win.doubleback

DOUBLEBACK


DOUBLEBACK is a fileless backdoor first publicly documented by FireEye in May 2021. It was deployed as the final payload of a phishing campaign that took place in December 2020; the threat actors behind that campaign are tracked by the researchers as UNC2529. According to their findings, DOUBLEBACK is the last stage of the delivery chain, and its task is to establish and maintain backdoor access to the compromised host.

References
2023-03-30 · loginsoft · Saharsh Agrawal
@online{agrawal:20230330:from:7b46ae0, author = {Saharsh Agrawal}, title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}}, date = {2023-03-30}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/}, language = {English}, urldate = {2023-04-14} } From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla, AsyncRAT, DOUBLEBACK, Emotet, Formbook, IcedID, NetWire RC, QakBot, Quasar RAT, RedLine Stealer, XWorm
2021-05-04 · FireEye · Nick Richard, Dimiter Andonov
@online{richard:20210504:unc2529:4213d1c, author = {Nick Richard and Dimiter Andonov}, title = {{The UNC2529 Triple Double: A Trifecta Phishing Campaign}}, date = {2021-05-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html}, language = {English}, urldate = {2021-05-19} } The UNC2529 Triple Double: A Trifecta Phishing Campaign
DOUBLEBACK
Yara Rules
[TLP:WHITE] win_doubleback_auto (20230715 | Detects win.doubleback.)
rule win_doubleback_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.doubleback."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction comments below were re-derived from the
     * hex patterns themselves; the comments originally published with this rule
     * did not correspond to these opcodes. Decoding is identical in 32- and
     * 64-bit mode for every byte sequence used here. Jump targets are given as
     * rel8 displacements ("+0x3b") rather than absolute addresses.
     *
     * Shape of the patterns (inferred from the opcodes, not confirmed against
     * the sample): sequences 0, 3, 5, 6, 7 and 8 are runs of
     * "mov ecx, imm32 ; jmp short", i.e. case bodies that each load a constant
     * and jump to a shared tail; sequences 1, 2 and 4 are "cmp eax, imm32 ;
     * jcc" ladders that would select such a case. Sequence 9 compares against
     * 32-bit immediates whose bytes are printable ASCII.
     */

    strings:
        $sequence_0 = { b9e3050000 eb3b b90b070000 eb34 2d63450000 }
            // n = 5, score = 400
            //   b9e3050000           | mov                 ecx, 0x5e3
            //   eb3b                 | jmp                 short +0x3b
            //   b90b070000           | mov                 ecx, 0x70b
            //   eb34                 | jmp                 short +0x34
            //   2d63450000           | sub                 eax, 0x4563

        $sequence_1 = { 740e 3dab3f0000 755e b9ad060000 }
            // n = 4, score = 400
            //   740e                 | je                  short +0xe
            //   3dab3f0000           | cmp                 eax, 0x3fab
            //   755e                 | jne                 short +0x5e
            //   b9ad060000           | mov                 ecx, 0x6ad

        $sequence_2 = { 742a 3d39380000 741c 3dd73a0000 740e 3dab3f0000 755e }
            // n = 7, score = 400
            //   742a                 | je                  short +0x2a
            //   3d39380000           | cmp                 eax, 0x3839
            //   741c                 | je                  short +0x1c
            //   3dd73a0000           | cmp                 eax, 0x3ad7
            //   740e                 | je                  short +0xe
            //   3dab3f0000           | cmp                 eax, 0x3fab
            //   755e                 | jne                 short +0x5e

        $sequence_3 = { b9e7050000 eb42 b9e3050000 eb3b b90b070000 eb34 2d63450000 }
            // n = 7, score = 400
            //   b9e7050000           | mov                 ecx, 0x5e7
            //   eb42                 | jmp                 short +0x42
            //   b9e3050000           | mov                 ecx, 0x5e3
            //   eb3b                 | jmp                 short +0x3b
            //   b90b070000           | mov                 ecx, 0x70b
            //   eb34                 | jmp                 short +0x34
            //   2d63450000           | sub                 eax, 0x4563

        $sequence_4 = { 774f 7446 3d00280000 7438 }
            // n = 4, score = 400
            //   774f                 | ja                  short +0x4f
            //   7446                 | je                  short +0x46
            //   3d00280000           | cmp                 eax, 0x2800
            //   7438                 | je                  short +0x38

        $sequence_5 = { b975070000 eb0c b96f070000 eb05 b911070000 }
            // n = 5, score = 400
            //   b975070000           | mov                 ecx, 0x775
            //   eb0c                 | jmp                 short +0xc
            //   b96f070000           | mov                 ecx, 0x76f
            //   eb05                 | jmp                 short +0x5
            //   b911070000           | mov                 ecx, 0x711

        $sequence_6 = { b947060000 eb49 b9e7050000 eb42 b9e3050000 }
            // n = 5, score = 400
            //   b947060000           | mov                 ecx, 0x647
            //   eb49                 | jmp                 short +0x49
            //   b9e7050000           | mov                 ecx, 0x5e7
            //   eb42                 | jmp                 short +0x42
            //   b9e3050000           | mov                 ecx, 0x5e3

        // Sub-pattern of $sequence_0 / $sequence_3: any hit on those also hits
        // this one, so the three are not independent evidence.
        $sequence_7 = { b9e3050000 eb3b b90b070000 eb34 }
            // n = 4, score = 400
            //   b9e3050000           | mov                 ecx, 0x5e3
            //   eb3b                 | jmp                 short +0x3b
            //   b90b070000           | mov                 ecx, 0x70b
            //   eb34                 | jmp                 short +0x34

        $sequence_8 = { b9ad060000 eb57 b9a7060000 eb50 b947060000 eb49 }
            // n = 6, score = 400
            //   b9ad060000           | mov                 ecx, 0x6ad
            //   eb57                 | jmp                 short +0x57
            //   b9a7060000           | mov                 ecx, 0x6a7
            //   eb50                 | jmp                 short +0x50
            //   b947060000           | mov                 ecx, 0x647
            //   eb49                 | jmp                 short +0x49

        // Both immediates are ASCII in memory order: 62 64 73 65 = "bdse",
        // 72 76 69 63 = "rvic" -- presumably a 4-byte-at-a-time string
        // comparison; what the full string is cannot be told from here.
        $sequence_9 = { 81f962647365 7511 3d72766963 750a }
            // n = 4, score = 400
            //   81f962647365         | cmp                 ecx, 0x65736462
            //   7511                 | jne                 short +0x11
            //   3d72766963           | cmp                 eax, 0x63697672
            //   750a                 | jne                 short +0xa

    condition:
        // Requires 7 of the 10 sequences (note the overlap between 0, 3 and 7
        // above). The size cap targets small unpacked images / memory dumps;
        // NOTE(review): confirm how `filesize` behaves for your scan target
        // (process memory vs. file) before relying on this cap there.
        7 of them and filesize < 106496
}