win.dnspionage

DNSpionage

aka: Agent Drable, AgentDrable, Webmask

Actor(s): DNSpionage


There is no description at this point.

References
2021-04-08 | Checkpoint | Check Point Research
@online{research:20210408:irans:127f349, author = {Check Point Research}, title = {{Iran’s APT34 Returns with an Updated Arsenal}}, date = {2021-04-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/}, language = {English}, urldate = {2021-04-09} } Iran’s APT34 Returns with an Updated Arsenal
DNSpionage SideTwist TONEDEAF
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:4d136fa, author = {SecureWorks}, title = {{COBALT EDGEWATER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater}, language = {English}, urldate = {2020-05-23} } COBALT EDGEWATER
DNSpionage Karkoff DNSpionage
2019-11-09 | NSFOCUS | Mina Hao
@online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } APT34 Event Analysis Report
BONDUPDATER DNSpionage
2019-04-23 | Marco Ramilli
@online{ramilli:20190423:apt34:e1a7022, author = {Marco Ramilli}, title = {{APT34: webmask project}}, date = {2019-04-23}, url = {https://marcoramilli.com/2019/04/23/apt34-webmask-project/}, language = {English}, urldate = {2019-11-29} } APT34: webmask project
DNSpionage
2019-04-23 | Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20190423:dnspionage:509e055, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage brings out the Karkoff}}, date = {2019-04-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html}, language = {English}, urldate = {2019-12-20} } DNSpionage brings out the Karkoff
DNSpionage Karkoff DNSpionage
2019-02-13 | US-CERT | US-CERT
@online{uscert:20190213:alert:6eb6b3e, author = {US-CERT}, title = {{Alert (AA19-024A): DNS Infrastructure Hijacking Campaign}}, date = {2019-02-13}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/AA19-024A}, language = {English}, urldate = {2020-01-09} } Alert (AA19-024A): DNS Infrastructure Hijacking Campaign
DNSpionage
2019-01-10 | FireEye | Muks Hirani, Sarah Jones, Ben Read
@online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} } Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
DNSpionage DNSpionage
2019-01-10 | CERT-OPMD | CERT-OPMD
@online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } [DNSPIONAGE] – Focus on internal actions
DNSpionage
2018-11-27 | Cisco Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20181127:dnspionage:7f0b0f3, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage Campaign Targets Middle East}}, date = {2018-11-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html}, language = {English}, urldate = {2020-05-18} } DNSpionage Campaign Targets Middle East
DNSpionage DNSpionage
2015-09-17 | F-Secure | F-Secure Global
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage
Yara Rules
[TLP:WHITE] win_dnspionage_auto (20211008 | Detects win.dnspionage.)
rule win_dnspionage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.dnspionage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945f8 83cbff 8b450c 56 8b7514 8945f0 8b451c }
            // n = 7, score = 300
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   83cbff               | or                  ebx, 0xffffffff
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   8b7514               | mov                 esi, dword ptr [ebp + 0x14]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]

        $sequence_1 = { c645ff01 8d5101 8a01 41 84c0 75f9 2bca }
            // n = 7, score = 300
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   8d5101               | lea                 edx, dword ptr [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bca                 | sub                 ecx, edx

        $sequence_2 = { 9f f6c444 8d45e0 7b15 68???????? 50 }
            // n = 6, score = 300
            //   9f                   | lahf                
            //   f6c444               | test                ah, 0x44
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   7b15                 | jnp                 0x17
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_3 = { e8???????? 8bd3 c6041e00 83c40c 8d4a01 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   8bd3                 | mov                 edx, ebx
            //   c6041e00             | mov                 byte ptr [esi + ebx], 0
            //   83c40c               | add                 esp, 0xc
            //   8d4a01               | lea                 ecx, dword ptr [edx + 1]

        $sequence_4 = { eb02 33ff 6a10 e8???????? 8bf0 83c404 85f6 }
            // n = 7, score = 300
            //   eb02                 | jmp                 4
            //   33ff                 | xor                 edi, edi
            //   6a10                 | push                0x10
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi

        $sequence_5 = { 85db 0f849b000000 85ff 744b b9???????? }
            // n = 5, score = 300
            //   85db                 | test                ebx, ebx
            //   0f849b000000         | je                  0xa1
            //   85ff                 | test                edi, edi
            //   744b                 | je                  0x4d
            //   b9????????           |                     

        $sequence_6 = { 8bc3 56 33f6 0bc2 57 }
            // n = 5, score = 300
            //   8bc3                 | mov                 eax, ebx
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   0bc2                 | or                  eax, edx
            //   57                   | push                edi

        $sequence_7 = { ba04000000 c6430400 e8???????? 8bf0 8bcb 8bd6 e8???????? }
            // n = 7, score = 300
            //   ba04000000           | mov                 edx, 4
            //   c6430400             | mov                 byte ptr [ebx + 4], 0
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8bcb                 | mov                 ecx, ebx
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     

        $sequence_8 = { 85d2 7413 2bfe 8a06 8d7601 41 }
            // n = 6, score = 300
            //   85d2                 | test                edx, edx
            //   7413                 | je                  0x15
            //   2bfe                 | sub                 edi, esi
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8d7601               | lea                 esi, dword ptr [esi + 1]
            //   41                   | inc                 ecx

        $sequence_9 = { 33c5 8945fc 8a4508 384120 7512 b001 8b4dfc }
            // n = 7, score = 300
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8a4508               | mov                 al, byte ptr [ebp + 8]
            //   384120               | cmp                 byte ptr [ecx + 0x20], al
            //   7512                 | jne                 0x14
            //   b001                 | mov                 al, 1
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 786432
}