SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dustman (Back to overview)

DUSTMAN

VTCollection    

In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named "DUSTMAN" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack "DUSTMAN" after the filename and string embedded in the malware. "DUSTMAN" can be considered as a new variant of "ZeroCleare" malware,
published in December 2019.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-01-20The Vault Bloghfiref0x
Dustman APT: Art of Copy-Paste
DUSTMAN
2020-01-04Twitter (@Irfan_Asrar)Irfan Asrar
Tweet on Dustman
DUSTMAN
2019-01-01LinkedIn Irfan AsrarIrfan Asrar
Destructive Attack "Dustman" Technical Report
DUSTMAN
2019-01-01Saudi Arabia CNASaudi Arabia CNA
Destructive Attack “DUSTMAN” Technical Report
DUSTMAN
Yara Rules
[TLP:WHITE] win_dustman_auto (20230808 | Detects win.dustman.)
rule win_dustman_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dustman."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d150d620100 4b8d1c36 4c897710 4c8bc3 488bce }
            // n = 5, score = 100
            //   488d150d620100       | ret                 
            //   4b8d1c36             | dec                 eax
            //   4c897710             | mov                 dword ptr [esp + 8], ebx
            //   4c8bc3               | vmulsd              xmm1, xmm1, qword ptr [ecx + eax*8]
            //   488bce               | dec                 esp

        $sequence_1 = { 448d4303 895c2428 488d0ddb720000 4533c9 4489442420 }
            // n = 5, score = 100
            //   448d4303             | dec                 eax
            //   895c2428             | mov                 ebx, dword ptr [esp + 0x50]
            //   488d0ddb720000       | dec                 eax
            //   4533c9               | mov                 ebp, dword ptr [esp + 0x58]
            //   4489442420           | dec                 ebx

        $sequence_2 = { 4903cb 48894d48 488bca 492bca 4c8d9dca010000 4903cb 48894d50 }
            // n = 7, score = 100
            //   4903cb               | lea                 ebx, [ebp + 0x1d8]
            //   48894d48             | dec                 ecx
            //   488bca               | add                 ecx, ebx
            //   492bca               | dec                 eax
            //   4c8d9dca010000       | mov                 dword ptr [ebp + 0xc0], ecx
            //   4903cb               | dec                 eax
            //   48894d50             | mov                 ecx, edx

        $sequence_3 = { 884803 420fb60c20 884804 420fb60c28 884805 0fb60c10 }
            // n = 6, score = 100
            //   884803               | dec                 esp
            //   420fb60c20           | lea                 eax, [0xb343]
            //   884804               | inc                 eax
            //   420fb60c28           | push                ebx
            //   884805               | dec                 eax
            //   0fb60c10             | sub                 esp, 0x20

        $sequence_4 = { f20f102d???????? f20f590d???????? f20f59ee f20f5ce9 f2410f1004c1 488d15767f0000 f20f1014c2 }
            // n = 7, score = 100
            //   f20f102d????????     |                     
            //   f20f590d????????     |                     
            //   f20f59ee             | mov                 byte ptr [eax + 0x44], cl
            //   f20f5ce9             | dec                 eax
            //   f2410f1004c1         | mov                 ecx, dword ptr [ebp + 0x128]
            //   488d15767f0000       | movzx               ecx, byte ptr [ecx + eax]
            //   f20f1014c2           | mov                 byte ptr [eax + 0x45], cl

        $sequence_5 = { 7405 e8???????? b001 4883c428 c3 488d158ba50000 }
            // n = 6, score = 100
            //   7405                 | add                 ecx, 0x4e
            //   e8????????           |                     
            //   b001                 | dec                 eax
            //   4883c428             | lea                 eax, [eax + 0x4e]
            //   c3                   | inc                 ecx
            //   488d158ba50000       | cmp                 eax, 0x4e

        $sequence_6 = { 492bca 4c8d9dcd010000 4903cb 48894d68 488bca 492bca 4c8d9dce010000 }
            // n = 7, score = 100
            //   492bca               | mov                 edi, eax
            //   4c8d9dcd010000       | repne scasd         eax, dword ptr es:[edi]
            //   4903cb               | dec                 eax
            //   48894d68             | not                 ecx
            //   488bca               | dec                 eax
            //   492bca               | lea                 edi, [ecx - 1]
            //   4c8d9dce010000       | jmp                 0x10eb

        $sequence_7 = { 488d053f1f0000 498b0b 4889442450 488b85e0040000 4889442460 486385f0040000 }
            // n = 6, score = 100
            //   488d053f1f0000       | sub                 ecx, edx
            //   498b0b               | dec                 esp
            //   4889442450           | lea                 ebx, [ebp + 0x1b5]
            //   488b85e0040000       | dec                 ecx
            //   4889442460           | add                 ecx, ebx
            //   486385f0040000       | dec                 eax

        $sequence_8 = { e8???????? 4885c0 7509 488d0597420100 eb04 4883c024 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   4885c0               | add                 esi, ecx
            //   7509                 | dec                 eax
            //   488d0597420100       | mov                 ecx, edx
            //   eb04                 | dec                 ecx
            //   4883c024             | sub                 ecx, edx

        $sequence_9 = { 48c1e028 480bd8 0fb6852e020000 48c1e030 480bd8 0fb6852f020000 48c1e038 }
            // n = 7, score = 100
            //   48c1e028             | mov                 dword ptr [ebp - 0x38], ecx
            //   480bd8               | dec                 eax
            //   0fb6852e020000       | mov                 ecx, edx
            //   48c1e030             | dec                 ecx
            //   480bd8               | sub                 ecx, edx
            //   0fb6852f020000       | dec                 ecx
            //   48c1e038             | sub                 ecx, edx

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules