win.badnews

BadNews

Actor(s): Dropping Elephant


There is no description at this point.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-10-22Lab52Jagaimo Kawaii
@online{kawaii:20191022:new:0d66066, author = {Jagaimo Kawaii}, title = {{New PatchWork Spearphishing Attack}}, date = {2019-10-22}, organization = {Lab52}, url = {https://lab52.io/blog/new-patchwork-campaign-against-pakistan/}, language = {English}, urldate = {2020-01-13} } New PatchWork Spearphishing Attack
BadNews
2019-10-02Virus BulletinDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20191002:abusing:3c9a1b7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Abusing third-party cloud services in targeted attacks}}, date = {2019-10-02}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf}, language = {English}, urldate = {2020-01-13} } Abusing third-party cloud services in targeted attacks
BadNews SLUB
2019-08-26QianxinRed Raindrop Team
@online{team:20190826:aptc09:a228795, author = {Red Raindrop Team}, title = {{APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan}}, date = {2019-08-26}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/}, language = {English}, urldate = {2020-01-07} } APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan
BadNews
2018-10-09Trend MicroDaniel Lunghi, Jaromír Hořejší, Cedric Pernet
@techreport{lunghi:20181009:untangling:348f703, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Espionage Group}}, date = {2018-10-09}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-06} } Untangling the Patchwork Espionage Group
BadNews SocksBot Dropping Elephant
2018-03-07Palo Alto Networks Unit 42Brandon Levene, Josh Grunzweig, Brittany Ash
@online{levene:20180307:patchwork:8973699, author = {Brandon Levene and Josh Grunzweig and Brittany Ash}, title = {{Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent}}, date = {2018-03-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/}, language = {English}, urldate = {2019-12-20} } Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
BadNews
2017-04-05FortinetJasper Manuel, Artem Semenchenko
@online{manuel:20170405:indepth:8481b41, author = {Jasper Manuel and Artem Semenchenko}, title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2}}, date = {2017-04-05}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2}, language = {English}, urldate = {2019-10-13} } In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2
BadNews
2017-04-05FortinetJasper Manuel, Artem Semenchenko
@online{manuel:20170405:indepth:f5fe3b5, author = {Jasper Manuel and Artem Semenchenko}, title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1}}, date = {2017-04-05}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1}, language = {English}, urldate = {2020-01-06} } In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1
BadNews
2016-08-08ForcepointAndy Settle, Nicholas Griffin, Abel Toro
@techreport{settle:20160808:monsoon:c4f71cc, author = {Andy Settle and Nicholas Griffin and Abel Toro}, title = {{MONSOON – ANALYSIS OF AN APT CAMPAIGN}}, date = {2016-08-08}, institution = {Forcepoint}, url = {https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf}, language = {English}, urldate = {2020-01-07} } MONSOON – ANALYSIS OF AN APT CAMPAIGN
BadNews TinyTyphon Dropping Elephant
2016-08-08ForcepointNicholas Griffin
@online{griffin:20160808:monsoon:ac7eb5b, author = {Nicholas Griffin}, title = {{MONSOON - Analysis Of An APT Campaign}}, date = {2016-08-08}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign}, language = {English}, urldate = {2020-04-06} } MONSOON - Analysis Of An APT Campaign
BadNews TinyTyphon Dropping Elephant
Yara Rules
[TLP:WHITE] win_badnews_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_badnews_auto {

    /* Purpose: code-based detection for win.badnews (BadNews), generated by
     * yara-signator from instruction sequences of the samples Malpedia holds
     * for this family.
     * Each $sequence_N is a run of x86 opcode bytes. "??" is the YARA wildcard
     * byte; here it masks operands that differ between builds and load
     * addresses (call/jmp targets and data references, see tool_config).
     * Under each string, "n" is the number of instructions in the sequence
     * and "score" is yara-signator's weighting of it (see the tool's
     * documentation for how it is derived); the indented lines are the
     * tool's disassembly of the bytes, left blank where the operand is
     * wildcarded.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Highest-scored sequences (700/600): API-call and small arithmetic
        // idioms. "ff15" is call dword ptr [addr], "e8" call rel32 and "68"
        // push imm32 -- their 4-byte operands are the wildcarded parts.
        $sequence_0 = { ff15???????? 50 e8???????? 83c404 68???????? 6804010000 ff15???????? }
            // n = 7, score = 700
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     
            //   6804010000           | push                0x104
            //   ff15????????         |                     

