win.devilstongue

DevilsTongue

Actor(s): Caramel Tsunami


According to Microsoft, DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities.
For files on disk, PDB paths and PE timestamps are scrubbed, strings and configuration data are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, which makes detection more difficult. Configuration and tasking data are kept separate from the malware itself, which makes analysis harder. DevilsTongue has both user-mode and kernel-mode capabilities.

References
2021-07-15 - Microsoft - Microsoft Threat Intelligence
Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware
DevilsTongue, Caramel Tsunami

There is no YARA signature yet.