GraphDrop (Malware Family)

GraphDrop

aka: GraphicalProton, SPICYBEAT

PANW Unit 42 describes this malware as capable of up and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as C&C channel.

References

2023-09-22 ⋅ Mandiant ⋅ Luke Jenkins, Josh Atkins, Dan Black
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)

2023-07-27 ⋅ Recorded Future ⋅ Insikt Group
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop GraphicalNeutrino QUARTERRIG

2023-07-25 ⋅ Avertium ⋅ Avertium
EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED
GraphDrop

2023-07-12 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Diplomats Beware: Cloaked Ursa Phishing With a Twist
GraphDrop

Yara Rules

[TLP:WHITE] win_graphdown_w0 (20230728 | Detects unpacked GraphicalProton samples)

rule win_graphdown_w0 {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2023-05-11"
        description = "Detects unpacked GraphicalProton samples"
        version = "1.0"
        hash = "38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534"
        hash = "60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdown"
        malpedia_rule_date = "20230728"
        malpedia_hash = ""
        malpedia_version = "20230728"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
        
    strings:
        $chaskey = { 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 08 89 08 4? 8b 44 ?4 08 8b 48 04 c1 e9 1b 4? 8b 44 ?4 08
        8b 50 04 c1 e2 05 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 0c 4? 8b 44 ?4 08 03 48 08
        89 48 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 18 4? 8b 44 ?4 08 8b 50 0c c1 e2 08 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4
        08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 4? 8b 44 ?4 08 03 48 08 89 48 08 4? 8b 44 ?4 08 8b 08 c1 e9 10 4? 8b 44 ?4 08 8b
        10 c1 e2 10 09 d1 4? 8b 44 ?4 08 03 48 0c 4? 8b 44 ?4 08 89 08 4? 8b 44 ?4 08 8b 48 0c c1 e9 13 4? 8b 44 ?4 08 8b 50
        0c c1 e2 0d 09 d1 4? 8b 44 ?4 08 33 08 4? 8b 44 ?4 08 89 48 0c 4? 8b 44 ?4 08 8b 48 04 c1 e9 19 4? 8b 44 ?4 08 8b 50
        04 c1 e2 07 09 d1 4? 8b 44 ?4 08 33 48 08 4? 8b 44 ?4 08 89 48 04 4? 8b 44 ?4 08 8b 48 08 c1 e9 10 4? 8b 44 ?4 08 8b
        50 08 c1 e2 10 09 d1 4? 8b 44 ?4 08 89 48 08 }
        
        $decrypt = { 8b 44 ?? ?? 89 c1 0f b6 44 0c 50 4? 8b 4c ?? ?? 8b 54 ?? ?? 4? 89 d0 4? 0f b6 14 01 31 c2 4? 88 14
        01 8b 44 ?? ?? 83 c0 01 89 44 ?? ?? e9 ?? ?? ?? ?? 8b 44 ?? ?? 8b 4c ?? ?? 29 c1 89 4c ?? ?? 8b 44 ?? ?? 4? 8b 54 ??
        ?? 89 c0 4? 89 c0 4? 01 c2 4? 89 54 ?? ?? }
        
        $bmp_header = { 66 c7 00 42 4d c7 40 02 00 00 00 00 66 c7 40 06 00 00 66 c7 40 08 00 00 c7 40 0a 00 00 00 00 59 c3 }
        
        $parse_bmp = { 89 02 4? 8b 4? ?? ba 03 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 04 4? 8b 4? ?? ba
        07 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 08 4? 8b 4? ?? ba 09 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b
        08 4? 8b 4? ?? 66 4? 89 48 0a 4? 8b 4? ?? ba 0b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 0c 4? 8b 4? ??
        ba 0f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 10 4? 8b 4? ?? ba 13 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4?
        8b 4? ?? 4? 89 40 14 4? 8b 4? ?? ba 17 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 18 4? 8b 4? ?? ba 1b 00
        00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4? 8b 4? ?? 66 4? 89 48 1c 4? 8b 4? ?? ba 1d 00 00 00 e8 ?? ?? ?? ?? 66 4? 8b 08 4?
        8b 4? ?? 66 4? 89 48 1e 4? 8b 4? ?? ba 1f 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 20 4? 8b 4? ?? ba 23
        00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 24 4? 8b 4? ?? ba 27 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4?
        ?? 4? 89 40 28 4? 8b 4? ?? ba 2b 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 2c 4? 8b 4? ?? ba 2f 00 00 00
        e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89 40 30 4? 8b 4? ?? ba 33 00 00 00 e8 ?? ?? ?? ?? 4? 8b 00 4? 8b 4? ?? 4? 89
        40 34 4? 8b 40 14 4? 89 4? ?? 4? 8b 40 18 4? 89 4? ?? 4? 8b 4? ?? 4? 0f af 4? ?? 4? 6b c0 03 4? 89 4? ?? 4? 8b 4? ??
        4? c1 e8 03 4? 83 e8 36 4? 89 40 38 }
    condition:
        uint16(0) == 0x5a4d
        and filesize > 1MB
        and all of them
}

Download all Yara Rules

GraphDrop Propose Change

References

Yara Rules

GraphDrop