        // $sequence_1 and $sequence_2 overlap (33c9 c0e004): a byte-transform
        // loop body (shift, add, xor 0x23, rotate) that looks like a custom
        // encoding routine -- assumption from the opcodes, not verified.
        $sequence_1 = { 83e957 eb02 33c9 c0e004 }
            // n = 4, score = 700
            //   83e957               | sub                 ecx, 0x57
            //   eb02                 | jmp                 4
            //   33c9                 | xor                 ecx, ecx
            //   c0e004               | shl                 al, 4

        $sequence_2 = { 33c9 c0e004 02c1 3423 c0c003 }
            // n = 5, score = 700
            //   33c9                 | xor                 ecx, ecx
            //   c0e004               | shl                 al, 4
            //   02c1                 | add                 al, cl
            //   3423                 | xor                 al, 0x23
            //   c0c003               | rol                 al, 3

        $sequence_3 = { d1f9 68???????? 03c9 51 }
            // n = 4, score = 600
            //   d1f9                 | sar                 ecx, 1
            //   68????????           |                     
            //   03c9                 | add                 ecx, ecx
            //   51                   | push                ecx

        $sequence_4 = { c745806e000000 ff15???????? 57 ff15???????? }
            // n = 4, score = 600
            //   c745806e000000       | mov                 dword ptr [ebp - 0x80], 0x6e
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     

        // Three stores of immediate bytes to wildcarded global addresses;
        // the immediates (33 32 2e 64, 6c 6c, 00) are the ASCII bytes of
        // "32.dll" written piecewise, which is why the disassembly column
        // is empty for this sequence.
        $sequence_5 = { c705????????33322e64 66c705????????6c6c c605????????00 ff15???????? }
            // n = 4, score = 600
            //   c705????????33322e64     |     
            //   66c705????????6c6c     |     
            //   c605????????00       |                     
            //   ff15????????         |                     

        $sequence_6 = { ff15???????? 85c0 7405 83c004 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   83c004               | add                 eax, 4

        // Argument push sequence ahead of a call; the constants alone are
        // generic, so this string carries weight only in combination.
        $sequence_7 = { 57 6a00 6880000000 6a04 6a00 6a01 6a04 }
            // n = 7, score = 600
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a04                 | push                4

        $sequence_8 = { ffd3 85c0 7403 83c608 8a06 }
            // n = 5, score = 600
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   83c608               | add                 esi, 8
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_9 = { 8bf0 56 ff15???????? 50 6a40 }
            // n = 5, score = 600
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   6a40                 | push                0x40

        $sequence_10 = { f3a5 8bca 83e103 68???????? f3a4 50 }
            // n = 6, score = 300
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   83e103               | and                 ecx, 3
            //   68????????           |                     
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   50                   | push                eax

        // Low-scored sequences (100). Several of $sequence_11 .. $sequence_17
        // ($sequence_11, $sequence_13, $sequence_14, $sequence_15) embed the
        // absolute address 0x1001a7d0 un-wildcarded (bytes d0a70110), so they
        // are tied to one build and one image base and should be expected to
        // match far fewer variants than the sequences above.
        $sequence_11 = { c1e706 8b049dd0a70110 0fbe443804 83e001 750d e8???????? }
            // n = 6, score = 100
            //   c1e706               | shl                 edi, 6
            //   8b049dd0a70110       | mov                 eax, dword ptr [ebx*4 + 0x1001a7d0]
            //   0fbe443804           | movsx               eax, byte ptr [eax + edi + 4]
            //   83e001               | and                 eax, 1
            //   750d                 | jne                 0xf
            //   e8????????           |                     

        $sequence_12 = { 75f8 8bca 8d8538fbffff c1e902 50 }
            // n = 5, score = 100
            //   75f8                 | jne                 0xfffffffa
            //   8bca                 | mov                 ecx, edx
            //   8d8538fbffff         | lea                 eax, [ebp - 0x4c8]
            //   c1e902               | shr                 ecx, 2
            //   50                   | push                eax

        $sequence_13 = { 0f84a1000000 8b55f4 8b0495d0a70110 f644180448 7452 6a0a 58 }
            // n = 7, score = 100
            //   0f84a1000000         | je                  0xa7
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b0495d0a70110       | mov                 eax, dword ptr [edx*4 + 0x1001a7d0]
            //   f644180448           | test                byte ptr [eax + ebx + 4], 0x48
            //   7452                 | je                  0x54
            //   6a0a                 | push                0xa
            //   58                   | pop                 eax

