win.dustman

DUSTMAN


In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named "DUSTMAN" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim's network that were not wiped by the malware, NCSC assesses that the threat actor behind the attack was under some urgency to execute the files on the date of the attack, given the multiple OPSEC failures observed on the infected network. NCSC named the malware used in this attack "DUSTMAN" after the filename and a string embedded in the malware. "DUSTMAN" can be considered a new variant of the "ZeroCleare" malware, published in December 2019.

References

2021-02-28, PWC UK: "Cyber Threats 2020: A Year in Retrospect". https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf (retrieved 2021-03-04). Families covered by this report: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti Ransomware, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim Ransomware, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare.

2020-01-20, hfiref0x (The Vault Blog): "Dustman APT: Art of Copy-Paste". https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html (retrieved 2020-01-22). Families covered: DUSTMAN.

2020-01-04, Irfan Asrar (Twitter, @Irfan_Asrar): "Tweet on Dustman". https://twitter.com/Irfan_Asrar/status/1213544175355908096 (retrieved 2020-01-09). Families covered: DUSTMAN.

2019-01, Saudi Arabia CNA: "Destructive Attack “DUSTMAN” Technical Report". https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report (retrieved 2020-01-13). Families covered: DUSTMAN.

2019-01, Irfan Asrar (LinkedIn): "Destructive Attack "Dustman" Technical Report". https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/ (retrieved 2020-01-13). Families covered: DUSTMAN.
Yara Rules
[TLP:WHITE] win_dustman_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_dustman_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f45d0 33c9 498d4308 49894bd0 }
            // n = 4, score = 100
            //   0f45d0               | movaps              xmmword ptr [ebp + 0x1c0], xmm0
            //   33c9                 | movaps              xmmword ptr [ebp + 0x1d0], xmm1
            //   498d4308             | movsd               qword ptr [ebp + 0x1e0], xmm0
            //   49894bd0             | movaps              xmmword ptr [ebp + 0x1a0], xmm0

        $sequence_1 = { 4c8d054d840000 488d154e840000 e8???????? 8bcb 4885c0 740c }
            // n = 6, score = 100
            //   4c8d054d840000       | dec                 eax
            //   488d154e840000       | sub                 esp, 0x38
            //   e8????????           |                     
            //   8bcb                 | dec                 eax
            //   4885c0               | lea                 eax, [0x8555]
            //   740c                 | xor                 eax, eax

        $sequence_2 = { 488bc7 4883c420 415f 415e 5f 5e }
            // n = 6, score = 100
            //   488bc7               | test                eax, eax
            //   4883c420             | dec                 ecx
            //   415f                 | mov                 ecx, edi
            //   415e                 | dec                 eax
            //   5f                   | imul                ebx, edi
            //   5e                   | dec                 eax

        $sequence_3 = { 33ff 428d4c270f 4803c9 e8???????? 4885c0 488bf0 7509 }
            // n = 7, score = 100
            //   33ff                 | add                 edi, ecx
            //   428d4c270f           | dec                 eax
            //   4803c9               | mov                 ecx, edx
            //   e8????????           |                     
            //   4885c0               | dec                 ecx
            //   488bf0               | sub                 ecx, edx
            //   7509                 | dec                 eax

        $sequence_4 = { 66c7045e2300 83c301 85ff 7414 448bc7 488d0c5e }
            // n = 6, score = 100
            //   66c7045e2300         | je                  0x6c2
            //   83c301               | dec                 eax
            //   85ff                 | lea                 eax, [0xe145]
            //   7414                 | dec                 edx
            //   448bc7               | mov                 ecx, dword ptr [eax + ebp*8]
            //   488d0c5e             | dec                 eax

        $sequence_5 = { 741c 488d05a8600000 483bc8 7410 b801000000 f00fc1815c010000 }
            // n = 6, score = 100
            //   741c                 | mov                 edx, esi
            //   488d05a8600000       | dec                 ecx
            //   483bc8               | mov                 ecx, edi
            //   7410                 | dec                 esp
            //   b801000000           | add                 esi, esi
            //   f00fc1815c010000     | dec                 eax

        $sequence_6 = { c744242800000020 66c7045e0000 c744242003000000 ff15???????? 488bd8 ff15???????? }
            // n = 6, score = 100
            //   c744242800000020     | sub                 ecx, edx
            //   66c7045e0000         | dec                 esp
            //   c744242003000000     | lea                 ebx, [ebp + 0x1bd]
            //   ff15????????         |                     
            //   488bd8               | dec                 ecx
            //   ff15????????         |                     

        $sequence_7 = { 488d1569a10000 488d0d42a10000 e8???????? 488d1566a10000 }
            // n = 4, score = 100
            //   488d1569a10000       | dec                 ecx
            //   488d0d42a10000       | sub                 ecx, edx
            //   e8????????           |                     
            //   488d1566a10000       | dec                 esp

        $sequence_8 = { 4803fe e9???????? 0fb606 4d8bc5 4c2bc6 4a0fbebc3800b90100 }
            // n = 6, score = 100
            //   4803fe               | dec                 eax
            //   e9????????           |                     
            //   0fb606               | lea                 ecx, [0xec2d]
            //   4d8bc5               | dec                 eax
            //   4c2bc6               | mov                 dword ptr [ebx], ecx
            //   4a0fbebc3800b90100   | dec                 eax

        $sequence_9 = { 4883ec28 488d0d99450100 e8???????? 488d0da5450100 }
            // n = 4, score = 100
            //   4883ec28             | inc                 esp
            //   488d0d99450100       | mov                 dword ptr [esp + 0x20], esi
            //   e8????????           |                     
            //   488d0da5450100       | inc                 ebp

    condition:
        7 of them and filesize < 368640
}
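To make the matching semantics of the rule above concrete (hex strings with `??` wildcard bytes, the `7 of them` quorum and the `filesize < 368640` guard), here is a small Python re-implementation of just that subset of YARA. It is an added example, not Malpedia's or yara-signator's code; the ten hex strings are copied from win_dustman_auto, the byte buffers it scans are constructed in the block (they are not real samples), and for production scanning the real YARA engine (yara or yara-python) should be used rather than this toy.

```python
import re

# The ten hex strings of win_dustman_auto, copied verbatim from the rule.
SEQUENCES = {
    "sequence_0": "0f45d0 33c9 498d4308 49894bd0",
    "sequence_1": "4c8d054d840000 488d154e840000 e8???????? 8bcb 4885c0 740c",
    "sequence_2": "488bc7 4883c420 415f 415e 5f 5e",
    "sequence_3": "33ff 428d4c270f 4803c9 e8???????? 4885c0 488bf0 7509",
    "sequence_4": "66c7045e2300 83c301 85ff 7414 448bc7 488d0c5e",
    "sequence_5": "741c 488d05a8600000 483bc8 7410 b801000000 f00fc1815c010000",
    "sequence_6": "c744242800000020 66c7045e0000 c744242003000000 ff15???????? 488bd8 ff15????????",
    "sequence_7": "488d1569a10000 488d0d42a10000 e8???????? 488d1566a10000",
    "sequence_8": "4803fe e9???????? 0fb606 4d8bc5 4c2bc6 4a0fbebc3800b90100",
    "sequence_9": "4883ec28 488d0d99450100 e8???????? 488d0da5450100",
}
MAX_FILESIZE = 368640     # from the rule's condition: filesize < 368640
REQUIRED_MATCHES = 7      # from the rule's condition: 7 of them


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string (with '??' single-byte wildcards) into a bytes regex."""
    compact = hex_string.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    parts = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        # '??' matches any one byte; everything else is a literal byte.
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data):
    """Names of the rule's strings that occur at least once in the buffer."""
    return [name for name, pattern in COMPILED.items() if pattern.search(data)]


def rule_matches(data):
    """Evaluate the rule condition: 7 of them and filesize < 368640."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matching_sequences(data)) >= REQUIRED_MATCHES


def concrete_bytes(hex_string, fill=0x90):
    """Constructed helper: realise a hex string, filling each '??' with one fixed byte."""
    compact = hex_string.replace(" ", "").replace("??", "%02x" % fill)
    return bytes.fromhex(compact)


def build_sample(sequence_names, padding=b"\x00" * 64):
    """Constructed test buffer (not a real file): the chosen strings joined by zero padding."""
    return padding.join(concrete_bytes(SEQUENCES[n]) for n in sequence_names)


if __name__ == "__main__":
    seven = ["sequence_%d" % i for i in range(7)]
    print("7 strings present, small buffer:", rule_matches(build_sample(seven)))
    print("6 strings present:", rule_matches(build_sample(seven[:6])))
    print("7 strings present, oversized buffer:",
          rule_matches(build_sample(seven) + b"\x00" * MAX_FILESIZE))
```

The `DOTALL` flag matters: without it a `??` wildcard would fail to match a `0x0a` byte, which is exactly the kind of silent mismatch that makes a hand-rolled matcher disagree with YARA. The third check shows that the filesize guard is part of the condition, not an optimisation, so when such a rule is deployed against memory dumps or unpacked files (which is what the strings were generated from) the size bound needs to be reconsidered for the artefact actually being scanned.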