win.devilstongue (Back to overview)

DevilsTongue

Actor(s): Caramel Tsunami


According to Microsoft, DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities.
For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities.

References
2021-07-15 | Microsoft | Microsoft Threat Intelligence
Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware
DevilsTongue Caramel Tsunami
Yara Rules
[TLP:WHITE] win_devilstongue_auto (20260504 | Detects win.devilstongue.)
rule win_devilstongue_auto {
    /* Auto-generated code-sequence rule (yara-signator) for the DevilsTongue
     * family. Detection is purely byte-pattern based: ten short opcode
     * sequences lifted from disassembly, of which at least seven must be
     * present (see `condition`). No imports, strings or PE metadata are used,
     * which fits a family whose on-disk strings and configs are encrypted.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.devilstongue."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.devilstongue"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): the `//` annotations below pair each opcode byte string
     * with a mnemonic emitted by the generator, but the mnemonics do not
     * correspond to the bytes on the same line (e.g. `3d` + imm32 encodes
     * `cmp eax, imm32`, `0f84` + rel32 is `je`, `e9` + rel32 is `jmp`). The
     * `dec eax` / `dec ecx` entries look like `48`/`49` REX prefixes of
     * 64-bit code decoded as 32-bit — presumably a generator artefact,
     * confirm before quoting them. Matching is done on the hex bytes only;
     * `??` wildcards mask the 4-byte relative displacement after `e9` so the
     * sequence still matches when the jump target moves between builds.
     * The recurring `cmp eax/ecx, <32-bit constant>` chains are consistent
     * with constant (possibly hash) lookups, but that is an inference from
     * the encoding, not something this rule establishes.
     */
    strings:
        $sequence_0 = { 3d2cdd096e 0f846d010000 3d3dbb976f 759a e9???????? 4889742428 488b7c2428 }
            // n = 7, score = 100
            //   3d2cdd096e           | xor                 ecx, ecx
            //   0f846d010000         | dec                 eax
            //   3d3dbb976f           | mov                 edx, edi
            //   759a                 | dec                 ecx
            //   e9????????           |                     
            //   4889742428           | mov                 eax, esi
            //   488b7c2428           | mov                 eax, 0xde9defd7

        $sequence_1 = { 410f45c5 e9???????? b88c5552d1 e9???????? 488b442440 0fb710 4889d9 }
            // n = 7, score = 100
            //   410f45c5             | jne                 0x144c
            //   e9????????           |                     
            //   b88c5552d1           | dec                 eax
            //   e9????????           |                     
            //   488b442440           | mov                 eax, dword ptr [esp + 0x38]
            //   0fb710               | dec                 eax
            //   4889d9               | mov                 dword ptr [esp + 0x60], eax

        $sequence_2 = { 81f97feb91bd 740a 81f993a42c33 75f0 eb0b 488945c8 b993a42c33 }
            // n = 7, score = 100
            //   81f97feb91bd         | cmp                 eax, 0xdc0e6a86
            //   740a                 | je                  0xe07
            //   81f993a42c33         | cmp                 eax, 0xe4c738d5
            //   75f0                 | jne                 0xc7a
            //   eb0b                 | jg                  0xd21
            //   488945c8             | cmp                 ecx, 0x8a195a75
            //   b993a42c33           | je                  0xd81

        $sequence_3 = { 0f84ba010000 3dbfb3c1e3 0f84cb010000 3d7138f0ec 0f85b6feffff 8b44244c 8944245c }
            // n = 7, score = 100
            //   0f84ba010000         | mov                 eax, dword ptr [esp + 0x40]
            //   3dbfb3c1e3           | dec                 eax
            //   0f84cb010000         | mov                 ecx, esi
            //   3d7138f0ec           | dec                 eax
            //   0f85b6feffff         | mov                 edx, ebx
            //   8b44244c             | inc                 ecx
            //   8944245c             | mov                 eax, 0x104

