given relative to the start of the jump instruction.

        $sequence_1 = { 488b442440 488b8c2490000000 4533c0 418d5002 4d8bcf }
            // n = 5, score = 300
            //   488b442440           | mov                 rax, qword ptr [rsp + 0x40]
            //   488b8c2490000000     | mov                 rcx, qword ptr [rsp + 0x90]
            //   4533c0               | xor                 r8d, r8d
            //   418d5002             | lea                 edx, [r8 + 2]
            //   4d8bcf               | mov                 r9, r15

        $sequence_2 = { 4c8b5c2440 4d85db 743a 418833 488b442440 4c8bc5 c6400103 }
            // n = 7, score = 300
            //   4c8b5c2440           | mov                 r11, qword ptr [rsp + 0x40]
            //   4d85db               | test                r11, r11
            //   743a                 | je                  0x3c
            //   418833               | mov                 byte ptr [r11], sil
            //   488b442440           | mov                 rax, qword ptr [rsp + 0x40]
            //   4c8bc5               | mov                 r8, rbp
            //   c6400103             | mov                 byte ptr [rax + 1], 3

        $sequence_3 = { 48895c2430 488901 488b8c24a8000000 4885c9 7427 488b842490000000 }
            // n = 6, score = 300
            //   48895c2430           | mov                 qword ptr [rsp + 0x30], rbx
            //   488901               | mov                 qword ptr [rcx], rax
            //   488b8c24a8000000     | mov                 rcx, qword ptr [rsp + 0xa8]
            //   4885c9               | test                rcx, rcx
            //   7427                 | je                  0x29
            //   488b842490000000     | mov                 rax, qword ptr [rsp + 0x90]

        $sequence_4 = { 488bcf 418d5101 ff15???????? 85c0 7510 ff15???????? 4032ed }
            // n = 7, score = 300
            //   488bcf               | mov                 rcx, rdi
            //   418d5101             | lea                 edx, [r9 + 1]
            //   ff15????????         | call                qword ptr [rip + ?]   (target wildcarded)
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   ff15????????         | call                qword ptr [rip + ?]   (target wildcarded)
            //   4032ed               | xor                 bpl, bpl

        $sequence_5 = { 8919 418ac6 4883c468 415e }
            // n = 4, score = 300
            //   8919                 | mov                 dword ptr [rcx], ebx
            //   418ac6               | mov                 al, r14b
            //   4883c468             | add                 rsp, 0x68
            //   415e                 | pop                 r14

        $sequence_6 = { e8???????? 48399c2490000000 0f846b020000 b101 e8???????? 488b8c2490000000 }
            // n = 6, score = 300
            //   e8????????           | call                ?                     (target wildcarded)
            //   48399c2490000000     | cmp                 qword ptr [rsp + 0x90], rbx
            //   0f846b020000         | je                  0x271
            //   b101                 | mov                 cl, 1
            //   e8????????           | call                ?                     (target wildcarded)
            //   488b8c2490000000     | mov                 rcx, qword ptr [rsp + 0x90]

        $sequence_7 = { 488bac2488000000 48c784248000000000000000 4885f6 740f 33c9 e8???????? }
            // n = 6, score = 300
            //   488bac2488000000     | mov                 rbp, qword ptr [rsp + 0x88]
            //   48c784248000000000000000     | mov    qword ptr [rsp + 0x80], 0
            //   4885f6               | test                rsi, rsi
            //   740f                 | je                  0x11
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           | call                ?                     (target wildcarded)

        $sequence_8 = { 68???????? e8???????? 8b542444 89442434 8b44242c 8d741008 56 }
            // n = 7, score = 200
            //   68????????           | push                ?                     (immediate wildcarded)
            //   e8????????           | call                ?                     (target wildcarded)
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   8d741008             | lea                 esi, [eax + edx + 8]
            //   56                   | push                esi

        $sequence_9 = { ffd5 85c0 0f8433010000 8b74243c 33c0 8bce }
            // n = 6, score = 200
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   0f8433010000         | je                  0x139
            //   8b74243c             | mov                 esi, dword ptr [esp + 0x3c]
            //   33c0                 | xor                 eax, eax
            //   8bce                 | mov                 ecx, esi

        $sequence_10 = { 8b44241c 85c0 0f8452ffffff 6a00 e8???????? 8b442420 }
            // n = 6, score = 200
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f8452ffffff         | je                  0xffffffa8            (backward jump)
            //   6a00                 | push                0
            //   e8????????           | call                ?                     (target wildcarded)
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]

        $sequence_11 = { 740a 83f808 7405 83f811 }
            // n = 4, score = 200
            //   740a                 | je                  0xc
            //   83f808               | cmp                 eax, 8
            //   7405                 | je                  7
            //   83f811               | cmp                 eax, 0x11

        $sequence_12 = { e8???????? 8b4c241c 51 ffd6 83c408 }
            // n = 5, score = 200
            //   e8????????           | call                ?                     (target wildcarded)
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   83c408               | add                 esp, 8

        $sequence_13 = { 52 50 e8???????? 8b442424 83c40c 85c0 0f84e1000000 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           | call                ?                     (target wildcarded)
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f84e1000000         | je                  0xe7

        $sequence_14 = { 0f8483000000 6a02 55 50 ff15???????? }
            // n = 5, score = 200
            //   0f8483000000         | je                  0x89
            //   6a02                 | push                2
            //   55                   | push                ebp
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [?]         (target wildcarded)

        $sequence_15 = { 8908 8b44243c 3bc7 7434 8b54241c 897c241c }
            // n = 6, score = 200
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   3bc7                 | cmp                 eax, edi
            //   7434                 | je                  0x36
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi

    condition:
        7 of them and filesize < 2023424
}
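As an added example (not part of the rule above or of Malpedia's tooling), the following Python mini-matcher shows how the rule's hex strings with `??` wildcards and its `7 of them and filesize < 2023424` condition evaluate. It carries eight of the sixteen sequences verbatim, builds a constructed test buffer with the wildcard bytes filled in, and runs offline without yara-python; the filler bytes and the 0xAA wildcard fill are assumptions.

```python
import re

# Hex strings copied from win_attor_auto; "??" is a one-byte wildcard that
# masks the call/jump/immediate operands yara-signator left out.
ATTOR_SEQUENCES = {
    "sequence_0": "83f801 7411 3d81000000 740a",
    "sequence_4": "488bcf 418d5101 ff15???????? 85c0 7510 ff15???????? 4032ed",
    "sequence_8": "68???????? e8???????? 8b542444 89442434 8b44242c 8d741008 56",
    "sequence_11": "740a 83f808 7405 83f811",
    "sequence_12": "e8???????? 8b4c241c 51 ffd6 83c408",
    "sequence_14": "0f8483000000 6a02 55 50 ff15????????",
    "sequence_15": "8908 8b44243c 3bc7 7434 8b54241c 897c241c",
    "sequence_5": "8919 418ac6 4883c468 415e",
}
MAX_FILESIZE = 2023424  # the rule's filesize bound, in bytes
TOKEN = re.compile(r"\?\?|[0-9a-fA-F]{2}")  # one byte or one wildcard per token


def hex_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex ('??' -> any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in TOKEN.findall(hex_string)]
    return re.compile(b"".join(parts), re.DOTALL)


def matched_sequences(data):
    """Names of the rule strings found anywhere in data, like YARA's 'them'."""
    return sorted(name for name, h in ATTOR_SEQUENCES.items()
                  if hex_to_regex(h).search(data))


def rule_fires(data, required=7):
    """Evaluate the condition '7 of them and filesize < 2023424'."""
    return len(data) < MAX_FILESIZE and len(matched_sequences(data)) >= required


def build_sample(names, filler=b"\x90" * 16):
    """Constructed test buffer (assumption): the chosen sequences, wildcard
    bytes filled with 0xAA, separated by NOP filler."""
    out = bytearray()
    for name in names:
        for tok in TOKEN.findall(ATTOR_SEQUENCES[name]):
            out += b"\xaa" if tok == "??" else bytes.fromhex(tok)
        out += filler
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample(list(ATTOR_SEQUENCES))
    print(matched_sequences(sample), rule_fires(sample))
```

Six matching sequences are not enough for the rule to fire, and a buffer at or above the filesize bound never fires no matter how many sequences it contains.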