win.downrage

Downrage

aka: GAMEFISH

Actor(s): Sofacy


Downrage is a simple tool that facilitates the download and persistence of a next-stage tool. It collects system information and metadata, probably so that the server side can tell sandbox environments apart from real targets; it uses the domains of search engines such as Google to check for Internet connectivity; and it obfuscates its strings with an XOR scheme using a 16-byte key.

References

2019-04-18, Yoroi, ZLAB-Yoroi: APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)
@online{zlabyoroi:20190418:apt28:709f72a, author = {ZLAB-Yoroi}, title = {{APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)}}, date = {2019-04-18}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/}, language = {English}, urldate = {2020-01-06} }
Related entries: Downrage

2018-02-20, Kaspersky Labs, GReAT: A Slice of 2017 Sofacy Activity
@online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2019-12-20} }
Related entries: Downrage, Sofacy

2016-06-15, CrowdStrike, Dmitri Alperovitch: Bears in the Midst: Intrusion into the Democratic National Committee
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2019-12-20} }
Related entries: X-Agent, ATI-Agent, Downrage, SEADADDY, X-Agent, XTunnel, Sofacy

There is no YARA signature for this family yet.