win.dnspionage

DNSpionage

aka: Agent Drable, AgentDrable, Webmask

Actor(s): DNSpionage


There is no description at this point.

References
2021-04-08 | Checkpoint | Check Point Research: Iran’s APT34 Returns with an Updated Arsenal
@online{research:20210408:irans:127f349, author = {Check Point Research}, title = {{Iran’s APT34 Returns with an Updated Arsenal}}, date = {2021-04-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/}, language = {English}, urldate = {2021-04-09} }
Families: DNSpionage SideTwist TONEDEAF

2020-03-03 | PWC UK | PWC UK: Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center: APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks: COBALT EDGEWATER
@online{secureworks:2020:cobalt:4d136fa, author = {SecureWorks}, title = {{COBALT EDGEWATER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater}, language = {English}, urldate = {2020-05-23} }
Families: DNSpionage Karkoff DNSpionage

2019-11-09 | NSFOCUS | Mina Hao: APT34 Event Analysis Report
@online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} }
Families: BONDUPDATER DNSpionage

2019-04-23 | Marco Ramilli: APT34: webmask project
@online{ramilli:20190423:apt34:e1a7022, author = {Marco Ramilli}, title = {{APT34: webmask project}}, date = {2019-04-23}, url = {https://marcoramilli.com/2019/04/23/apt34-webmask-project/}, language = {English}, urldate = {2019-11-29} }
Families: DNSpionage

2019-04-23 | Talos | Warren Mercer, Paul Rascagnères: DNSpionage brings out the Karkoff
@online{mercer:20190423:dnspionage:509e055, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage brings out the Karkoff}}, date = {2019-04-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html}, language = {English}, urldate = {2019-12-20} }
Families: DNSpionage Karkoff DNSpionage

2019-02-13 | US-CERT | US-CERT: Alert (AA19-024A): DNS Infrastructure Hijacking Campaign
@online{uscert:20190213:alert:6eb6b3e, author = {US-CERT}, title = {{Alert (AA19-024A): DNS Infrastructure Hijacking Campaign}}, date = {2019-02-13}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/AA19-024A}, language = {English}, urldate = {2020-01-09} }
Families: DNSpionage

2019-01-10 | FireEye | Muks Hirani, Sarah Jones, Ben Read: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
@online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} }
Families: DNSpionage DNSpionage

2019-01-10 | CERT-OPMD | CERT-OPMD: [DNSPIONAGE] – Focus on internal actions
@online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} }
Families: DNSpionage

2018-11-27 | Cisco Talos | Warren Mercer, Paul Rascagnères: DNSpionage Campaign Targets Middle East
@online{mercer:20181127:dnspionage:7f0b0f3, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage Campaign Targets Middle East}}, date = {2018-11-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html}, language = {English}, urldate = {2020-05-18} }
Families: DNSpionage DNSpionage

2015-09-17 | F-Secure | F-Secure Global: The Dukes: 7 Years Of Russian Cyber-Espionage
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} }
Families: TwoFace BONDUPDATER DNSpionage
Yara Rules
[TLP:WHITE] win_dnspionage_auto (20210616 | Detects win.dnspionage.)
rule win_dnspionage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.dnspionage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b8abaaaaaa f7e1 d1ea 42 8bc2 2503000080 }
            // n = 6, score = 300
            //   b8abaaaaaa           | mov                 eax, 0xaaaaaaab
            //   f7e1                 | mul                 ecx
            //   d1ea                 | shr                 edx, 1
            //   42                   | inc                 edx
            //   8bc2                 | mov                 eax, edx
            //   2503000080           | and                 eax, 0x80000003

        $sequence_1 = { 85f6 7e14 8bcb 2bfb 8bd6 }
            // n = 5, score = 300
            //   85f6                 | test                esi, esi
            //   7e14                 | jle                 0x16
            //   8bcb                 | mov                 ecx, ebx
            //   2bfb                 | sub                 edi, ebx
            //   8bd6                 | mov                 edx, esi

        $sequence_2 = { 0bf1 0bf8 83eb01 75e1 8bc7 99 33c2 }
            // n = 7, score = 300
            //   0bf1                 | or                  esi, ecx
            //   0bf8                 | or                  edi, eax
            //   83eb01               | sub                 ebx, 1
            //   75e1                 | jne                 0xffffffe3
            //   8bc7                 | mov                 eax, edi
            //   99                   | cdq                 
            //   33c2                 | xor                 eax, edx

        $sequence_3 = { 8d4e01 0f94c3 0f1f4000 8a06 46 84c0 75f9 }
            // n = 7, score = 300
            //   8d4e01               | lea                 ecx, dword ptr [esi + 1]
            //   0f94c3               | sete                bl
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   46                   | inc                 esi
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb

        $sequence_4 = { 46 84c0 75f9 2bf1 3bde 0f8da0000000 0fbe043b }
            // n = 7, score = 300
            //   46                   | inc                 esi
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bf1                 | sub                 esi, ecx
            //   3bde                 | cmp                 ebx, esi
            //   0f8da0000000         | jge                 0xa6
            //   0fbe043b             | movsx               eax, byte ptr [ebx + edi]

        $sequence_5 = { c6000a 40 015e08 c60000 8b3f }
            // n = 5, score = 300
            //   c6000a               | mov                 byte ptr [eax], 0xa
            //   40                   | inc                 eax
            //   015e08               | add                 dword ptr [esi + 8], ebx
            //   c60000               | mov                 byte ptr [eax], 0
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_6 = { 4e c0fa04 c0e102 80e203 }
            // n = 4, score = 300
            //   4e                   | dec                 esi
            //   c0fa04               | sar                 dl, 4
            //   c0e102               | shl                 cl, 2
            //   80e203               | and                 dl, 3

        $sequence_7 = { e8???????? 50 ba50000000 b9???????? }
            // n = 4, score = 300
            //   e8????????           |                     
            //   50                   | push                eax
            //   ba50000000           | mov                 edx, 0x50
            //   b9????????           |                     

        $sequence_8 = { e8???????? 8b4d08 8d7bff 83c404 c745f800000000 c645ff00 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d7bff               | lea                 edi, dword ptr [ebx - 1]
            //   83c404               | add                 esp, 4
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   c645ff00             | mov                 byte ptr [ebp - 1], 0

        $sequence_9 = { babb010000 b9???????? e8???????? 83c420 }
            // n = 4, score = 300
            //   babb010000           | mov                 edx, 0x1bb
            //   b9????????           |                     
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20

    condition:
        7 of them and filesize < 786432
}