        $sequence_4 = { b856061272 31db ebcc 3d7dc1b65d 7e67 3d7ec1b65d 0f84b7000000 }
            // n = 7, score = 100
            //   b856061272           | arpl                word ptr [ecx + 0x18], dx
            //   31db                 | dec                 ecx
            //   ebcc                 | mov                 ecx, edx
            //   3d7dc1b65d           | dec                 esp
            //   7e67                 | lea                 ecx, [0x34939]
            //   3d7ec1b65d           | test                al, 9
            //   0f84b7000000         | je                  0x1d03

        $sequence_5 = { b84ca412c0 e9???????? 3db31f6708 0f84b1010000 3dc98f7215 0f85f0fdffff b819f28c8b }
            // n = 7, score = 100
            //   b84ca412c0           | mov                 ebx, ecx
            //   e9????????           |                     
            //   3db31f6708           | dec                 esp
            //   0f84b1010000         | lea                 ecx, [0x16dd9]
            //   3dc98f7215           | mov                 ecx, 2
            //   0f85f0fdffff         | dec                 esp
            //   b819f28c8b           | lea                 eax, [0x16dc5]

        $sequence_6 = { 75ee b85792143b 4889ee 4881fe00100000 bf59f344aa 410f43fe 3daea7d7d8 }
            // n = 7, score = 100
            //   75ee                 | test                eax, eax
            //   b85792143b           | je                  0x100d
            //   4889ee               | jmp                 0xdc1
            //   4881fe00100000       | je                  0xddd
            //   bf59f344aa           | movzx               eax, dx
            //   410f43fe             | inc                 esp
            //   3daea7d7d8           | movzx               ecx, cx

        $sequence_7 = { b8021d4c78 3d021d4c78 7409 3db59140dc 75f2 eb07 b8b59140dc }
            // n = 7, score = 100
            //   b8021d4c78           | je                  0xe4
            //   3d021d4c78           | dec                 eax
            //   7409                 | mov                 ecx, dword ptr [ebp + 0x20]
            //   3db59140dc           | call                dword ptr [eax + 0x160]
            //   75f2                 | cmp                 byte ptr [ebp + 0x2f], 0
            //   eb07                 | test                esi, esi
            //   b8b59140dc           | je                  0x52

        $sequence_8 = { 4883ec10 4889c8 b97b298f6d 81f97b298f6d 740a 81f9c942a44b 75f0 }
            // n = 7, score = 100
            //   4883ec10             | mov                 eax, 0x7d
            //   4889c8               | mov                 ecx, 0xe4b6def8
            //   b97b298f6d           | mov                 al, byte ptr [ebp + 0x408]
            //   81f97b298f6d         | cmp                 ecx, 0xe4b6def8
            //   740a                 | je                  0x199
            //   81f9c942a44b         | cmp                 ecx, 0xc6290c57
            //   75f0                 | inc                 ecx

        $sequence_9 = { 488b442408 488b00 488b4c2418 488908 488b442418 4883c008 4889442410 }
            // n = 7, score = 100
            //   488b442408           | dec                 eax
            //   488b00               | mov                 ecx, edi
            //   488b4c2418           | dec                 eax
            //   488908               | mov                 ecx, edi
            //   488b442418           | dec                 eax
            //   4883c008             | mov                 dword ptr [eax], ebx
            //   4889442410           | dec                 eax

    // Fire when at least 7 of the 10 $sequence_* strings are present and the
    // scanned object is smaller than 990208 bytes (exactly 967 KiB). The size
    // gate bounds scan cost but also excludes larger samples or files with
    // appended data. NOTE(review): `filesize` is, to my knowledge, undefined
    // when YARA scans a live process, which would make this condition false
    // there — relevant because the page states the main DLLs are only
    // decrypted in memory. Confirm the scan target before relying on this
    // rule for memory triage; the byte sequences alone (without the size
    // check) may be the better fit for that use case.
    condition:
        7 of them and filesize < 990208
}