Derusbi (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.derusbi (Back to overview)

Derusbi

aka: PHOTO

Actor(s): APT41, APT17, Leviathan, Stone Panda

VTCollection

A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

References

2021-07-07 ⋅ Trend Micro ⋅ Gloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi

2020-12-26 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Analyzing APT19 malware using a step-by-step method
Derusbi

2020-10-30 ⋅ YouTube (Kaspersky Tech) ⋅ Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19

2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17

2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer
Dissecting Derusbi
Derusbi

2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud
Newcomers in the Derusbi family
Derusbi

2015-10-08 ⋅ Virus Bulletin ⋅ Eric Leung, Micky Pun, Neo Tan
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi

2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
The Anthem Hack: All Roads Lead to China
Derusbi

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2014-10-28 ⋅ Novetta ⋅ Novetta
Derusbi (Server Variant) Analysis
Derusbi

2014-01-01 ⋅ RSA ⋅ RSA Research
RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi

Yara Rules

[TLP:WHITE] win_derusbi_auto (20230808 | Detects win.derusbi.)

rule win_derusbi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.derusbi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b819c000000 8d4de8 51 8d4dec 51 ffb00c010000 c745e810000000 }
            // n = 7, score = 200
            //   8b819c000000         | mov                 eax, dword ptr [ecx + 0x9c]
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   51                   | push                ecx
            //   ffb00c010000         | push                dword ptr [eax + 0x10c]
            //   c745e810000000       | mov                 dword ptr [ebp - 0x18], 0x10

        $sequence_1 = { 8d55ec e8???????? 8d4f08 56 8d55f3 e8???????? 59 }
            // n = 7, score = 200
            //   8d55ec               | lea                 edx, [ebp - 0x14]
            //   e8????????           |                     
            //   8d4f08               | lea                 ecx, [edi + 8]
            //   56                   | push                esi
            //   8d55f3               | lea                 edx, [ebp - 0xd]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_2 = { 8913 ff15???????? 83c40c e8???????? b301 57 ff15???????? }
            // n = 7, score = 200
            //   8913                 | mov                 dword ptr [ebx], edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   e8????????           |                     
            //   b301                 | mov                 bl, 1
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_3 = { 33c5 8945f8 8b4508 66833800 53 56 57 }
            // n = 7, score = 200
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66833800             | cmp                 word ptr [eax], 0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_4 = { 8945f8 8b4508 56 57 50 8d8de4fbffff 899590f9ffff }
            // n = 7, score = 200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d8de4fbffff         | lea                 ecx, [ebp - 0x41c]
            //   899590f9ffff         | mov                 dword ptr [ebp - 0x670], edx

        $sequence_5 = { 64a300000000 8b5d0c 8b4508 894c2414 89442418 85db 0f8457050000 }
            // n = 7, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   85db                 | test                ebx, ebx
            //   0f8457050000         | je                  0x55d

        $sequence_6 = { 50 ffd6 b903010000 2bc8 51 8d85ecfdffff 68???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   b903010000           | mov                 ecx, 0x103
            //   2bc8                 | sub                 ecx, eax
            //   51                   | push                ecx
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   68????????           |                     

        $sequence_7 = { 56 56 56 6a03 56 68???????? 6800040000 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   6a03                 | push                3
            //   56                   | push                esi
            //   68????????           |                     
            //   6800040000           | push                0x400

        $sequence_8 = { ffd3 50 57 ffb5f8fbffff ff15???????? 83c410 85c0 }
            // n = 7, score = 200
            //   ffd3                 | call                ebx
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffb5f8fbffff         | push                dword ptr [ebp - 0x408]
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax

        $sequence_9 = { ffb5d4fdffff 898db8fdffff ffb5ecfdffff ffb5f0fdffff ff15???????? 3bc7 }
            // n = 6, score = 200
            //   ffb5d4fdffff         | push                dword ptr [ebp - 0x22c]
            //   898db8fdffff         | mov                 dword ptr [ebp - 0x248], ecx
            //   ffb5ecfdffff         | push                dword ptr [ebp - 0x214]
            //   ffb5f0fdffff         | push                dword ptr [ebp - 0x210]
            //   ff15????????         |                     
            //   3bc7                 | cmp                 eax, edi

    condition:
        7 of them and filesize < 360448
}

Download all Yara Rules

Derusbi Propose Change

References

Yara Rules

Derusbi