        $sequence_14 = { d1ee 50 8b45f4 56 ff75e4 8b0485d0a70110 }
            // n = 6, score = 100
            //   d1ee                 | shr                 esi, 1
            //   50                   | push                eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   56                   | push                esi
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   8b0485d0a70110       | mov                 eax, dword ptr [eax*4 + 0x1001a7d0]

        $sequence_15 = { 83e21f c1e206 031485d0a70110 eb05 ba???????? f6422480 }
            // n = 6, score = 100
            //   83e21f               | and                 edx, 0x1f
            //   c1e206               | shl                 edx, 6
            //   031485d0a70110       | add                 edx, dword ptr [eax*4 + 0x1001a7d0]
            //   eb05                 | jmp                 7
            //   ba????????           |                     
            //   f6422480             | test                byte ptr [edx + 0x24], 0x80

        // String-walk loop (load byte, advance, test for NUL, loop back);
        // generic in isolation, contributes only to the "7 of them" count.
        $sequence_16 = { 75f3 8d8d54ffffff 49 8a4101 8d4901 84c0 75f6 }
            // n = 7, score = 100
            //   75f3                 | jne                 0xfffffff5
            //   8d8d54ffffff         | lea                 ecx, [ebp - 0xac]
            //   49                   | dec                 ecx
            //   8a4101               | mov                 al, byte ptr [ecx + 1]
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   84c0                 | test                al, al
            //   75f6                 | jne                 0xfffffff8

        $sequence_17 = { 75e8 eb64 a1???????? 8b9c9d58fbffff 8945f0 66a1???????? }
            // n = 6, score = 100
            //   75e8                 | jne                 0xffffffea
            //   eb64                 | jmp                 0x66
            //   a1????????           |                     
            //   8b9c9d58fbffff       | mov                 ebx, dword ptr [ebp + ebx*4 - 0x4a8]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   66a1????????         |                     

    condition:
        // Any 7 of the 18 sequences must be present AND the scanned object
        // must be smaller than 466944 bytes (456 KiB). The size cap keeps the
        // rule off large files but also means a padded or bundled carrier
        // above that size is never matched. NOTE(review): filesize is defined
        // for file scans; confirm how your scanner evaluates it on process
        // memory before relying on this rule there.
        7 of them and filesize < 466944
}
[TLP:WHITE] win_badnews_w0   (20180301 | No description)
import "pe"

rule win_badnews_w0 {
    /* Purpose: string-based detection for win.badnews (BadNews), derived from
     * the Fortinet MONSOON backdoor analysis in "reference". It keys on
     * file-system paths and artefact names the sample carries rather than on
     * code, so it complements win_badnews_auto.
     * The "pe" module imported above this rule is not referenced anywhere in
     * its condition; the rule evaluates the same with or without it.
     */
    meta:
        author = "Florian Roth"
        reference = "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x* are the high-confidence markers: a single hit is sufficient.
        // $x1/$x2 are fixed drop and config paths; $x3 looks like a run of
        // truncated key-name labels ("[BACKSPA", "[PAGE DO", "[CAPS LO")
        // fused with file names -- presumably a label table from the sample,
        // verify against the reference before reusing the string elsewhere.
        $x1 = "\\Microsoft\\Windows\\coco.exe" fullword ascii
        $x2 = ":\\System Volume Information\\config" fullword ascii
        $x3 = " cscript.[BACKSPA[PAGE DO[CAPS LO[PAGE UPTPX498.dTPX499.d" fullword wide

        // $s* are weaker, individually more generic strings; the condition
        // requires three of them together.
        $s1 = "\\Microsoft\\Templates\\msvcrt.dll" fullword ascii
        // Date/time format with a braced %s field.
        $s2 = "%04d/%02d/%02d %02d:%02d:%02d - {%s}" fullword wide
        // The trailing spaces are part of the matched bytes; "fullword"
        // applies to the padded form as written, so do not trim them.
        $s3 = "wininet.dll    " fullword ascii
        $s4 = "DMCZ0001.dat" fullword ascii
        $s5 = "TZ0000001.dat" fullword ascii
        $s6 = "\\MUT.dat" fullword ascii
        // Decrementing every byte by one yields "ntdll.dll" followed by
        // spaces, i.e. the same padded module-name form as $s3; this looks
        // like a +1-shifted string stored in the binary -- inference from
        // the bytes, not confirmed against the sample.
        $s7 = "ouemm/emm!!!!!!!!!!!!!" fullword ascii
    condition:
        // Either one high-confidence $x string, or any 3 of the 10 strings.
        // No PE-header or filesize guard is applied, so the rule also fires
        // on memory dumps and on non-PE carriers that contain these strings.
        ( 1 of ($x*) or 3 of them )
}