win.graphdrop

GraphDrop

aka: GraphicalProton, SPICYBEAT

Actor(s): APT29


PANW Unit 42 describes this malware as capable of uploading and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and the Dropbox API as C&C channels.

References
2023-12-13 | CISA | CISA
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
GraphDrop
2023-12-13 | Fortinet | Amey Gat, Angelo Cris Deveraturda, Hongkei Chan, Jared Betts, Jayesh Zala, John Simmons, Ken Evans, Mark Robson
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793
GraphDrop
2023-09-22 | Mandiant | Dan Black, Josh Atkins, Luke Jenkins
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4, Cobalt Strike, EnvyScout, GraphDrop, QUARTERRIG, sRDI, Unidentified 107 (APT29)
2023-07-27 | Recorded Future | Insikt Group
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop, GraphicalNeutrino, QUARTERRIG
2023-07-25 | Avertium | Avertium
EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED
GraphDrop
2023-07-12 | Palo Alto Networks Unit 42 | Unit 42
Diplomats Beware: Cloaked Ursa Phishing With a Twist
GraphDrop
Yara Rules
[TLP:WHITE] win_graphdown_w0   (20230728 | Detects unpacked GraphicalProton samples)
// Recorded Future signature for unpacked GraphicalProton, listed on this page under
// win.graphdrop. The rule identifier and malpedia_reference still say "win.graphdown";
// presumably an earlier slug for the same family - confirm before keying anything on the name.
// All four patterns are code that re-reads its state pointer from the stack before almost
// every operation (the recurring "4? 8b 44 ?4 08" = mov rax,[rsp+8]), which looks like
// unoptimised codegen; a differently optimised build is unlikely to hit these patterns.
rule win_graphdown_w0 {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2023-05-11"
        description = "Detects unpacked GraphicalProton samples"
        version = "1.0"
        hash = "38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534"
        hash = "60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdown"
        malpedia_rule_date = "20230728"
        malpedia_hash = ""
        malpedia_version = "20230728"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // One round of a Chaskey-style permutation. Each shr/shl/or triple is a rotate-left
        // done by hand: shr 0x1b + shl 5 (rol 5), shr 0x18 + shl 8 (rol 8), shr 0x10 + shl 0x10
        // (rol 16), shr 0x13 + shl 0xd (rol 13), shr 0x19 + shl 7 (rol 7), shr 0x10 + shl 0x10
        // (rol 16) - the 5/8/16/13/7/16 schedule of a Chaskey round, operating on a
        // four-dword state at [rax], [rax+4], [rax+8], [rax+0xc].
        $chaskey_round = { 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 08 89 08 4? 8b 44 ?4 08 8b 48 04 c1 e9 1b 4? 8b 44 ?4 08
        8b 50 04 c1 e2 05 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 0c 4? 8b 44 ?4 08 03 48 08
        89 48 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 18 4? 8b 44 ?4 08 8b 50 0c c1 e2 08 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4
        08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 48 08 89 48 08 4? 8b 44 ?4 08 8b 08 c1 e9 10 4? 8b 44 ?4 08 8b
        10 c1 e2 10 09 d1 4? 8b 44 ?4 08 03 48 0c 4? 8b 44 ?4 08 89 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 13 4? 8b 44 ?4 08 8b 50
        0c c1 e2 0d 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 c1 e9 19 4? 8b 44 ?4 08 8b 50
        04 c1 e2 07 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 08 c1 e9 10 4? 8b 44 ?4 08 8b
        50 08 c1 e2 10 09 d1 4? 8b 44 ?4 08 89 48 08 }

        // Byte-wise XOR loop: movzx eax, byte [rsp+rcx+0x50] fetches one byte from a stack
        // buffer, it is XORed (31 c2) into a byte of a second buffer and written back
        // (4? 88 14 01), a counter is incremented (83 c0 01) and the loop jumps back (e9).
        // Which buffer is key and which is data cannot be told from the bytes alone.
        $xor_loop = { 8b 44 ?? ?? 89 c1 0f b6 44 0c 50 4? 8b 4c ?? ?? 8b 54 ?? ?? 4? 89 d0 4? 0f b6 14 01 31 c2 4? 88 14
        01 8b 44 ?? ?? 83 c0 01 89 44 ?? ?? e9 ?? ?? ?? ?? 8b 44 ?? ?? 8b 4c ?? ?? 29 c1 89 4c ?? ?? 8b 44 ?? ?? 4? 8b 54 ??
        ?? 89 c0 4? 89 c0 4? 01 c2 4? 89 54 ?? ?? }

