win.cotx

Cotx RAT

Actor(s): TA428


There is no description at this point.

References
2022-08-08 | Kaspersky | Kaspersky Lab ICS CERT
@techreport{cert:20220808:targeted:61c5617, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attack on industrial enterprises and public institutions}}, date = {2022-08-08}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf}, language = {English}, urldate = {2022-08-11} } Targeted attack on industrial enterprises and public institutions
Cotx RAT Logtu nccTrojan PortDoor
2021-11-17 | Trend Micro | Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
@online{fahmy:20211117:analyzing:c6c52d1, author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque}, title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}}, date = {2021-11-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html}, language = {English}, urldate = {2021-11-18} } Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT
2021-04-02 | Dr.Web | Dr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT TA428
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-08 | Youtube (Virus Bulletin) | Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428
2020-09-30 | NTT Security | Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 | NTT Security | Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-08-28 | NTT | Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200828:operation:e0feab5, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation Lagtime IT: Colourful Panda Footprint}}, date = {2020-08-28}, institution = {NTT}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2022-07-25} } Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428
2020-08-19 | NTT Security | Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200819:operation:445be8c, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: Colorful Panda Footprint}}, date = {2020-08-19}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2022-07-29} } Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-01-29 | nao_sec blog | nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-07-23 | Proofpoint | Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
Yara Rules
[TLP:WHITE] win_cotx_auto (20230715 | Detects win.cotx.)
rule win_cotx_auto {
    // Auto-generated code-sequence signature for the Cotx RAT (Malpedia family
    // win.cotx). Each $sequence_N below is a run of x86 instruction bytes lifted
    // from the disassembly of reference samples; the "??" wildcards mask the
    // operand bytes that change between builds and load addresses (call
    // displacements and absolute data addresses) so the opcode skeleton still
    // matches after relinking.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cotx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the ten sequences are not independent. $sequence_1 is a
    // strict sub-sequence of $sequence_0, and the tail of $sequence_2
    // (8d8d00fcffff ... 8d850af8ffff) is the head of $sequence_4, so those
    // pairs will match together whenever one of them does. The "7 of them"
    // threshold in the condition is therefore looser than ten independent
    // indicators would suggest; treat a hit as a triage candidate and confirm
    // against the referenced reports rather than using it as a standalone
    // verdict. Per the disclaimer, the bytes come from memory dumps and
    // unpacked files, so the rule is best applied to process memory or
    // unpacked payloads; a packed on-disk sample may not match.

    strings:
        // $sequence_0/1/2/4 share one code region: the mov immediates decode
        // (little-endian) to ASCII "Rd32" (52 64 33 32) and ".exe" (2e 65 78 65)
        // written to adjacent stack dwords at [ebp-0x3fc]/[ebp-0x3f8], i.e. the
        // string "Rd32.exe" is assembled on the stack, and "RasT" (52 61 73 54)
        // is written to [ebp-0x800]. Stack-built strings like these are a common
        // way to keep a name out of the binary's plain-text string table.
        $sequence_0 = { 50 c78504fcffff52643332 c78508fcffff2e657865 e8???????? 83ec20 8d8d00fcffff }
            // n = 6, score = 500
            //   50                   | push                eax
            //   c78504fcffff52643332     | mov    dword ptr [ebp - 0x3fc], 0x32336452
            //   c78508fcffff2e657865     | mov    dword ptr [ebp - 0x3f8], 0x6578652e
            //   e8????????           |                     
            //   83ec20               | sub                 esp, 0x20
            //   8d8d00fcffff         | lea                 ecx, [ebp - 0x400]
            // e8 ???????? is "call rel32" with the relative target masked;
            // the lea on [ebp-0x400] takes the address of the stack buffer the
            // two movs above write into.

        $sequence_1 = { c78504fcffff52643332 c78508fcffff2e657865 e8???????? 83ec20 }
            // n = 4, score = 500
            //   c78504fcffff52643332     | mov    dword ptr [ebp - 0x3fc], 0x32336452
            //   c78508fcffff2e657865     | mov    dword ptr [ebp - 0x3f8], 0x6578652e
            //   e8????????           |                     
            //   83ec20               | sub                 esp, 0x20
            // Contained entirely within $sequence_0 (see note above).

