win.derusbi

Derusbi

aka: PHOTO

Actor(s): APT41, Axiom, Leviathan, Stone Panda


A DLL backdoor, also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listings; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes and returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing files. Derusbi is a family rather than a single binary — a server variant is analysed by Novetta (2014) and later family members by Airbus (2015) and Virus Bulletin (2015) — and it has been attributed to several distinct China-nexus groups (see Actor(s) above and the references below), so a Derusbi detection on its own is weak evidence for attribution to any one actor.

References
2020-12-26 | CYBER GEEKS All Things Infosec | CyberMasterV
@online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } Analyzing APT19 malware using a step-by-step method
Derusbi
2020-01-29 | nao_sec blog | nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda
2019-12-17 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2016-03-02 | RSA Conference | Vanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } Dissecting Derusbi
Derusbi
2015-12-15 | Airbus Defence &amp; Space | Fabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } Newcomers in the Derusbi family
Derusbi
2015-10-08 | Virus Bulletin | Micky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-02-27 | ThreatConnect | ThreatConnect Research Team
@online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-28 | Novetta | Novetta
@techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } Derusbi (Server Variant) Analysis
Derusbi
2014-01 | RSA | RSA Research
@techreport{research:201401:rsa:5fa5815, author = {RSA Research}, title = {{RSA Incident Response: Emerging Threat Profile Shell_Crew}}, date = {2014-01}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf}, language = {English}, urldate = {2021-01-29} } RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
Yara Rules
[TLP:WHITE] win_derusbi_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Auto-generated code-sequence rule for win.derusbi (Derusbi, aka PHOTO).
 *
 * Each $sequence_N below is a run of raw 32-bit x86 instruction bytes lifted
 * from the disassembly of the analysed sample; "??" bytes wildcard operands
 * that vary between builds or load addresses (absolute call targets, data and
 * string references).  Read the DISCLAIMER inside the rule before assigning a
 * confidence level: only single samples per family feed the generator, so
 * coverage of other Derusbi variants is not guaranteed.
 */
rule win_derusbi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // All sequences are 32-bit x86 code (esp/ebp-relative addressing
        // throughout), so 64-bit Derusbi builds, if any, are not expected to
        // match.  The sequences target unpacked code: a packed or encrypted
        // on-disk sample will not hit until it is unpacked or dumped from memory.
        // "n" is the instruction count of the sequence; "score" is the
        // generator's internal ranking (see yara-signator) — not a confidence.
        $sequence_0 = { 8b442418 59 59 3bc7 0f8410030000 69c030020000 50 }
            // n = 7, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   3bc7                 | cmp                 eax, edi
            //   0f8410030000         | je                  0x316
            //   69c030020000         | imul                eax, eax, 0x230
            //   50                   | push                eax

        // ff15 ???????? is an indirect "call dword ptr [imm32]" (typically an
        // import thunk); the 4 address bytes are wildcarded because they depend
        // on the image base / IAT layout.  e9 ???????? is a near jmp with a
        // masked rel32 target.
        $sequence_1 = { 50 ff15???????? 83f8ff 0fb7442414 750c 889c0414020000 e9???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   0fb7442414           | movzx               eax, word ptr [esp + 0x14]
            //   750c                 | jne                 0xe
            //   889c0414020000       | mov                 byte ptr [esp + eax + 0x214], bl
            //   e9????????           |                     

        $sequence_2 = { 3bc3 750b 56 ff15???????? 3bc3 747e 68???????? }
            // n = 7, score = 200
            //   3bc3                 | cmp                 eax, ebx
            //   750b                 | jne                 0xd
            //   56                   | push                esi
            //   ff15????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   747e                 | je                  0x80
            //   68????????           |                     

        $sequence_3 = { 50 56 56 c7858cfcffff4a000000 89b5a0fcffff ff15???????? 85c0 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   56                   | push                esi
            //   56                   | push                esi
            //   c7858cfcffff4a000000     | mov    dword ptr [ebp - 0x374], 0x4a
            //   89b5a0fcffff         | mov                 dword ptr [ebp - 0x360], esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { 6689442438 8d4618 89442430 8d8620020000 89442434 8d442428 50 }
            // n = 7, score = 200
            //   6689442438           | mov                 word ptr [esp + 0x38], ax
            //   8d4618               | lea                 eax, [esi + 0x18]
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   8d8620020000         | lea                 eax, [esi + 0x220]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax

        $sequence_5 = { ffd6 8d85fcfbffff 68???????? 50 ffd3 8d85fcfbffff 57 }
            // n = 7, score = 200
            //   ffd6                 | call                esi
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   57                   | push                edi

        $sequence_6 = { 81f900140000 0f837b010000 8b8640040000 2b8648040000 0558040000 50 8944241c }
            // n = 7, score = 200
            //   81f900140000         | cmp                 ecx, 0x1400
            //   0f837b010000         | jae                 0x181
            //   8b8640040000         | mov                 eax, dword ptr [esi + 0x440]
            //   2b8648040000         | sub                 eax, dword ptr [esi + 0x448]
            //   0558040000           | add                 eax, 0x458
            //   50                   | push                eax
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax

        $sequence_7 = { 8d4608 53 50 c706???????? 895e04 ff15???????? 8b3d???????? }
            // n = 7, score = 200
            //   8d4608               | lea                 eax, [esi + 8]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   c706????????         |                     
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   ff15????????         |                     
            //   8b3d????????         |                     

        $sequence_8 = { 58 8985ac9ffeff 6a02 8985949ffeff 8d85bcfdffff 8985a49ffeff 898da89ffeff }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   8985ac9ffeff         | mov                 dword ptr [ebp - 0x16054], eax
            //   6a02                 | push                2
            //   8985949ffeff         | mov                 dword ptr [ebp - 0x1606c], eax
            //   8d85bcfdffff         | lea                 eax, [ebp - 0x244]
            //   8985a49ffeff         | mov                 dword ptr [ebp - 0x1605c], eax
            //   898da89ffeff         | mov                 dword ptr [ebp - 0x16058], ecx

        $sequence_9 = { 50 898424e4020000 ff15???????? 59 ffb424e0020000 8b4c2424 ff74241c }
            // n = 7, score = 200
            //   50                   | push                eax
            //   898424e4020000       | mov                 dword ptr [esp + 0x2e4], eax
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   ffb424e0020000       | push                dword ptr [esp + 0x2e0]
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   ff74241c             | push                dword ptr [esp + 0x1c]

    condition:
        // Any 7 of the 10 code sequences must be present, and the scanned object
        // must be smaller than 360448 bytes (352 KiB).
        // NOTE(review): `filesize` is undefined when YARA scans a running
        // process, so the size clause can suppress hits in process-memory scans
        // even though the sequences were selected from memory dumps and unpacked
        // code (see DISCLAIMER).  For memory or dump scanning, consider running
        // a copy of this rule without the filesize test.
        7 of them and filesize < 360448
}