        // Emits a 14-byte BITMAPFILEHEADER: "BM" (42 4d) at +0, then zeroed bfSize (+2),
        // the two reserved words (+6, +8) and bfOffBits (+0xa), followed by pop rcx / ret.
        $bmp_hdr_write = { 66 c7 00 42 4d c7 40 02 00 00 00 00 66 c7 40 06 00 00 66 c7 40 08 00 00 c7 40 0a 00 00 00 00 59 c3 }

        // Parses a BMP header: a helper is called with edx = 3, 7, 9, 0xb, 0xf, 0x13, ...,
        // 0x33 and each result is stored into a struct at +4, +8, +0xa, +0xc, +0x10, ...;
        // the edx values are one more than the BITMAPFILEHEADER/BITMAPINFOHEADER field
        // offsets and the 2-byte (66-prefixed) vs 4-byte stores match those fields' widths.
        // The tail multiplies two stored fields (0f af), scales by 3 (6b c0 03), shifts
        // right by 3 (c1 e8 03) and subtracts 0x36 (83 e8 36) - 54 being the combined
        // header size. Consistent with sizing a payload carried in the pixel data; confirm
        // against a sample before documenting it as such.
        $bmp_hdr_read = { 89 02 4? 8b 4? ?? ba 03 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 04 4? 8b 4? ?? ba
        07 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 08 4? 8b 4? ?? ba 09 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b
        08 4? 8b 4? ?? 66 4? 89 48 0a 4? 8b 4? ?? ba 0b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 0c 4? 8b 4? ??
        ba 0f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 10 4? 8b 4? ?? ba 13 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4?
        8b 4? ?? 4? 89 40 14 4? 8b 4? ?? ba 17 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 18 4? 8b 4? ?? ba 1b 00
        00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 1c 4? 8b 4? ?? ba 1d 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4?
        8b 4? ?? 66 4? 89 48 1e 4? 8b 4? ?? ba 1f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 20 4? 8b 4? ?? ba 23
        00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 24 4? 8b 4? ?? ba 27 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4?
        ?? 4? 89 40 28 4? 8b 4? ?? ba 2b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 2c 4? 8b 4? ?? ba 2f 00 00 00
        e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 30 4? 8b 4? ?? ba 33 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89
        40 34 4? 8b 40 14 4? 89 4? ?? 4? 8b 40 18 4? 89 4? ?? 4? 8b 4? ?? 4? 0f af 4? ?? 4? 6b c0 03 4? 89 4? ?? 4? 8b 4? ??
        4? c1 e8 03 4? 83 e8 36 4? 89 40 38 }

    condition:
        // "MZ" at offset 0 (big-endian view of the same two bytes), a size floor of
        // 1 MiB (written as 1MB in the original), and every one of the four code patterns.
        uint16be(0) == 0x4d5a
        and filesize > 1048576
        and $chaskey_round and $xor_loop and $bmp_hdr_write and $bmp_hdr_read
}
[TLP:WHITE] win_graphdrop_auto (20230808 | Detects win.graphdrop.)
rule win_graphdrop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.graphdrop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - The "| mnemonic" column next to each byte sequence below does not correspond to the
     *   bytes on that line (e.g. 90 is nop, 4154 is push r12 in x64, yet they are annotated
     *   as je / mov). Treat those annotations as generator artefacts, not as disassembly.
     * - Read as x64, the sequences are push/pop pairs around nop, emms (0f77),
     *   mov r13,1 (49c7c501000000) and dec r13 / dec r9 (49ffcd / 49ffc9): short, low-entropy
     *   patterns that may also appear in unrelated code built with a similar code-inflation
     *   scheme - presumably why the generator scores them at 300, but confirm.
     * - The meta fields disagree on dates (date 2023-12-06, malpedia_rule_date 20231130,
     *   malpedia_version 20230808); check which one reflects the sample set before citing it.
     */

    strings:
        $sequence_0 = { 4154 90 415c 90 }
            // n = 4, score = 300
            //   4154                 | je                  0x1f84
            //   90                   | mov                 dword ptr [esp + 0x84], 0xfffffffe
            //   415c                 | cmp                 edx, dword ptr [ecx + 0x12]
            //   90                   | dec                 eax

