win.attor

Attor


Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor’s core lies in its dispatcher, which serves as a management unit for the additional plugins that provide all of the malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing the victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.

References

2022-12-09  cocomelonc (cocomelonc): Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example. [Attor, Zebrocy]
2022-05-09  cocomelonc (cocomelonc): Malware development: persistence - part 4. Windows services. Simple C++ example. [Anchor, AppleJeus, Attor, BBSRAT, BlackEnergy, Carbanak, Cobalt Strike, DuQu]
2019-10-11  CNews (Roman Georgiev): Russian diplomats have been spied on for 7 years using spyware [Attor]
2019-10-11  Unian.Ua (Unian.Ua): International IT company warns of a number of spy attacks on government and diplomatic institutions in Eastern Europe [Attor]
2019-10-10  Threatpost (Tara Seals): Sophisticated Spy Kit Targets Russians with Rare GSM Plugin [Attor]
2019-10-10  ZDNet (Catalin Cimpanu): New espionage malware found targeting Russian-speaking users in Eastern Europe [Attor]
2019-10-10  ESET Research (Zuzana Hromcová): ESET discovers Attor, a spy platform with curious GSM fingerprinting [Attor]
2019-10-01  ESET Research (Zuzana Hromcová): AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM [Attor]
Yara Rules
[TLP:WHITE] win_attor_auto (20230808 | Detects win.attor.)
rule win_attor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.attor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f801 7411 3d81000000 740a }
            // n = 4, score = 400
            //   83f801               | cmp                 eax, 1
            //   7411                 | je                  0x13
            //   3d81000000           | cmp                 eax, 0x81
            //   740a                 | je                  0xc

        $sequence_1 = { 33c0 488b6c2450 4883c420 415c 5f 5e }
            // n = 6, score = 300
            //   33c0                 | xor                 eax, eax
            //   488b6c2450           | mov                 rbp, qword ptr [rsp + 0x50]
            //   4883c420             | add                 rsp, 0x20
            //   415c                 | pop                 r12
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi

        $sequence_2 = { 488b8c24b0000000 4c8b642468 4885c9 7402 8919 408ac5 }
            // n = 6, score = 300
            //   488b8c24b0000000     | mov                 rcx, qword ptr [rsp + 0xb0]
            //   4c8b642468           | mov                 r12, qword ptr [rsp + 0x68]
            //   4885c9               | test                rcx, rcx
            //   7402                 | je                  4
            //   8919                 | mov                 dword ptr [rcx], ebx
            //   408ac5               | mov                 al, bpl

        $sequence_3 = { 488b8c2490000000 4885c9 0f8441020000 41b802000000 8bd5 ff15???????? 85c0 }
            // n = 7, score = 300
            //   488b8c2490000000     | mov                 rcx, qword ptr [rsp + 0x90]
            //   4885c9               | test                rcx, rcx
            //   0f8441020000         | je                  0x247
            //   41b802000000         | mov                 r8d, 2
            //   8bd5                 | mov                 edx, ebp
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { 48395c2430 0f8447010000 b101 e8???????? }
            // n = 4, score = 300
            //   48395c2430           | cmp                 qword ptr [rsp + 0x30], rbx
            //   0f8447010000         | je                  0x14d
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     

        $sequence_5 = { 48c744243000000000 7414 33c9 e8???????? 488b8c2490000000 }
            // n = 5, score = 300
            //   48c744243000000000   | mov                 qword ptr [rsp + 0x30], 0
            //   7414                 | je                  0x16
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   488b8c2490000000     | mov                 rcx, qword ptr [rsp + 0x90]

        $sequence_6 = { 7435 488b442440 488b8c2490000000 4533c0 418d5002 4d8bcf }
            // n = 6, score = 300
            //   7435                 | je                  0x37
            //   488b442440           | mov                 rax, qword ptr [rsp + 0x40]
            //   488b8c2490000000     | mov                 rcx, qword ptr [rsp + 0x90]
            //   4533c0               | xor                 r8d, r8d
            //   418d5002             | lea                 edx, [r8 + 2]
            //   4d8bcf               | mov                 r9, r15

        $sequence_7 = { 4533c0 4d8bcc 418d5002 44896c2420 ff15???????? }
            // n = 5, score = 300
            //   4533c0               | xor                 r8d, r8d
            //   4d8bcc               | mov                 r9, r12
            //   418d5002             | lea                 edx, [r8 + 2]
            //   44896c2420           | mov                 dword ptr [rsp + 0x20], r13d
            //   ff15????????         |                     

        $sequence_8 = { 8b4c2418 50 55 8b2d???????? 6a00 }
            // n = 5, score = 200
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   50                   | push                eax
            //   55                   | push                ebp
            //   8b2d????????         |                     
            //   6a00                 | push                0

        $sequence_9 = { 740a 83f808 7405 83f811 }
            // n = 4, score = 200
            //   740a                 | je                  0xc
            //   83f808               | cmp                 eax, 8
            //   7405                 | je                  7
            //   83f811               | cmp                 eax, 0x11

        $sequence_10 = { 56 ff15???????? 8d4c2418 8d54241c 51 52 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_11 = { 83c408 eb06 8b35???????? 897c241c 8b7c2420 85ff }
            // n = 6, score = 200
            //   83c408               | add                 esp, 8
            //   eb06                 | jmp                 8
            //   8b35????????         |                     
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi
            //   8b7c2420             | mov                 edi, dword ptr [esp + 0x20]
            //   85ff                 | test                edi, edi

        $sequence_12 = { 83c40c 89442420 85c0 0f842b010000 8b4c2430 8d7108 }
            // n = 6, score = 200
            //   83c40c               | add                 esp, 0xc
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   85c0                 | test                eax, eax
            //   0f842b010000         | je                  0x131
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   8d7108               | lea                 esi, [ecx + 8]

        $sequence_13 = { 85c0 0f840c010000 8b54241c 57 52 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   0f840c010000         | je                  0x112
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   57                   | push                edi
            //   52                   | push                edx

        $sequence_14 = { 897504 c644241301 740a 8b4c2418 }
            // n = 4, score = 200
            //   897504               | mov                 dword ptr [ebp + 4], esi
            //   c644241301           | mov                 byte ptr [esp + 0x13], 1
            //   740a                 | je                  0xc
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]

        $sequence_15 = { 8b44243c 3bc7 7434 8b54241c }
            // n = 4, score = 200
            //   8b44243c             | mov                 eax, dword ptr [esp + 0x3c]
            //   3bc7                 | cmp                 eax, edi
            //   7434                 | je                  0x36
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]

    condition:
        7 of them and filesize < 2023424
}