        $sequence_2 = { e8???????? 83ec20 8d8d00fcffff e8???????? 68f6030000 8d850af8ffff }
            // n = 6, score = 500
            //   e8????????           |                     
            //   83ec20               | sub                 esp, 0x20
            //   8d8d00fcffff         | lea                 ecx, [ebp - 0x400]
            //   e8????????           |                     
            //   68f6030000           | push                0x3f6
            //   8d850af8ffff         | lea                 eax, [ebp - 0x7f6]
            // push 0x3f6 (1014) followed by lea of [ebp-0x7f6] looks like a
            // (length, buffer) argument pair for the next call -- presumably a
            // bounded copy/format into the stack buffer; verify in the sample.

        $sequence_3 = { c705????????0c56aef3 c705????????c8a4ea05 c705????????69e053a4 c705????????120d934e }
            // n = 4, score = 500
            //   c705????????0c56aef3     |     
            //   c705????????c8a4ea05     |     
            //   c705????????69e053a4     |     
            //   c705????????120d934e     |     
            // c7 05 <abs32> <imm32> is "mov dword ptr [abs32], imm32": four
            // 32-bit constants (0xf3ae560c, 0x05eaa4c8, 0xa453e069, 0x4e930d12
            // little-endian) stored to masked global addresses. The constants,
            // not the addresses, are what makes this sequence distinctive.

        $sequence_4 = { 8d8d00fcffff e8???????? 68f6030000 8d850af8ffff c78500f8ffff52617354 }
            // n = 5, score = 500
            //   8d8d00fcffff         | lea                 ecx, [ebp - 0x400]
            //   e8????????           |                     
            //   68f6030000           | push                0x3f6
            //   8d850af8ffff         | lea                 eax, [ebp - 0x7f6]
            //   c78500f8ffff52617354     | mov    dword ptr [ebp - 0x800], 0x54736152
            // Overlaps the last four instructions of $sequence_2; the final
            // immediate is ASCII "RasT".

        $sequence_5 = { 53 6a00 ff75ec ff15???????? }
            // n = 4, score = 500
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     
            // ff 15 <abs32> is an indirect call through an absolute address
            // (address masked): three stdcall-style pushed arguments, then the call.
            // This shape is generic and matches a lot of ordinary code; it earns
            // its weight only in combination with the other sequences.

        $sequence_6 = { 83c40c 0f1145b0 56 50 8d85b0fbffff }
            // n = 5, score = 500
            //   83c40c               | add                 esp, 0xc
            //   0f1145b0             | movups              xmmword ptr [ebp - 0x50], xmm0
            //   56                   | push                esi
            //   50                   | push                eax
            //   8d85b0fbffff         | lea                 eax, [ebp - 0x450]
            // add esp,0xc cleans up three cdecl arguments from the preceding call;
            // the movups spills a 16-byte xmm0 value to [ebp-0x50].

        $sequence_7 = { 6a00 ff7508 ff75e4 ff15???????? ff75e4 }
            // n = 5, score = 500
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ff15????????         |                     
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            // [ebp+8] is the function's first argument; [ebp-0x1c] is a local
            // that is passed to two consecutive indirect calls.

        $sequence_8 = { e8???????? 0f2805???????? 8d45b0 83c40c }
            // n = 4, score = 500
            //   e8????????           |                     
            //   0f2805????????       |                     
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   83c40c               | add                 esp, 0xc
            // 0f 28 05 <abs32> is "movaps xmm0, xmmword ptr [abs32]": a 16-byte
            // load from a masked global; together with the movups to [ebp-0x50]
            // in $sequence_6 this is the same copy-through-xmm0 idiom.

        $sequence_9 = { e8???????? 83c40c 8d85c0f2ffff 50 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85c0f2ffff         | lea                 eax, [ebp - 0xd40]
            //   50                   | push                eax
            // Large stack frame (local at [ebp-0xd40]); address pushed as an
            // argument to the next call.

    condition:
        // Require seven of the ten sequences (see the independence note above)
        // and cap the scanned object at 1171456 bytes (~1.1 MiB). The size cap
        // keeps the rule cheap on big files but also means a sample padded or
        // bundled beyond that size will not be reported even if all sequences
        // are present.
        7 of them and filesize < 1171456
}