        $sequence_1 = { 4155 49c7c501000000 4150 4152 415a }
            // n = 5, score = 300
            //   4155                 | dec                 eax
            //   49c7c501000000       | mov                 eax, dword ptr [ebx + 0x10]
            //   4150                 | jne                 0x6f4
            //   4152                 | dec                 eax
            //   415a                 | and                 dword ptr [esp + 0x70], 0

        $sequence_2 = { 52 0f77 90 5a }
            // n = 4, score = 300
            //   52                   | inc                 ecx
            //   0f77                 | mov                 ecx, 4
            //   90                   | inc                 ecx
            //   5a                   | mov                 eax, 0x3000

        $sequence_3 = { 0f77 0f77 5b 0f77 }
            // n = 4, score = 300
            //   0f77                 | pslld               mm5, 0x50
            //   0f77                 | inc                 ecx
            //   5b                   | pop                 ecx
            //   0f77                 | inc                 ecx

        $sequence_4 = { 49c7c501000000 4150 4152 415a 4158 }
            // n = 5, score = 300
            //   49c7c501000000       | jmp                 0x1106
            //   4150                 | inc                 esp
            //   4152                 | mov                 ah, byte ptr [ebp + 0x50]
            //   415a                 | inc                 esp
            //   4158                 | mov                 dword ptr [ebp - 0x20], ebx

        $sequence_5 = { 52 50 58 5a 49ffc9 }
            // n = 5, score = 300
            //   52                   | inc                 esp
            //   50                   | mov                 dh, byte ptr [esp + 0x30]
            //   58                   | dec                 esp
            //   5a                   | mov                 ebx, dword ptr [esp + 0x68]
            //   49ffc9               | je                  0x39c

        $sequence_6 = { 49c7c501000000 4150 4152 415a 4158 49ffcd }
            // n = 6, score = 300
            //   49c7c501000000       | dec                 eax
            //   4150                 | mov                 ecx, dword ptr [ebp + 0x188]
            //   4152                 | dec                 eax
            //   415a                 | lea                 eax, [ebp + 0x128]
            //   4158                 | dec                 eax
            //   49ffcd               | mov                 dword ptr [ebp - 0x40], ecx

        $sequence_7 = { 4150 4152 415a 4158 }
            // n = 4, score = 300
            //   4150                 | dec                 esp
            //   4152                 | mov                 dword ptr [esp + 0x18], eax
            //   415a                 | psadbw              mm2, mm4
            //   4158                 | inc                 ecx

        $sequence_8 = { 4155 49c7c501000000 4150 4152 415a 4158 49ffcd }
            // n = 7, score = 300
            //   4155                 | dec                 eax
            //   49c7c501000000       | mov                 eax, dword ptr [ebp - 0x30]
            //   4150                 | dec                 eax
            //   4152                 | add                 eax, 0x98
            //   415a                 | dec                 eax
            //   4158                 | mov                 dword ptr [esp + 0x10], edx
            //   49ffcd               | push                ebp

        $sequence_9 = { 4152 415a 4158 49ffcd }
            // n = 4, score = 300
            //   4152                 | sub                 byte ptr [edx], dh
            //   415a                 | rol                 byte ptr [ebx + 0x47cb9], 0
            //   4158                 | add                 dh, byte ptr [ebp + 0xd]
            //   49ffcd               | xor                 al, al

    condition:
        // "7 of them" is weaker than it reads: the bytes of $sequence_8 contain $sequence_1,
        // $sequence_4, $sequence_6, $sequence_7 and $sequence_9, so a single occurrence of
        // that 16-byte run already satisfies six of the ten strings, and one more hit from
        // $sequence_0/2/3/5 (4-5 bytes each) completes the condition. Use this as a hunting /
        // triage rule and corroborate with win_graphdown_w0 or other evidence before acting.
        7 of them and filesize < 4186112
}