SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dustman (Back to overview)

DUSTMAN


In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named "DUSTMAN" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack "DUSTMAN" after the filename and string embedded in the malware. "DUSTMAN" can be considered as a new variant of "ZeroCleare" malware,
published in December 2019.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-01-20The Vault Bloghfiref0x
@online{hfiref0x:20200120:dustman:70f16bf, author = {hfiref0x}, title = {{Dustman APT: Art of Copy-Paste}}, date = {2020-01-20}, organization = {The Vault Blog}, url = {https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html}, language = {English}, urldate = {2020-01-22} } Dustman APT: Art of Copy-Paste
DUSTMAN
2020-01-04Twitter (@Irfan_Asrar)Irfan Asrar
@online{asrar:20200104:dustman:8df5168, author = {Irfan Asrar}, title = {{Tweet on Dustman}}, date = {2020-01-04}, organization = {Twitter (@Irfan_Asrar)}, url = {https://twitter.com/Irfan_Asrar/status/1213544175355908096}, language = {English}, urldate = {2020-01-09} } Tweet on Dustman
DUSTMAN
2019-01Saudi Arabia CNASaudi Arabia CNA
@online{cna:201901:destructive:38ed2c3, author = {Saudi Arabia CNA}, title = {{Destructive Attack “DUSTMAN” Technical Report}}, date = {2019-01}, organization = {Saudi Arabia CNA}, url = {https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report}, language = {English}, urldate = {2020-01-13} } Destructive Attack “DUSTMAN” Technical Report
DUSTMAN
2019-01LinkedIn Irfan AsrarIrfan Asrar
@online{asrar:201901:destructive:f4cc200, author = {Irfan Asrar}, title = {{Destructive Attack "Dustman" Technical Report}}, date = {2019-01}, organization = {LinkedIn Irfan Asrar}, url = {https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/}, language = {English}, urldate = {2020-01-13} } Destructive Attack "Dustman" Technical Report
DUSTMAN
Yara Rules
[TLP:WHITE] win_dustman_auto (20221125 | Detects win.dustman.)
rule win_dustman_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.dustman."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f8296f5ffff 488b8570010000 488b4008 0fbe18 660f6f05???????? f30f7f8590010000 664489b580010000 }
            // n = 7, score = 100
            //   0f8296f5ffff         | dec                 eax
            //   488b8570010000       | lea                 eax, [0xffff1fd2]
            //   488b4008             | dec                 edx
            //   0fbe18               | mov                 edx, dword ptr [eax + 0x1c960]
            //   660f6f05????????     |                     
            //   f30f7f8590010000     | inc                 edx
            //   664489b580010000     | mov                 cl, byte ptr [edx + esi*8 + 0x3d]

        $sequence_1 = { 4053 4883ec20 488bd9 4c8d0d54b30000 33c9 }
            // n = 5, score = 100
            //   4053                 | dec                 esp
            //   4883ec20             | lea                 ebx, [ebp + 0x1ec]
            //   488bd9               | dec                 ecx
            //   4c8d0d54b30000       | add                 ecx, ebx
            //   33c9                 | dec                 eax

        $sequence_2 = { 488b4d50 0fb60c01 88482a 488b4d58 0fb60c01 88482b }
            // n = 6, score = 100
            //   488b4d50             | add                 ecx, edx
            //   0fb60c01             | dec                 eax
            //   88482a               | mov                 dword ptr [ebp + 0x168], ecx
            //   488b4d58             | dec                 eax
            //   0fb60c01             | mov                 edx, dword ptr [esp + 0x30]
            //   88482b               | dec                 esp

        $sequence_3 = { 8bd0 e8???????? 488d152f900100 488d4c2420 e8???????? }
            // n = 5, score = 100
            //   8bd0                 | je                  0xcac
            //   e8????????           |                     
            //   488d152f900100       | mov                 eax, dword ptr [esp + 0x74]
            //   488d4c2420           | dec                 eax
            //   e8????????           |                     

        $sequence_4 = { 75dd 488d056be30000 483bd8 74d1 }
            // n = 4, score = 100
            //   75dd                 | lea                 edx, [0x7cb2]
            //   488d056be30000       | movsd               xmm2, qword ptr [edx + eax*8]
            //   483bd8               | vaddsd              xmm2, xmm2, xmm5
            //   74d1                 | dec                 eax

        $sequence_5 = { 782e 3b0d???????? 7326 4863c9 488d153cde0000 488bc1 83e13f }
            // n = 7, score = 100
            //   782e                 | xor                 edx, edx
            //   3b0d????????         |                     
            //   7326                 | dec                 eax
            //   4863c9               | lea                 esi, [ebx + 0x128]
            //   488d153cde0000       | mov                 ebp, 6
            //   488bc1               | dec                 eax
            //   83e13f               | lea                 edi, [ebx + 0x38]

        $sequence_6 = { 488d05a8600000 483bc8 7410 b801000000 }
            // n = 4, score = 100
            //   488d05a8600000       | cmp                 eax, edi
            //   483bc8               | dec                 eax
            //   7410                 | mov                 dword ptr [ecx + 0x90], eax
            //   b801000000           | dec                 eax

        $sequence_7 = { 0f280d???????? 0f298dd0010000 f20f1005???????? f20f1185e0010000 8b05???????? }
            // n = 5, score = 100
            //   0f280d????????       |                     
            //   0f298dd0010000       | add                 ecx, ebx
            //   f20f1005????????     |                     
            //   f20f1185e0010000     | dec                 eax
            //   8b05????????         |                     

        $sequence_8 = { 420fb60c10 884808 420fb60c18 884809 488b4c2450 0fb60c08 88480a }
            // n = 7, score = 100
            //   420fb60c10           | mov                 byte ptr [eax + 0x47], cl
            //   884808               | dec                 eax
            //   420fb60c18           | mov                 ecx, dword ptr [ebp + 0x140]
            //   884809               | movzx               ecx, byte ptr [ecx + eax]
            //   488b4c2450           | mov                 byte ptr [eax + 0x48], cl
            //   0fb60c08             | dec                 eax
            //   88480a               | mov                 ecx, dword ptr [ebp + 0x140]

        $sequence_9 = { 4803fe e9???????? 0fb606 4d8bc5 4c2bc6 4a0fbebc3800b90100 8d4f01 }
            // n = 7, score = 100
            //   4803fe               | dec                 ecx
            //   e9????????           |                     
            //   0fb606               | sub                 ecx, edx
            //   4d8bc5               | dec                 esp
            //   4c2bc6               | lea                 ebx, [ebp + 0x1a8]
            //   4a0fbebc3800b90100     | dec    ecx
            //   8d4f01               | add                 ecx, ebx

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules