
BEATDROP

Actor(s): APT29


According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process. Upon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread; the thread's start address points to NtCreateFile. The sample redirects execution to the shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.

References
2023-07-26 Weixin — Anheng Threat Intelligence Center
APT29 recently faked the German embassy and issued a malicious PDF file
BEATDROP Unidentified 107 (APT29)
2023-03-10 Mrtiepolo — Gianluca Tiepolo
Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission
BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage
2022-09-06 INCIBE-CERT — INCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-07-19 R136a1 — Dominik Reichel
A look into APT29's new early-stage Google Drive downloader
BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader)
2022-04-29 Mandiant — Anders Vejlby, John Wolfram, Nick Simonian, Sarah Hawley, Tyler McLellan
Trello From the Other Side: Tracking APT29 Phishing Campaigns
BEATDROP VaporRage
Yara Rules
[TLP:WHITE] win_beatdrop_auto (20230808 | Detects win.beatdrop.)
/*
 * win_beatdrop_auto — autogenerated code-pattern rule for the BEATDROP downloader.
 *
 * Each $sequence_N string is a hex byte pattern lifted from the disassembly of
 * Malpedia's BEATDROP sample(s). The "??" wildcards mask four operand bytes after
 * an e8 (call) or a 48 8b 3d / 48 8b 0d (rip-relative mov) opcode, presumably
 * because those displacements change with relocation/layout — the rule matches
 * the opcode and leaves the target bytes free.
 *
 * NOTE(review): the per-line "| mnemonic" comments do not appear to correspond to
 * the bytes on the same line (e.g. 4c89f1 is annotated "dec eax", and the many
 * 41/44/45/48/49/4c leading bytes look like x86-64 REX prefixes). Treat the hex
 * sequences as authoritative and the mnemonic annotations as informational only.
 *
 * Matching requires at least 7 of the 10 sequences plus a file-size cap (see the
 * condition). Because the sequences come from a small sample set (see DISCLAIMER),
 * a hit should be confirmed with other telemetry before being acted on.
 */
rule win_beatdrop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.beatdrop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // For every sequence below: "n" is the number of instructions in the
        // pattern; "score" is the generator's selection score for that sequence
        // (its exact meaning is defined by yara-signator, not by this rule).
        $sequence_0 = { e8???????? 4c89f1 e8???????? 4c8d0571aaffff }
            // n = 4, score = 400
            //   e8????????           |                     
            //   4c89f1               | dec                 eax
            //   e8????????           |                     
            //   4c8d0571aaffff       | lea                 edx, [0x2e4db]

        $sequence_1 = { 4733bc84000c0000 4189c1 4589f0 41c1e918 4433bebc000000 41c1e810 }
            // n = 6, score = 400
            //   4733bc84000c0000     | dec                 eax
            //   4189c1               | lea                 edx, [0xb87a]
            //   4589f0               | dec                 esp
            //   41c1e918             | mov                 ecx, ebp
            //   4433bebc000000       | dec                 eax
            //   41c1e810             | mov                 dword ptr [esi], eax

        $sequence_2 = { 0fb6c0 413394b5000c0000 c1eb18 33552c 4133948500040000 4489c0 }
            // n = 6, score = 400
            //   0fb6c0               | dec                 eax
            //   413394b5000c0000     | mov                 dword ptr [esp + 0x1e0], eax
            //   c1eb18               | xor                 eax, eax
            //   33552c               | dec                 eax
            //   4133948500040000     | lea                 eax, [esp + 0x2d0]
            //   4489c0               | dec                 eax

        $sequence_3 = { 4189d3 0fb6ce 41c1e818 41c1eb18 478b4c8500 4589f8 438b5c9d00 }
            // n = 7, score = 400
            //   4189d3               | dec                 ecx
            //   0fb6ce               | mov                 esp, ecx
            //   41c1e818             | dec                 esp
            //   41c1eb18             | mov                 ecx, esp
            //   478b4c8500           | dec                 eax
            //   4589f8               | add                 esp, 0x20
            //   438b5c9d00           | dec                 eax

        $sequence_4 = { 4189d3 c1ea18 41c1eb10 335e78 418b1494 4333948c000c0000 450fb6db }
            // n = 7, score = 400
            //   4189d3               | lea                 eax, [0xf5d3]
            //   c1ea18               | dec                 eax
            //   41c1eb10             | mov                 dword ptr [ecx], eax
            //   335e78               | dec                 ecx
            //   418b1494             | mov                 esp, ecx
            //   4333948c000c0000     | dec                 esp
            //   450fb6db             | mov                 ecx, esp

        $sequence_5 = { 4489cb 334610 41c1eb18 450fb6d2 0fb6df 4333849400040000 }
            // n = 6, score = 400
            //   4489cb               | mov                 eax, dword ptr [esi]
            //   334610               | dec                 eax
            //   41c1eb18             | mov                 ecx, dword ptr [ebx]
            //   450fb6d2             | dec                 eax
            //   0fb6df               | mov                 dword ptr [esp + 0x20], eax
            //   4333849400040000     | dec                 esp

        $sequence_6 = { 41c1e818 4189cf 4489d1 478b0484 4733848c000c0000 4589d1 }
            // n = 6, score = 400
            //   41c1e818             | mov                 dword ptr [esp + 0x88], eax
            //   4189cf               | dec                 esp
            //   4489d1               | mov                 edx, ebp
            //   478b0484             | mov                 dword ptr [esp + 0x94], 0x104
            //   4733848c000c0000     | test                eax, eax
            //   4589d1               | je                  0x30aa

        $sequence_7 = { 488b3d???????? 89d8 4989ce 4989d5 488b0d???????? 4c89c6 4c89cd }
            // n = 7, score = 400
            //   488b3d????????       |                     
            //   89d8                 | sete                al
            //   4989ce               | or                  dl, al
            //   4989d5               | jne                 0x20c6
            //   488b0d????????       |                     
            //   4c89c6               | dec                 eax
            //   4c89cd               | test                ecx, ecx

        $sequence_8 = { 498344241010 eb11 498d4c2408 e8???????? eb05 49ff442418 }
            // n = 6, score = 400
            //   498344241010         | dec                 eax
            //   eb11                 | lea                 edx, [0x2222f]
            //   498d4c2408           | dec                 esp
            //   e8????????           |                     
            //   eb05                 | mov                 ecx, esp
            //   49ff442418           | dec                 eax

        $sequence_9 = { e8???????? 4885c0 752c 4c8b4b08 41b813000000 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   4885c0               | lea                 ecx, [0x27ae2]
            //   752c                 | call                ebx
            //   4c8b4b08             | dec                 eax
            //   41b813000000         | lea                 ecx, [0x61]

    condition:
        // At least 7 of the 10 byte sequences must be present, and the scanned
        // file must be smaller than 584704 bytes (= 571 KiB). The size cap limits
        // the rule to unpacked/dumped code of roughly the documented sample's size;
        // a larger container (installer, archive, padded file) will not match even
        // if it embeds the same code.
        7 of them and filesize < 584704
}