win.derusbi

Derusbi

aka: PHOTO

Actor(s): APT41, Axiom, Leviathan, Stone Panda


A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

References
2020-01-29, nao_sec (nao_sec blog): An Overhead View of the Royal Road. https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html (accessed 2020-02-03)
Mentions: BLACKCOFFEE, Cotx RAT, Datper, DDKONG, Derusbi, Icefog, Korlia, NewCore RAT, PLAINTEE, Poison Ivy, Sisfader

2020, SecureWorks (Secureworks): BRONZE FIRESTONE. https://www.secureworks.com/research/threat-profiles/bronze-firestone (accessed 2020-05-23)
Mentions: 9002 RAT, Derusbi, Empire Downloader, PlugX, Poison Ivy, Shell Crew

2020, SecureWorks (Secureworks): BRONZE MOHAWK. https://www.secureworks.com/research/threat-profiles/bronze-mohawk (accessed 2020-05-23)
Mentions: AIRBREAK, scanbox, BLACKCOFFEE, CHINACHOPPER, Cobalt Strike, Derusbi, homefry, murkytop, SeDll, Leviathan

2020, SecureWorks (Secureworks): BRONZE KEYSTONE. https://www.secureworks.com/research/threat-profiles/bronze-keystone (accessed 2020-05-23)
Mentions: 9002 RAT, BLACKCOFFEE, DeputyDog, Derusbi, HiKit, PlugX, Poison Ivy, ZXShell, Aurora Panda

2019-12-17, Jen Miller-Osborn and Mike Harbison (Palo Alto Networks Unit 42): Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia. https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/ (accessed 2020-01-08)
Mentions: DDKONG, Derusbi, KHRAT

2016-03-02, Vanja Svajcer (RSA Conference): Dissecting Derusbi. https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf (accessed 2020-02-27)
Mentions: Derusbi

2015-12-15, Fabien Perigaud (Airbus Defence & Space): Newcomers in the Derusbi family. https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family (accessed 2020-02-27)
Mentions: Derusbi

2015-10-08, Micky Pun, Eric Leung and Neo Tan (Virus Bulletin): Catching the silent whisper: Understanding the Derusbi family tree. https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf (accessed 2020-02-27)
Mentions: Derusbi

2015-02-27, ThreatConnect Research Team (ThreatConnect): The Anthem Hack: All Roads Lead to China. https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ (accessed 2020-01-09)
Mentions: Derusbi

2015-02-06, CrowdStrike (CrowdStrike): CrowdStrike Global Threat Intel Report 2014. https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf (accessed 2020-05-11)
Mentions: BlackPOS, CryptoLocker, Derusbi, Elise, Enfal, EvilGrab, Gameover P2P, HttpBrowser, Medusa, Mirage, Naikon, NetTraveler, pirpi, PlugX, Poison Ivy, Sakula RAT, Sinowal, sykipot, taidoor

2014-10-28, Novetta (Novetta): Derusbi (Server Variant) Analysis. http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf (accessed 2020-01-06)
Mentions: Derusbi
Yara Rules
[TLP:WHITE] win_derusbi_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_derusbi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 899fbc500000 899fb4500000 ffd6 6814010000 895f08 ff15???????? 83c410 }
            // n = 7, score = 100
            //   899fbc500000         | mov                 dword ptr [edi + 0x50bc], ebx
            //   899fb4500000         | mov                 dword ptr [edi + 0x50b4], ebx
            //   ffd6                 | call                esi
            //   6814010000           | push                0x114
            //   895f08               | mov                 dword ptr [edi + 8], ebx
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10

        $sequence_1 = { 751a ff15???????? ff75e8 8bf0 ff15???????? 56 ff15???????? }
            // n = 7, score = 100
            //   751a                 | jne                 0x1c
            //   ff15????????         |                     
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_2 = { 50 6a00 6a00 68???????? ffb5f4feffff c785f8feffffff000000 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   ffb5f4feffff         | push                dword ptr [ebp - 0x10c]
            //   c785f8feffffff000000     | mov    dword ptr [ebp - 0x108], 0xff

        $sequence_3 = { 47 9f b676 52 9f af 7613 }
            // n = 7, score = 100
            //   47                   | inc                 edi
            //   9f                   | lahf                
            //   b676                 | mov                 dh, 0x76
            //   52                   | push                edx
            //   9f                   | lahf                
            //   af                   | scasd               eax, dword ptr es:[edi]
            //   7613                 | jbe                 0x15

        $sequence_4 = { 85c0 7569 3bb5d8f8ffff 734d 8b85e4f8ffff 69c038080000 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7569                 | jne                 0x6b
            //   3bb5d8f8ffff         | cmp                 esi, dword ptr [ebp - 0x728]
            //   734d                 | jae                 0x4f
            //   8b85e4f8ffff         | mov                 eax, dword ptr [ebp - 0x71c]
            //   69c038080000         | imul                eax, eax, 0x838

        $sequence_5 = { 7436 48 742c 48 7422 48 }
            // n = 6, score = 100
            //   7436                 | je                  0x38
            //   48                   | dec                 eax
            //   742c                 | je                  0x2e
            //   48                   | dec                 eax
            //   7422                 | je                  0x24
            //   48                   | dec                 eax

        $sequence_6 = { 8d85b8fdffff 50 ffd6 8d85b8fdffff 68???????? 50 ffd6 }
            // n = 7, score = 100
            //   8d85b8fdffff         | lea                 eax, [ebp - 0x248]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d85b8fdffff         | lea                 eax, [ebp - 0x248]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_7 = { 8b4808 85c9 75f7 214e08 897008 ebd9 55 }
            // n = 7, score = 100
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   85c9                 | test                ecx, ecx
            //   75f7                 | jne                 0xfffffff9
            //   214e08               | and                 dword ptr [esi + 8], ecx
            //   897008               | mov                 dword ptr [eax + 8], esi
            //   ebd9                 | jmp                 0xffffffdb
            //   55                   | push                ebp

        $sequence_8 = { c7001c000000 c7400402000000 c7400801000000 8b4b0c 89480c e9???????? 39b75c200000 }
            // n = 7, score = 100
            //   c7001c000000         | mov                 dword ptr [eax], 0x1c
            //   c7400402000000       | mov                 dword ptr [eax + 4], 2
            //   c7400801000000       | mov                 dword ptr [eax + 8], 1
            //   8b4b0c               | mov                 ecx, dword ptr [ebx + 0xc]
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   e9????????           |                     
            //   39b75c200000         | cmp                 dword ptr [edi + 0x205c], esi

        $sequence_9 = { 3985d8f2ffff 0f84b2010000 8b85e0f2ffff 85c0 0f8440040000 803800 0f8437040000 }
            // n = 7, score = 100
            //   3985d8f2ffff         | cmp                 dword ptr [ebp - 0xd28], eax
            //   0f84b2010000         | je                  0x1b8
            //   8b85e0f2ffff         | mov                 eax, dword ptr [ebp - 0xd20]
            //   85c0                 | test                eax, eax
            //   0f8440040000         | je                  0x446
            //   803800               | cmp                 byte ptr [eax], 0
            //   0f8437040000         | je                  0x43d

    condition:
        7 of them and filesize < 360448
}