SYMBOLCOMMON_NAMEaka. SYNONYMS
win.derusbi (Back to overview)

Derusbi

aka: PHOTO

Actor(s): APT41, APT17, Leviathan, Stone Panda


A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

References
2021-07-07Trend MicroJoseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2020-12-26CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } Analyzing APT19 malware using a step-by-step method
Derusbi
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-23MITREMITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:axiom:b181fdb, author = {MITRE ATT&CK}, title = {{Axiom}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0001/}, language = {English}, urldate = {2022-08-30} } Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2016-03-02RSA ConferenceVanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } Dissecting Derusbi
Derusbi
2015-12-15Airbus Defence & SpaceFabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } Newcomers in the Derusbi family
Derusbi
2015-10-08Virus BulletinMicky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-02-27ThreatConnectThreatConnect Research Team
@online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-28NovettaNovetta
@techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } Derusbi (Server Variant) Analysis
Derusbi
2014-01RSARSA Research
@techreport{research:201401:rsa:5fa5815, author = {RSA Research}, title = {{RSA Incident Response: Emerging Threat Profile Shell_Crew}}, date = {2014-01}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf}, language = {English}, urldate = {2021-01-29} } RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
Yara Rules
[TLP:WHITE] win_derusbi_auto (20230715 | Detects win.derusbi.)
rule win_derusbi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.derusbi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d04c51f000000 83e0e0 99 83e207 8d1c02 c1fb03 0faf5da0 }
            // n = 7, score = 200
            //   8d04c51f000000       | lea                 eax, [eax*8 + 0x1f]
            //   83e0e0               | and                 eax, 0xffffffe0
            //   99                   | cdq                 
            //   83e207               | and                 edx, 7
            //   8d1c02               | lea                 ebx, [edx + eax]
            //   c1fb03               | sar                 ebx, 3
            //   0faf5da0             | imul                ebx, dword ptr [ebp - 0x60]

        $sequence_1 = { 68???????? ffb5f4fbffff c785f8fbffffff030000 ff15???????? 85c0 754f 83bdf0fbffff03 }
            // n = 7, score = 200
            //   68????????           |                     
            //   ffb5f4fbffff         | push                dword ptr [ebp - 0x40c]
            //   c785f8fbffffff030000     | mov    dword ptr [ebp - 0x408], 0x3ff
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   754f                 | jne                 0x51
            //   83bdf0fbffff03       | cmp                 dword ptr [ebp - 0x410], 3

        $sequence_2 = { 8d85bcfcffff 50 68???????? eb40 68???????? 56 ff15???????? }
            // n = 7, score = 200
            //   8d85bcfcffff         | lea                 eax, [ebp - 0x344]
            //   50                   | push                eax
            //   68????????           |                     
            //   eb40                 | jmp                 0x42
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_3 = { 7519 8d85fcfeffff 68???????? 50 ffd6 83bde4fdffff06 59 }
            // n = 7, score = 200
            //   7519                 | jne                 0x1b
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   83bde4fdffff06       | cmp                 dword ptr [ebp - 0x21c], 6
            //   59                   | pop                 ecx

        $sequence_4 = { 8b86b4200000 89742410 85c0 7415 6a00 ff7310 8d4b14 }
            // n = 7, score = 200
            //   8b86b4200000         | mov                 eax, dword ptr [esi + 0x20b4]
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   6a00                 | push                0
            //   ff7310               | push                dword ptr [ebx + 0x10]
            //   8d4b14               | lea                 ecx, [ebx + 0x14]

        $sequence_5 = { 6a01 ffd7 33c0 40 8b4dfc 5f 5e }
            // n = 7, score = 200
            //   6a01                 | push                1
            //   ffd7                 | call                edi
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_6 = { e8???????? c9 c3 55 8bec 81ec4c020000 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec4c020000         | sub                 esp, 0x24c

        $sequence_7 = { ffb5f4fdffff ff15???????? 59 8bd8 8d85f4fdffff 50 53 }
            // n = 7, score = 200
            //   ffb5f4fdffff         | push                dword ptr [ebp - 0x20c]
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_8 = { 50 8d8320020000 50 ff15???????? 83c40c 8d8338040000 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d8320020000         | lea                 eax, [ebx + 0x220]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8338040000         | lea                 eax, [ebx + 0x438]
            //   50                   | push                eax

        $sequence_9 = { 5b 8b8c24200a0000 33cc e8???????? 8be5 5d c20800 }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   8b8c24200a0000       | mov                 ecx, dword ptr [esp + 0xa20]
            //   33cc                 | xor                 ecx, esp
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8

    condition:
        7 of them and filesize < 360448
}
Download all Yara Rules