win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye (in its 2018 APT38 report, listed under References below) describes Contopee as a proxy-aware backdoor that communicates over a custom-encrypted binary protocol. It may store optional configuration data in the registry. The backdoor has been observed to support 26 commands, including directory traversal, file-system manipulation, data archival and transmission, and command execution.

References
2018-01-01 | FireEye | FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 | Symantec | Symantec Security Response
SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
2016-05-26 | Symantec | Security Response
SWIFT attackers’ malware linked to more financial attacks
Contopee DYEPACK Sierra(Alfa,Bravo, ...) Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20230808 | Detects win.contopee.)
rule win_contopee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.contopee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (operational caveats for deploying this rule)
     * - The sequences below are x86 (32-bit) code fragments taken from
     *   unpacked/memory-resident code (see disclaimer). A packed or otherwise
     *   obfuscated on-disk sample will generally not contain them, so a
     *   non-match on a file is not evidence that the file is benign.
     * - The ???????? wildcards stand in for call/jump displacements and
     *   absolute data references (signator_config "callsandjumps;datarefs"),
     *   which vary with build and load address; only the opcode bytes around
     *   them are matched.
     * - The condition requires 7 of the 10 sequences plus filesize < 176 KiB.
     *   Per the YARA documentation, `filesize` is defined only when scanning a
     *   file, not a running process; with it undefined the comparison cannot
     *   be true, so this rule as written will not match when scanning process
     *   memory. Use it on files/dumps, or drop the filesize clause in a local
     *   copy if process scanning is the intended use.
     */

    strings:
        $sequence_0 = { c3 8bac244c020000 55 6a00 }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   8bac244c020000       | mov                 ebp, dword ptr [esp + 0x24c]
            //   55                   | push                ebp
            //   6a00                 | push                0

        $sequence_1 = { 83c41c eb35 8b5614 8b442430 6a00 6aff 42 }
            // n = 7, score = 100
            //   83c41c               | add                 esp, 0x1c
            //   eb35                 | jmp                 0x37
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   42                   | inc                 edx

        $sequence_2 = { 6880000000 50 8d8e6a050000 6880000000 51 }
            // n = 5, score = 100
            //   6880000000           | push                0x80
            //   50                   | push                eax
            //   8d8e6a050000         | lea                 ecx, [esi + 0x56a]
            //   6880000000           | push                0x80
            //   51                   | push                ecx

        $sequence_3 = { 66896c240c 8d842414020000 50 57 ff15???????? }
            // n = 5, score = 100
            //   66896c240c           | mov                 word ptr [esp + 0xc], bp
            //   8d842414020000       | lea                 eax, [esp + 0x214]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         | call                dword ptr [<wildcarded absolute address>] (likely an import thunk)

        $sequence_4 = { 7510 ff15???????? 5f 5d 5b 81c4dc040000 c3 }
            // n = 7, score = 100
            //   7510                 | jne                 0x12
            //   ff15????????         | call                dword ptr [<wildcarded absolute address>] (likely an import thunk)
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   81c4dc040000         | add                 esp, 0x4dc
            //   c3                   | ret                 

        $sequence_5 = { 8bf8 ebc8 ff15???????? 8bf8 ebd1 5f }
            // n = 6, score = 100
            //   8bf8                 | mov                 edi, eax
            //   ebc8                 | jmp                 0xffffffca
            //   ff15????????         | call                dword ptr [<wildcarded absolute address>] (likely an import thunk)
            //   8bf8                 | mov                 edi, eax
            //   ebd1                 | jmp                 0xffffffd3
            //   5f                   | pop                 edi

        $sequence_6 = { 7432 6a0f 51 50 e8???????? 8bf0 }
            // n = 6, score = 100
            //   7432                 | je                  0x34
            //   6a0f                 | push                0xf
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           | call                <wildcarded rel32 target>
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 8bd8 8b4608 83f802 8b44242c 0f858e000000 eb04 8b7c2418 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   83f802               | cmp                 eax, 2
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   0f858e000000         | jne                 0x94
            //   eb04                 | jmp                 6
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]

        $sequence_8 = { 68???????? 51 ff15???????? 8b84243c020000 8d542428 52 50 }
            // n = 7, score = 100
            //   68????????           | push                <wildcarded imm32 (data reference)>
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [<wildcarded absolute address>] (likely an import thunk)
            //   8b84243c020000       | mov                 eax, dword ptr [esp + 0x23c]
            //   8d542428             | lea                 edx, [esp + 0x28]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_9 = { 52 e8???????? 83c430 5f 5e }
            // n = 5, score = 100
            //   52                   | push                edx
            //   e8????????           | call                <wildcarded rel32 target>
            //   83c430               | add                 esp, 0x30
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        // Match when at least 7 of the 10 code sequences are present and the
        // scanned object is smaller than 180224 bytes (176 KiB). Note that
        // `filesize` is undefined for process-memory scans (see REVIEW NOTES),
        // which makes the whole condition false in that mode.
        7 of them and filesize < 180224
}