win.dnspionage

DNSpionage

aka: Agent Drable, AgentDrable, Webmask

Actor(s): DNSpionage


There is no description at this point.

References
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:cobalt:4d136fa, author = {SecureWorks}, title = {{COBALT EDGEWATER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater}, language = {English}, urldate = {2020-05-23} } COBALT EDGEWATER
DNSpionage Karkoff DNSpionage
2019-11-09 — NSFOCUS — Mina Hao
@online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } APT34 Event Analysis Report
BONDUPDATER DNSpionage
2019-04-23 — Marco Ramilli
@online{ramilli:20190423:apt34:e1a7022, author = {Marco Ramilli}, title = {{APT34: webmask project}}, date = {2019-04-23}, url = {https://marcoramilli.com/2019/04/23/apt34-webmask-project/}, language = {English}, urldate = {2019-11-29} } APT34: webmask project
DNSpionage
2019-04-23 — Talos — Warren Mercer, Paul Rascagnères
@online{mercer:20190423:dnspionage:509e055, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage brings out the Karkoff}}, date = {2019-04-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html}, language = {English}, urldate = {2019-12-20} } DNSpionage brings out the Karkoff
DNSpionage Karkoff DNSpionage
2019-02-13 — US-CERT — US-CERT
@online{uscert:20190213:alert:6eb6b3e, author = {US-CERT}, title = {{Alert (AA19-024A): DNS Infrastructure Hijacking Campaign}}, date = {2019-02-13}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/AA19-024A}, language = {English}, urldate = {2020-01-09} } Alert (AA19-024A): DNS Infrastructure Hijacking Campaign
DNSpionage
2019-01-10 — FireEye — Muks Hirani, Sarah Jones, Ben Read
@online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} } Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
DNSpionage DNSpionage
2019-01-10 — CERT-OPMD — CERT-OPMD
@online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } [DNSPIONAGE] – Focus on internal actions
DNSpionage
2018-11-27 — Cisco Talos — Warren Mercer, Paul Rascagnères
@online{mercer:20181127:dnspionage:7f0b0f3, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage Campaign Targets Middle East}}, date = {2018-11-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html}, language = {English}, urldate = {2020-05-18} } DNSpionage Campaign Targets Middle East
DNSpionage DNSpionage
2015-09-17 — F-Secure — F-Secure Global
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage
Yara Rules
[TLP:WHITE] win_dnspionage_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_dnspionage_auto {

    // Provenance and sharing metadata for this autogenerated rule; kept verbatim
    // so the rule can be traced back to its Malpedia family page and generator.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section
     * Each $sequence_N is a short run of 32-bit x86 instruction bytes taken from
     * the disassembly; the commented listing under each one shows the decoded
     * instructions. "??" bytes are wildcards: here they cover the 32-bit operand
     * of "a1" (mov eax, [absolute address]) and "e8" (call rel32), which change
     * with relocation and link layout, so the pattern does not depend on them.
     * Since the rule was derived from unpacked code, it is expected to match on
     * memory dumps or unpacked samples rather than on packed files on disk.
     */


    strings:
        $sequence_0 = { 81ec00020000 a1???????? 33c5 8945fc 56 8d8500feffff 8bf1 }
            // n = 7, score = 200
            //   81ec00020000         | sub                 esp, 0x200
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   8d8500feffff         | lea                 eax, [ebp - 0x200]
            //   8bf1                 | mov                 esi, ecx

        $sequence_1 = { 885102 83c103 894df0 33f6 }
            // n = 4, score = 200
            //   885102               | mov                 byte ptr [ecx + 2], dl
            //   83c103               | add                 ecx, 3
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   33f6                 | xor                 esi, esi

        $sequence_2 = { 84c0 75f9 2bd1 8bc7 33c9 03c2 }
            // n = 6, score = 200
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bd1                 | sub                 edx, ecx
            //   8bc7                 | mov                 eax, edi
            //   33c9                 | xor                 ecx, ecx
            //   03c2                 | add                 eax, edx

        $sequence_3 = { 8d4e01 51 e8???????? 83c404 8bd8 56 57 }
            // n = 7, score = 200
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bd8                 | mov                 ebx, eax
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_4 = { 46 84c0 75f9 2bf1 3bde 0f8da0000000 0fbe043b }
            // n = 7, score = 200
            //   46                   | inc                 esi
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bf1                 | sub                 esi, ecx
            //   3bde                 | cmp                 ebx, esi
            //   0f8da0000000         | jge                 0xa6
            //   0fbe043b             | movsx               eax, byte ptr [ebx + edi]

        $sequence_5 = { 3bc2 730e 803c0820 7706 40 8945e4 }
            // n = 6, score = 200
            //   3bc2                 | cmp                 eax, edx
            //   730e                 | jae                 0x10
            //   803c0820             | cmp                 byte ptr [eax + ecx], 0x20
            //   7706                 | ja                  8
            //   40                   | inc                 eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_6 = { c0fa04 8ac8 c0e102 80e203 02d1 8345ec03 8b5de0 }
            // n = 7, score = 200
            //   c0fa04               | sar                 dl, 4
            //   8ac8                 | mov                 cl, al
            //   c0e102               | shl                 cl, 2
            //   80e203               | and                 dl, 3
            //   02d1                 | add                 dl, cl
            //   8345ec03             | add                 dword ptr [ebp - 0x14], 3
            //   8b5de0               | mov                 ebx, dword ptr [ebp - 0x20]

        $sequence_7 = { be7f000000 eb11 8bf7 8d4e01 0f1f00 }
            // n = 5, score = 200
            //   be7f000000           | mov                 esi, 0x7f
            //   eb11                 | jmp                 0x13
            //   8bf7                 | mov                 esi, edi
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   0f1f00               | nop                 dword ptr [eax]

        $sequence_8 = { 51 e8???????? 8b4de4 83c414 8b45ec }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83c414               | add                 esp, 0x14
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_9 = { 57 8b7d08 85db 7534 6a01 }
            // n = 5, score = 200
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   85db                 | test                ebx, ebx
            //   7534                 | jne                 0x36
            //   6a01                 | push                1

    condition:
        // Match when at least 7 of the 10 byte sequences are present, so a
        // rebuilt sample that loses a few sequences can still be caught, and
        // only for inputs smaller than 786432 bytes (768 KiB) — presumably a
        // bound on scan cost and on incidental hits in very large files.
        7 of them and filesize < 786432
}