win.beatdrop

BEATDROP

Actor(s): APT29


According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and to retrieve AES-encrypted shellcode payloads for execution. BEATDROP then injects the downloaded payload into a suspended process and executes it there. Upon execution, BEATDROP maps a fresh copy of ntdll.dll into its own memory and executes the shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread whose start address points to NtCreateFile, redirects that thread's execution to the shellcode, and resumes it. The shellcode payload is retrieved from Trello and is targeted per victim; once it has been retrieved, it is deleted from Trello.

References
2022-09-06 | INCIBE-CERT | INCIBE
@techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2022-11-22} }
Families referenced: BEATDROP, BOOMBOX, Cobalt Strike, EnvyScout, Unidentified 099 (APT29 Dropbox Loader), VaporRage

2022-07-19 | R136a1 | Dominik Reichel
@online{reichel:20220719:look:84e1e01, author = {Dominik Reichel}, title = {{A look into APT29's new early-stage Google Drive downloader}}, date = {2022-07-19}, organization = {R136a1}, url = {https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/}, language = {English}, urldate = {2022-10-19} }
Families referenced: BEATDROP, BOOMBOX, Gdrive, Unidentified 098 (APT29 Slack Downloader)

2022-04-29 | Mandiant | John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
@online{wolfram:20220429:trello:c078513, author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby}, title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}}, date = {2022-04-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns}, language = {English}, urldate = {2022-10-19} }
Families referenced: BEATDROP, VaporRage
Yara Rules
[TLP:WHITE] win_beatdrop_auto (20230125 | Detects win.beatdrop.)
rule win_beatdrop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.beatdrop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 478b5c9d00 45339c9d000c0000 4189ce 8b9dc4000000 418b74b500 }
            // n = 5, score = 100
            //   478b5c9d00           | inc                 ecx
            //   45339c9d000c0000     | mov                 edx, dword ptr [esp + edx*4]
            //   4189ce               | shr                 edx, 0x18
            //   8b9dc4000000         | inc                 ecx
            //   418b74b500           | shr                 ebx, 0x10

        $sequence_1 = { 56 53 4883ec20 83791475 4889cb 741a }
            // n = 6, score = 100
            //   56                   | inc                 ebp
            //   53                   | movzx               edx, dl
            //   4883ec20             | inc                 edi
            //   83791475             | xor                 eax, dword ptr [ebp + edx*4 + 0x400]
            //   4889cb               | inc                 ebp
            //   741a                 | movzx               edx, bh

        $sequence_2 = { 41b901000000 eb3b c644242f65 488d54242b 41b902000000 }
            // n = 5, score = 100
            //   41b901000000         | cmp                 dword ptr [esp + 0x60], 1
            //   eb3b                 | mov                 byte ptr [esp + 0xc], 0
            //   c644242f65           | mov                 byte ptr [esp + 0xd], 0
            //   488d54242b           | jne                 0xffffffef
            //   41b902000000         | dec                 eax

        $sequence_3 = { 89542438 4488442440 7505 e8???????? 488d542438 4c8d442440 }
            // n = 6, score = 100
            //   89542438             | inc                 ecx
            //   4488442440           | mov                 ebx, edx
            //   7505                 | shr                 edx, 0x18
            //   e8????????           |                     
            //   488d542438           | inc                 ebp
            //   4c8d442440           | movzx               ecx, cl

        $sequence_4 = { 4589d1 0fb6cd 41c1e910 44334664 418b8c8c00080000 }
            // n = 5, score = 100
            //   4589d1               | dec                 ecx
            //   0fb6cd               | mov                 dword ptr [esp + 8], eax
            //   41c1e910             | mov                 edx, 1
            //   44334664             | dec                 esp
            //   418b8c8c00080000     | mov                 ecx, esp

        $sequence_5 = { 4133948400040000 4489c0 0fb6c4 4133948400080000 89c8 c1e818 440fb6da }
            // n = 7, score = 100
            //   4133948400040000     | dec                 ecx
            //   4489c0               | mov                 esp, ecx
            //   0fb6c4               | mov                 edx, 8
            //   4133948400080000     | dec                 esp
            //   89c8                 | mov                 ecx, esp
            //   c1e818               | dec                 eax
            //   440fb6da             | lea                 ecx, [eax + ebp]

        $sequence_6 = { 53 4883ec40 488d056f6a0200 4d89cd 4d85c9 4989ce 4889d3 }
            // n = 7, score = 100
            //   53                   | test                dh, dh
            //   4883ec40             | inc                 ecx
            //   488d056f6a0200       | mov                 al, 5
            //   4d89cd               | dec                 eax
            //   4d85c9               | sar                 edx, 3
            //   4989ce               | dec                 eax
            //   4889d3               | lea                 ecx, [ebx + 0x80]

        $sequence_7 = { e8???????? 4c8d05d69effff 488d154f8b0000 4c89e1 e8???????? 4989c5 4c89e1 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d05d69effff       | cmp                 dword ptr [ebx + 0x40], eax
            //   488d154f8b0000       | jne                 0x45b
            //   4c89e1               | inc                 ecx
            //   e8????????           |                     
            //   4989c5               | mov                 eax, 0x1f4f
            //   4c89e1               | dec                 eax

        $sequence_8 = { 0fb610 48ffc0 488901 895314 8b4314 83f8ff 7412 }
            // n = 7, score = 100
            //   0fb610               | dec                 eax
            //   48ffc0               | mov                 eax, dword ptr [8]
            //   488901               | ud2                 
            //   895314               | dec                 eax
            //   8b4314               | mov                 dword ptr [esp + 0x28], 0
            //   83f8ff               | dec                 eax
            //   7412                 | mov                 eax, dword ptr [8]

        $sequence_9 = { e8???????? 4c8b3b 488b6b08 4889c1 4889c6 e8???????? 4d29fe }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8b3b               | dec                 eax
            //   488b6b08             | xor                 dword ptr [ecx], eax
            //   4889c1               | dec                 eax
            //   4889c6               | mov                 eax, dword ptr [ebp + 0x100]
            //   e8????????           |                     
            //   4d29fe               | dec                 eax

    condition:
        7 of them and filesize < 575488
}
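The rule above is built from ten opcode sequences in which the 4-byte relative targets of CALL instructions (`e8????????`) are wildcarded, and it fires when 7 of the 10 sequences occur in a file smaller than 575488 bytes. The following Python is an added example, not Malpedia's, Mandiant's or yara-signator's code: it parses those `$sequence_N` hex strings, treats each `??` as a one-byte wildcard, and evaluates the rule's condition against an in-memory buffer, so a detection engineer can see exactly what the auto-generated rule keys on. The buffers it scans are constructed test data, not bytes from a BEATDROP sample; for real scanning use YARA itself.

```python
"""Wildcard hex-sequence matcher for the win_beatdrop_auto rule above.

Added example (not Malpedia's, Mandiant's or yara-signator's code): parses
the rule's $sequence_N hex strings, treats each "??" as a one-byte wildcard,
and evaluates the condition "7 of them and filesize < 575488" against an
in-memory buffer. The buffers scanned at the bottom are constructed here
for illustration and are not real BEATDROP bytes.
"""
import re

# The ten opcode sequences, copied verbatim from the rule above. The
# "e8????????" tokens are 5-byte CALL instructions whose rel32 target is
# wildcarded because it changes with every build and link layout.
SEQUENCES = {
    "sequence_0": "478b5c9d00 45339c9d000c0000 4189ce 8b9dc4000000 418b74b500",
    "sequence_1": "56 53 4883ec20 83791475 4889cb 741a",
    "sequence_2": "41b901000000 eb3b c644242f65 488d54242b 41b902000000",
    "sequence_3": "89542438 4488442440 7505 e8???????? 488d542438 4c8d442440",
    "sequence_4": "4589d1 0fb6cd 41c1e910 44334664 418b8c8c00080000",
    "sequence_5": "4133948400040000 4489c0 0fb6c4 4133948400080000 89c8 c1e818 440fb6da",
    "sequence_6": "53 4883ec40 488d056f6a0200 4d89cd 4d85c9 4989ce 4889d3",
    "sequence_7": "e8???????? 4c8d05d69effff 488d154f8b0000 4c89e1 e8???????? 4989c5 4c89e1",
    "sequence_8": "0fb610 48ffc0 488901 895314 8b4314 83f8ff 7412",
    "sequence_9": "e8???????? 4c8b3b 488b6b08 4889c1 4889c6 e8???????? 4d29fe",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 575488    # "filesize < 575488"


def hex_to_regex(hexstr):
    """Compile a YARA-style hex string into a bytes regex ("??" -> any byte)."""
    tokens = hexstr.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex string has an odd number of nibbles: %r" % hexstr)
    parts = []
    for i in range(0, len(tokens), 2):
        tok = tokens[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which re treats as a newline.
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_to_regex(h) for name, h in SEQUENCES.items()}


def find_sequences(data):
    """Return {sequence_name: first_offset} for every sequence present in data."""
    hits = {}
    for name, pattern in PATTERNS.items():
        m = pattern.search(data)
        if m:
            hits[name] = m.start()
    return hits


def rule_matches(data):
    """Evaluate 'MIN_MATCHES of them and filesize < MAX_FILESIZE'."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(find_sequences(data)) >= MIN_MATCHES


# --- constructed sample data (not real BEATDROP bytes) --------------------

def materialize(hexstr, fill="90"):
    """Make a wildcard sequence concrete by filling "??" with NOP (0x90) bytes."""
    return bytes.fromhex(hexstr.replace("??", fill).replace(" ", ""))


def build_sample(names, pad=0x100):
    """Lay the named sequences out in a zero-filled buffer, pad bytes apart."""
    filler = b"\x00" * pad
    return filler.join(materialize(SEQUENCES[n]) for n in names) + filler


if __name__ == "__main__":
    enough = build_sample(list(SEQUENCES)[:7])           # 7 sequences -> match
    too_few = build_sample(list(SEQUENCES)[:3])          # 3 sequences -> no match
    too_big = build_sample(list(SEQUENCES)) + b"\x00" * MAX_FILESIZE  # size guard
    for label, buf in (("enough", enough), ("too_few", too_few), ("too_big", too_big)):
        print(label, len(buf), sorted(find_sequences(buf)), rule_matches(buf))
```

Two things the walk-through makes visible: the filesize guard is evaluated before any content check, so a padded or repacked binary above the limit is missed even when all ten sequences are present, and every sequence is a fixed byte run apart from the CALL displacements, so a recompiled variant with different register allocation will drop below the 7-of-10 threshold. Both are reasons to treat the rule as a sample-derived signature, as its own disclaimer says, rather than as family-level coverage.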