win.dnspionage

DNSpionage

aka: Agent Drable, AgentDrable, Webmask

Actor(s): DNSpionage


There is no description at this point.

References
2021-04-08  Checkpoint (Check Point Research)
  Iran’s APT34 Returns with an Updated Arsenal
  Tags: DNSpionage, SideTwist, TONEDEAF

2020-03-03  PWC UK
  Cyber Threats 2019: A Year in Retrospect
  Tags: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-02-13  Qianxin (Qi Anxin Threat Intelligence Center)
  APT Report 2019
  Tags: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020-01-01  Secureworks
  COBALT EDGEWATER
  Tags: DNSpionage, Karkoff, DNSpionage

2019-11-09  NSFOCUS (Mina Hao)
  APT34 Event Analysis Report
  Tags: BONDUPDATER, DNSpionage

2019-11-07  Virus Bulletin (Paul Rascagnères, Warren Mercer)
  DNS on Fire
  Tags: DNSpionage, Sea Turtle

2019-04-23  Marco Ramilli
  APT34: webmask project
  Tags: DNSpionage

2019-04-23  Talos (Paul Rascagnères, Warren Mercer)
  DNSpionage brings out the Karkoff
  Tags: DNSpionage, Karkoff, DNSpionage

2019-02-13  US-CERT
  Alert (AA19-024A): DNS Infrastructure Hijacking Campaign
  Tags: DNSpionage

2019-01-10  CERT-OPMD
  [DNSPIONAGE] – Focus on internal actions
  Tags: DNSpionage

2019-01-10  FireEye (Ben Read, Muks Hirani, Sarah Jones)
  Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
  Tags: DNSpionage, DNSpionage

2019-01-09  Mandiant (Ben Read, Muks Hirani, Sarah Jones)
  Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
  Tags: DNSpionage, Sea Turtle

2018-11-27  Cisco Talos (Paul Rascagnères, Warren Mercer)
  DNSpionage Campaign Targets Middle East
  Tags: DNSpionage, DNSpionage

2015-09-17  F-Secure (F-Secure Global)
  The Dukes: 7 Years Of Russian Cyber-Espionage
  Tags: TwoFace, BONDUPDATER, DNSpionage
Yara Rules
[TLP:WHITE] win_dnspionage_auto (20230808 | Detects win.dnspionage.)
rule win_dnspionage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dnspionage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7470c00020000 7507 8bc8 e8???????? 894320 85c0 }
            // n = 6, score = 300
            //   f7470c00020000       | test                dword ptr [edi + 0xc], 0x200
            //   7507                 | jne                 9
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   894320               | mov                 dword ptr [ebx + 0x20], eax
            //   85c0                 | test                eax, eax

        $sequence_1 = { 50 8d45f4 50 6a13 57 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   6a13                 | push                0x13
            //   57                   | push                edi

        $sequence_2 = { 0f1f8000000000 8bc7 8d5001 8a08 40 84c9 75f9 }
            // n = 7, score = 300
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8bc7                 | mov                 eax, edi
            //   8d5001               | lea                 edx, [eax + 1]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb

        $sequence_3 = { c7450c00000000 8d4d0c ba???????? 51 8d4df4 51 }
            // n = 6, score = 300
            //   c7450c00000000       | mov                 dword ptr [ebp + 0xc], 0
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]
            //   ba????????           |                     
            //   51                   | push                ecx
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx

        $sequence_4 = { 83f97f 7307 be7f000000 eb11 8bf7 8d4e01 0f1f00 }
            // n = 7, score = 300
            //   83f97f               | cmp                 ecx, 0x7f
            //   7307                 | jae                 9
            //   be7f000000           | mov                 esi, 0x7f
            //   eb11                 | jmp                 0x13
            //   8bf7                 | mov                 esi, edi
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   0f1f00               | nop                 dword ptr [eax]

        $sequence_5 = { 33f6 397510 762c 8b45f0 }
            // n = 4, score = 300
            //   33f6                 | xor                 esi, esi
            //   397510               | cmp                 dword ptr [ebp + 0x10], esi
            //   762c                 | jbe                 0x2e
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_6 = { 8b4810 e8???????? a3???????? e9???????? }
            // n = 4, score = 300
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   e8????????           |                     
            //   a3????????           |                     
            //   e9????????           |                     

        $sequence_7 = { 57 8bfa 85f6 0f8487000000 85ff 0f847f000000 }
            // n = 6, score = 300
            //   57                   | push                edi
            //   8bfa                 | mov                 edi, edx
            //   85f6                 | test                esi, esi
            //   0f8487000000         | je                  0x8d
            //   85ff                 | test                edi, edi
            //   0f847f000000         | je                  0x85

        $sequence_8 = { 7202 8b12 56 52 8d8518feffff }
            // n = 5, score = 300
            //   7202                 | jb                  4
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   56                   | push                esi
            //   52                   | push                edx
            //   8d8518feffff         | lea                 eax, [ebp - 0x1e8]

        $sequence_9 = { 8bce 8903 83c408 c1e902 }
            // n = 4, score = 300
            //   8bce                 | mov                 ecx, esi
            //   8903                 | mov                 dword ptr [ebx], eax
            //   83c408               | add                 esp, 8
            //   c1e902               | shr                 ecx, 2

    condition:
        7 of them and filesize < 786432
}