win.beatdrop

BEATDROP

Actor(s): APT29


According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and to retrieve AES-encrypted shellcode payloads for execution. BEATDROP then injects the downloaded payload into a suspended process and executes it. Upon execution, BEATDROP maps a fresh copy of ntdll.dll into memory and uses it to execute shellcode in its own process (mapping a clean ntdll is a technique typically used to side-step user-mode API hooks, so EDR hooks on the process's original ntdll should not be relied on to observe this stage). The sample then creates a suspended thread with RtlCreateUserThread whose start address points to NtCreateFile, redirects the thread's execution to the shellcode, and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved it is deleted from Trello, so the second stage is unlikely to be recoverable from the C&C board after delivery; capture it from memory of the infected host instead.

References
2023-03-10 — Mrtiepolo — Gianluca Tiepolo
@online{tiepolo:20230310:sophisticated:2892d3e, author = {Gianluca Tiepolo}, title = {{Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission}}, date = {2023-03-10}, organization = {Mrtiepolo}, url = {https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58}, language = {English}, urldate = {2023-03-14} } Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission
BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage
2022-09-06 — INCIBE-CERT — INCIBE
@techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2022-11-22} } Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-07-19 — R136a1 — Dominik Reichel
@online{reichel:20220719:look:84e1e01, author = {Dominik Reichel}, title = {{A look into APT29's new early-stage Google Drive downloader}}, date = {2022-07-19}, organization = {R136a1}, url = {https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/}, language = {English}, urldate = {2022-10-19} } A look into APT29's new early-stage Google Drive downloader
BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader)
2022-04-29 — Mandiant — John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
@online{wolfram:20220429:trello:c078513, author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby}, title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}}, date = {2022-04-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns}, language = {English}, urldate = {2022-10-19} } Trello From the Other Side: Tracking APT29 Phishing Campaigns
BEATDROP VaporRage
Yara Rules
[TLP:WHITE] win_beatdrop_auto (20230407 | Detects win.beatdrop.)
rule win_beatdrop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.beatdrop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEWER NOTES
     * - All ten patterns are x86-64 code (REX prefixes 0x40-0x4f, rsp-relative
     *   addressing). The per-line annotations below were re-derived from the raw
     *   bytes; the original auto-generated annotations did not correspond to the
     *   bytes on the same line and should not be used to reason about the rule.
     * - The `????????` wildcards mask the rel32 / RIP-relative displacement of
     *   call instructions, which varies with link address and layout.
     * - Sequences 1, 3, 4, 5, 6, 8 and 9 are byte-extract / table-lookup / xor
     *   chains over four 0x400-byte tables (base +0x0, +0x400, +0x800, +0xc00).
     *   That shape is consistent with a table-driven (T-table) AES
     *   implementation, which would match the AES-encrypted payloads described
     *   for this family - an inference from the code shape; confirm on a sample.
     *   Such tables are also typical of statically linked crypto libraries, so
     *   expect some risk of matching unrelated binaries that embed the same
     *   library; keep the 7-of-10 threshold rather than lowering it.
     * - The condition deliberately has no PE-header check: the disclaimer above
     *   says the patterns were taken from memory dumps and unpacked files, so the
     *   rule is intended to fire on dumps as well. Add `uint16(0) == 0x5a4d`
     *   only in a copy used purely for on-disk scanning.
     */


    strings:
        $sequence_0 = { 4883f90f 761c 488d542428 4531c0 4889d9 e8???????? }
            // n = 6, score = 400
            //   4883f90f             | cmp                 rcx, 0xf
            //   761c                 | jbe                 +0x1c
            //   488d542428           | lea                 rdx, [rsp + 0x28]
            //   4531c0               | xor                 r8d, r8d
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                rel32 (target masked)

        $sequence_1 = { c1ee10 0fb69c9800040000 400fb6f6 0fb6b4b000040000 338cb200040000 338c9a00080000 418b5b04 }
            // n = 7, score = 400
            //   c1ee10               | shr                 esi, 0x10
            //   0fb69c9800040000     | movzx               ebx, byte ptr [rax + rbx*4 + 0x400]
            //   400fb6f6             | movzx               esi, sil
            //   0fb6b4b000040000     | movzx               esi, byte ptr [rax + rsi*4 + 0x400]
            //   338cb200040000       | xor                 ecx, dword ptr [rdx + rsi*4 + 0x400]
            //   338c9a00080000       | xor                 ecx, dword ptr [rdx + rbx*4 + 0x800]
            //   418b5b04             | mov                 ebx, dword ptr [r11 + 4]

        $sequence_2 = { 48894308 c6040200 4883c438 5b 5e 5f }
            // n = 6, score = 400
            //   48894308             | mov                 qword ptr [rbx + 8], rax
            //   c6040200             | mov                 byte ptr [rdx + rax], 0
            //   4883c438             | add                 rsp, 0x38
            //   5b                   | pop                 rbx
            //   5e                   | pop                 rsi
            //   5f                   | pop                 rdi
            // Function epilogue: writes a NUL terminator, then tears down the
            // 0x38-byte frame.

