SYMBOLCOMMON_NAMEaka. SYNONYMS
win.derusbi (Back to overview)

Derusbi

aka: PHOTO

Actor(s): APT41, Axiom, Leviathan, Stone Panda


A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

References
2021-07-07Trend MicroJoseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2020-12-26CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } Analyzing APT19 malware using a step-by-step method
Derusbi
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2016-03-02RSA ConferenceVanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } Dissecting Derusbi
Derusbi
2015-12-15Airbus Defence & SpaceFabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } Newcomers in the Derusbi family
Derusbi
2015-10-08Virus BulletinMicky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-02-27ThreatConnectThreatConnect Research Team
@online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-28NovettaNovetta
@techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } Derusbi (Server Variant) Analysis
Derusbi
2014-01RSARSA Research
@techreport{research:201401:rsa:5fa5815, author = {RSA Research}, title = {{RSA Incident Response: Emerging Threat Profile Shell_Crew}}, date = {2014-01}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf}, language = {English}, urldate = {2021-01-29} } RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
Yara Rules
[TLP:WHITE] win_derusbi_auto (20220516 | Detects win.derusbi.)
rule win_derusbi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.derusbi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 59 59 85c0 750d ff75a8 ff75b0 }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   ff75a8               | push                dword ptr [ebp - 0x58]
            //   ff75b0               | push                dword ptr [ebp - 0x50]

        $sequence_1 = { 740b 56 ff15???????? 33c0 eb0e 8b85f4fbffff 89b00c010000 }
            // n = 7, score = 200
            //   740b                 | je                  0xd
            //   56                   | push                esi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   eb0e                 | jmp                 0x10
            //   8b85f4fbffff         | mov                 eax, dword ptr [ebp - 0x40c]
            //   89b00c010000         | mov                 dword ptr [eax + 0x10c], esi

        $sequence_2 = { 50 ffb5f4feffff c785f0feffff04010000 ff15???????? 85c0 7441 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ffb5f4feffff         | push                dword ptr [ebp - 0x10c]
            //   c785f0feffff04010000     | mov    dword ptr [ebp - 0x110], 0x104
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7441                 | je                  0x43

        $sequence_3 = { 8b85f0fdffff ffb088000000 058c000000 50 ffb5ecfdffff ff15???????? 85c0 }
            // n = 7, score = 200
            //   8b85f0fdffff         | mov                 eax, dword ptr [ebp - 0x210]
            //   ffb088000000         | push                dword ptr [eax + 0x88]
            //   058c000000           | add                 eax, 0x8c
            //   50                   | push                eax
            //   ffb5ecfdffff         | push                dword ptr [ebp - 0x214]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8bbe9c000000 53 c6868b00000000 e8???????? 85c0 7e35 e8???????? }
            // n = 7, score = 200
            //   8bbe9c000000         | mov                 edi, dword ptr [esi + 0x9c]
            //   53                   | push                ebx
            //   c6868b00000000       | mov                 byte ptr [esi + 0x8b], 0
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7e35                 | jle                 0x37
            //   e8????????           |                     

        $sequence_5 = { 50 8b8614020000 ffb5e0fdffff 69c00c030000 8d843024040000 50 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8b8614020000         | mov                 eax, dword ptr [esi + 0x214]
            //   ffb5e0fdffff         | push                dword ptr [ebp - 0x220]
            //   69c00c030000         | imul                eax, eax, 0x30c
            //   8d843024040000       | lea                 eax, [eax + esi + 0x424]
            //   50                   | push                eax

        $sequence_6 = { 8d8574ffffff 50 ffd6 8d85ecf4ffff 50 ffd7 b900040000 }
            // n = 7, score = 200
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d85ecf4ffff         | lea                 eax, [ebp - 0xb14]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   b900040000           | mov                 ecx, 0x400

        $sequence_7 = { 5f 83a5f0f3ffff00 8d85f0f3ffff 50 8d4608 e8???????? 84c0 }
            // n = 7, score = 200
            //   5f                   | pop                 edi
            //   83a5f0f3ffff00       | and                 dword ptr [ebp - 0xc10], 0
            //   8d85f0f3ffff         | lea                 eax, [ebp - 0xc10]
            //   50                   | push                eax
            //   8d4608               | lea                 eax, [esi + 8]
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_8 = { 3bc7 752f 8b442420 69c030020000 50 898424e4020000 ff15???????? }
            // n = 7, score = 200
            //   3bc7                 | cmp                 eax, edi
            //   752f                 | jne                 0x31
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   69c030020000         | imul                eax, eax, 0x230
            //   50                   | push                eax
            //   898424e4020000       | mov                 dword ptr [esp + 0x2e4], eax
            //   ff15????????         |                     

        $sequence_9 = { 0f8451010000 53 6a00 57 ff15???????? 8b8564ffffff 83c40c }
            // n = 7, score = 200
            //   0f8451010000         | je                  0x157
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   83c40c               | add                 esp, 0xc

    condition:
        7 of them and filesize < 360448
}
Download all Yara Rules