win.dnspionage

DNSpionage

aka: Agent Drable, AgentDrable, Webmask

Actor(s): DNSpionage


There is no description at this point.

References

2021-04-08 | Checkpoint | Check Point Research
@online{research:20210408:irans:127f349, author = {Check Point Research}, title = {{Iran’s APT34 Returns with an Updated Arsenal}}, date = {2021-04-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/}, language = {English}, urldate = {2021-04-09} }
Iran’s APT34 Returns with an Updated Arsenal
Related: DNSpionage, SideTwist, TONEDEAF

2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Cyber Threats 2019: A Year in Retrospect
Related: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
APT Report 2019
Related: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:4d136fa, author = {SecureWorks}, title = {{COBALT EDGEWATER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater}, language = {English}, urldate = {2020-05-23} }
COBALT EDGEWATER
Related: DNSpionage, Karkoff, DNSpionage

2019-11-09 | NSFOCUS | Mina Hao
@online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} }
APT34 Event Analysis Report
Related: BONDUPDATER, DNSpionage

2019-04-23 | Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20190423:dnspionage:509e055, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage brings out the Karkoff}}, date = {2019-04-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html}, language = {English}, urldate = {2019-12-20} }
DNSpionage brings out the Karkoff
Related: DNSpionage, Karkoff, DNSpionage

2019-04-23 | Marco Ramilli
@online{ramilli:20190423:apt34:e1a7022, author = {Marco Ramilli}, title = {{APT34: webmask project}}, date = {2019-04-23}, url = {https://marcoramilli.com/2019/04/23/apt34-webmask-project/}, language = {English}, urldate = {2019-11-29} }
APT34: webmask project
Related: DNSpionage

2019-02-13 | US-CERT | US-CERT
@online{uscert:20190213:alert:6eb6b3e, author = {US-CERT}, title = {{Alert (AA19-024A): DNS Infrastructure Hijacking Campaign}}, date = {2019-02-13}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/AA19-024A}, language = {English}, urldate = {2020-01-09} }
Alert (AA19-024A): DNS Infrastructure Hijacking Campaign
Related: DNSpionage

2019-01-10 | FireEye | Muks Hirani, Sarah Jones, Ben Read
@online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} }
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
Related: DNSpionage, DNSpionage

2019-01-10 | CERT-OPMD | CERT-OPMD
@online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} }
[DNSPIONAGE] – Focus on internal actions
Related: DNSpionage

2018-11-27 | Cisco Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20181127:dnspionage:7f0b0f3, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage Campaign Targets Middle East}}, date = {2018-11-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html}, language = {English}, urldate = {2020-05-18} }
DNSpionage Campaign Targets Middle East
Related: DNSpionage, DNSpionage

2015-09-17 | F-Secure | F-Secure Global
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} }
The Dukes: 7 Years Of Russian Cyber-Espionage
Related: TwoFace, BONDUPDATER, DNSpionage
Yara Rules
[TLP:WHITE] win_dnspionage_auto (20221125 | Detects win.dnspionage.)
rule win_dnspionage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.dnspionage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { e8???????? 8be5 5d c3 8d045b 99 83e203 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d045b               | lea                 eax, [ebx + ebx*2]
            //   99                   | cdq                 
            //   83e203               | and                 edx, 3

        $sequence_1 = { 51 e8???????? 8bc8 83c404 8bc7 }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   83c404               | add                 esp, 4
            //   8bc7                 | mov                 eax, edi

        $sequence_2 = { 81e7fffdffff f7460c00020000 7511 8b4620 85c0 740a }
            // n = 6, score = 300
            //   81e7fffdffff         | and                 edi, 0xfffffdff
            //   f7460c00020000       | test                dword ptr [esi + 0xc], 0x200
            //   7511                 | jne                 0x13
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc

        $sequence_3 = { 50 eb32 83f8fe 752c 6aff 53 ff15???????? }
            // n = 7, score = 300
            //   50                   | push                eax
            //   eb32                 | jmp                 0x34
            //   83f8fe               | cmp                 eax, -2
            //   752c                 | jne                 0x2e
            //   6aff                 | push                -1
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_4 = { 884df9 85f6 7e1b 56 8d4df8 }
            // n = 5, score = 300
            //   884df9               | mov                 byte ptr [ebp - 7], cl
            //   85f6                 | test                esi, esi
            //   7e1b                 | jle                 0x1d
            //   56                   | push                esi
            //   8d4df8               | lea                 ecx, [ebp - 8]

        $sequence_5 = { 75a5 5f 5e 8b4dfc 33c0 }
            // n = 5, score = 300
            //   75a5                 | jne                 0xffffffa7
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { 0f57c0 0f1106 0f114610 660fd64620 f20f1005???????? c7460c08000000 }
            // n = 6, score = 300
            //   0f57c0               | xorps               xmm0, xmm0
            //   0f1106               | movups              xmmword ptr [esi], xmm0
            //   0f114610             | movups              xmmword ptr [esi + 0x10], xmm0
            //   660fd64620           | movq                qword ptr [esi + 0x20], xmm0
            //   f20f1005????????     |                     
            //   c7460c08000000       | mov                 dword ptr [esi + 0xc], 8

        $sequence_7 = { 0f114610 660fd64620 f20f1005???????? c7460c08000000 f20f114618 c74614ffffffff }
            // n = 6, score = 300
            //   0f114610             | movups              xmmword ptr [esi + 0x10], xmm0
            //   660fd64620           | movq                qword ptr [esi + 0x20], xmm0
            //   f20f1005????????     |                     
            //   c7460c08000000       | mov                 dword ptr [esi + 0xc], 8
            //   f20f114618           | movsd               qword ptr [esi + 0x18], xmm0
            //   c74614ffffffff       | mov                 dword ptr [esi + 0x14], 0xffffffff

        $sequence_8 = { 51 e8???????? 8b4de4 83c414 8b45ec }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83c414               | add                 esp, 0x14
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_9 = { ff15???????? 83bdf8feffff00 764a ff15???????? 85c0 7540 8b85f8feffff }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   83bdf8feffff00       | cmp                 dword ptr [ebp - 0x108], 0
            //   764a                 | jbe                 0x4c
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7540                 | jne                 0x42
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]

    condition:
        7 of them and filesize < 786432
}