        $sequence_3 = { 4431f9 478b0c8c 47338c9c000c0000 4189d3 c1ea18 41c1eb10 44334e48 }
            // n = 7, score = 400
            //   4431f9               | xor                 ecx, r15d
            //   478b0c8c             | mov                 r9d, dword ptr [r12 + r9*4]
            //   47338c9c000c0000     | xor                 r9d, dword ptr [r12 + r11*4 + 0xc00]
            //   4189d3               | mov                 r11d, edx
            //   c1ea18               | shr                 edx, 0x18
            //   41c1eb10             | shr                 r11d, 0x10
            //   44334e48             | xor                 r9d, dword ptr [rsi + 0x48]

        $sequence_4 = { 4133948c00080000 89c1 440fb6c2 c1e918 0fb6ee 418b0c8c 43338c84000c0000 }
            // n = 7, score = 400
            //   4133948c00080000     | xor                 edx, dword ptr [r12 + rcx*4 + 0x800]
            //   89c1                 | mov                 ecx, eax
            //   440fb6c2             | movzx               r8d, dl
            //   c1e918               | shr                 ecx, 0x18
            //   0fb6ee               | movzx               ebp, dh
            //   418b0c8c             | mov                 ecx, dword ptr [r12 + rcx*4]
            //   43338c84000c0000     | xor                 ecx, dword ptr [r12 + r8*4 + 0xc00]

        $sequence_5 = { 89f3 400fb6f6 c1eb10 44334d44 0fb6db 45338c9d00040000 0fb6de }
            // n = 7, score = 400
            //   89f3                 | mov                 ebx, esi
            //   400fb6f6             | movzx               esi, sil
            //   c1eb10               | shr                 ebx, 0x10
            //   44334d44             | xor                 r9d, dword ptr [rbp + 0x44]
            //   0fb6db               | movzx               ebx, bl
            //   45338c9d00040000     | xor                 r9d, dword ptr [r13 + rbx*4 + 0x400]
            //   0fb6de               | movzx               ebx, dh

        $sequence_6 = { 4489c3 450fb6c0 c1eb10 44338d84000000 }
            // n = 4, score = 400
            //   4489c3               | mov                 ebx, r8d
            //   450fb6c0             | movzx               r8d, r8b
            //   c1eb10               | shr                 ebx, 0x10
            //   44338d84000000       | xor                 r9d, dword ptr [rbp + 0x84]

        $sequence_7 = { 4899 48f7f9 488d4c2428 4889442428 ff15???????? 4c89e1 4889c2 }
            // n = 7, score = 400
            //   4899                 | cqo
            //   48f7f9               | idiv                rcx
            //   488d4c2428           | lea                 rcx, [rsp + 0x28]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   ff15????????         | call                qword ptr [rip + disp32] (import slot masked)
            //   4c89e1               | mov                 rcx, r12
            //   4889c2               | mov                 rdx, rax
            // Signed 64-bit division followed by an indirect call through the
            // import table; the callee cannot be named from the bytes alone.

        $sequence_8 = { 4489c8 478b749d00 c1e818 4489d1 450fb6da 418b448500 41338495000c0000 }
            // n = 7, score = 400
            //   4489c8               | mov                 eax, r9d
            //   478b749d00           | mov                 r14d, dword ptr [r13 + r11*4]
            //   c1e818               | shr                 eax, 0x18
            //   4489d1               | mov                 ecx, r10d
            //   450fb6da             | movzx               r11d, r10b
            //   418b448500           | mov                 eax, dword ptr [r13 + rax*4]
            //   41338495000c0000     | xor                 eax, dword ptr [r13 + rdx*4 + 0xc00]

        $sequence_9 = { c1e818 4533949500040000 0fb6d3 473394b500080000 }
            // n = 4, score = 400
            //   c1e818               | shr                 eax, 0x18
            //   4533949500040000     | xor                 r10d, dword ptr [r13 + rdx*4 + 0x400]
            //   0fb6d3               | movzx               edx, bl
            //   473394b500080000     | xor                 r10d, dword ptr [r13 + r14*4 + 0x800]

    condition:
        // 7 of 10 sequences must match; the size cap bounds the scan to small
        // binaries/dumps and was derived from the documented sample, so larger
        // repacked variants would be missed by design.
        7 of them and filesize < 584704
}