SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cloud_duke (Back to overview)

CloudDuke

aka: MiniDionis, CloudLook

Actor(s): APT29


F-Secure describes CloudDuke as a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators.

References
2015-07-22F-SecureArtturi Lehtiö
@online{lehti:20150722:duke:8f54e8b, author = {Artturi Lehtiö}, title = {{Duke APT group's latest tools: cloud services and Linux support}}, date = {2015-07-22}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002822.html}, language = {English}, urldate = {2019-10-15} } Duke APT group's latest tools: cloud services and Linux support
CloudDuke
Yara Rules
[TLP:WHITE] win_cloud_duke_auto (20221125 | Detects win.cloud_duke.)
rule win_cloud_duke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.cloud_duke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 44 3b483b 4c 3b543b6c }
            // n = 4, score = 100
            //   44                   | inc                 esp
            //   3b483b               | cmp                 ecx, dword ptr [eax + 0x3b]
            //   4c                   | dec                 esp
            //   3b543b6c             | cmp                 edx, dword ptr [ebx + edi + 0x6c]

        $sequence_1 = { 8d8c240c010000 e8???????? 8d4c2460 e8???????? }
            // n = 4, score = 100
            //   8d8c240c010000       | lea                 ecx, [esp + 0x10c]
            //   e8????????           |                     
            //   8d4c2460             | lea                 ecx, [esp + 0x60]
            //   e8????????           |                     

        $sequence_2 = { 50 8d8d4cf0ffff e8???????? 8d8d44ecffff 8885afecffff c645fc26 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d8d4cf0ffff         | lea                 ecx, [ebp - 0xfb4]
            //   e8????????           |                     
            //   8d8d44ecffff         | lea                 ecx, [ebp - 0x13bc]
            //   8885afecffff         | mov                 byte ptr [ebp - 0x1351], al
            //   c645fc26             | mov                 byte ptr [ebp - 4], 0x26

        $sequence_3 = { 51 0f43842444010000 8b4c2424 50 ff750c e8???????? 83c40c }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   0f43842444010000     | cmovae              eax, dword ptr [esp + 0x144]
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_4 = { 8d642400 c60100 8d4901 4a 75f7 50 }
            // n = 6, score = 100
            //   8d642400             | lea                 esp, [esp]
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   4a                   | dec                 edx
            //   75f7                 | jne                 0xfffffff9
            //   50                   | push                eax

        $sequence_5 = { 2bc1 83f801 0f868c000000 8d7901 81fffeffff7f 0f8787000000 }
            // n = 6, score = 100
            //   2bc1                 | sub                 eax, ecx
            //   83f801               | cmp                 eax, 1
            //   0f868c000000         | jbe                 0x92
            //   8d7901               | lea                 edi, [ecx + 1]
            //   81fffeffff7f         | cmp                 edi, 0x7ffffffe
            //   0f8787000000         | ja                  0x8d

        $sequence_6 = { 7504 33c9 eb18 8d8db8f9ffff 8d5102 668b01 83c102 }
            // n = 7, score = 100
            //   7504                 | jne                 6
            //   33c9                 | xor                 ecx, ecx
            //   eb18                 | jmp                 0x1a
            //   8d8db8f9ffff         | lea                 ecx, [ebp - 0x648]
            //   8d5102               | lea                 edx, [ecx + 2]
            //   668b01               | mov                 ax, word ptr [ecx]
            //   83c102               | add                 ecx, 2

        $sequence_7 = { c785f0f2ffff00000000 668985e0f2ffff 8d85a0f3ffff c645fc07 50 8d8de0f2ffff e8???????? }
            // n = 7, score = 100
            //   c785f0f2ffff00000000     | mov    dword ptr [ebp - 0xd10], 0
            //   668985e0f2ffff       | mov                 word ptr [ebp - 0xd20], ax
            //   8d85a0f3ffff         | lea                 eax, [ebp - 0xc60]
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   50                   | push                eax
            //   8d8de0f2ffff         | lea                 ecx, [ebp - 0xd20]
            //   e8????????           |                     

        $sequence_8 = { 7409 c60100 8d4901 4a 75f7 56 57 }
            // n = 7, score = 100
            //   7409                 | je                  0xb
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   4a                   | dec                 edx
            //   75f7                 | jne                 0xfffffff9
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_9 = { 7407 50 ff15???????? 807c241700 8b7c2418 8b54242c 0f845cfbffff }
            // n = 7, score = 100
            //   7407                 | je                  9
            //   50                   | push                eax
            //   ff15????????         |                     
            //   807c241700           | cmp                 byte ptr [esp + 0x17], 0
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   0f845cfbffff         | je                  0xfffffb62

    condition:
        7 of them and filesize < 360448
}
[TLP:WHITE] win_cloud_duke_w0   (20170521 | Detects CloudDuke Malware)
rule win_cloud_duke_w0 {
	meta:
		description = "Detects CloudDuke Malware"
		author = "Florian Roth"
		reference = "https://www.f-secure.com/weblog/archives/00002822.html"
		date = "2015-07-22"
		score = 60
		hash = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
		hash = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
		hash = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
		hash = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
		hash = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
		hash = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
		hash = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "ProcDataWrap" fullword ascii
		$s2 = "imagehlp.dll" fullword ascii
		$s3 = "dnlibsh" fullword ascii
		$s4 = "%ws_out%ws" fullword wide
		$s5 = "Akernel32.dll" fullword wide

		$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
		$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
		$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
	condition:
		filesize < 720KB and 4 of ($s*) and 1 of ($op*)
}
Download all Yara Rules