win.graphsteel (Back to overview)

GraphSteel


This malware was observed during the cyberattacks on Ukrainian state organizations. It is one of two Go-written backdoors used in those attacks and is attributed to UAC-0056 (also tracked as SaintBear, UNC2589 and TA471).

References
2022-04-07 | InQuest | Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-07 | Malpedia | Malpedia
@online{malpedia:20220407:malpedia:9d3108e, author = {Malpedia}, title = {{Malpedia Page for GraphSteel}}, date = {2022-04-07}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel}, language = {English}, urldate = {2022-05-05} } Malpedia Page for GraphSteel
GraphSteel SaintBear
2022-04-04 | Intezer | Joakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02 | GovInfo Security | Prajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-03-28 | Cert-UA | Cert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-03-28} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora
2022-03-15 | SentinelOne | Amitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_graphsteel_auto (20220516 | Detects win.graphsteel.)
rule win_graphsteel_auto {

    // Autogenerated code-sequence rule for the GraphSteel backdoor (win.graphsteel).
    // Matching is purely structural: ten 7-instruction byte sequences lifted from the
    // disassembly of a single documented sample, with call/jump displacements
    // wildcarded (`??`) so that relocation and link-order differences do not break them.
    // There are no string, import or config-based indicators in this rule; pair it
    // with behavioural or network detections rather than relying on it alone.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.graphsteel."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel"
        malpedia_rule_date = "20220513"
        // malpedia_hash identifies the Malpedia corpus snapshot the rule was generated
        // against, not a sample hash; use the reference URL above for sample context.
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the mnemonic column in the per-byte comments below is a
    // generator artifact and does not correspond to the bytes on the same line
    // (for example `ffd2` encodes `call edx`, `4889c3` encodes `mov rbx, rax`,
    // and `31c0` encodes `xor eax, eax`). Only the hex patterns are matched by
    // YARA and only they should be treated as authoritative; do not use the
    // mnemonics for triage or for explaining a hit to an analyst.
    // The `????????` wildcards follow e8 (call rel32), e9 (jmp rel32) and
    // ff15 (call [rip+disp32]) opcodes, i.e. they mask 4-byte targets.
    strings:
        $sequence_0 = { ffd2 4889c3 31c0 e8???????? 84c0 0f851e0a0000 488b942468010000 }
            // n = 7, score = 100
            //   ffd2                 | dec                 eax
            //   4889c3               | lea                 eax, [ecx + ecx*4]
            //   31c0                 | nop                 
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   0f851e0a0000         | lea                 eax, [0x8a8bdd]
            //   488b942468010000     | nop                 dword ptr [eax + eax]

        $sequence_1 = { ff15???????? 4c89e1 e8???????? b80b000000 48c70300000000 4883c420 5b }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   4c89e1               | add                 esp, 0x68
            //   e8????????           |                     
            //   b80b000000           | lea                 esi, [eax - 1]
            //   48c70300000000       | test                ebx, ebx
            //   4883c420             | jle                 0xc71
            //   5b                   | lea                 edx, [ebx - 1]

        $sequence_2 = { f606fd 0f84b5000000 807e5400 7840 bb00000000 7425 0f1f840000000000 }
            // n = 7, score = 100
            //   f606fd               | je                  0xa44
            //   0f84b5000000         | dec                 ecx
            //   807e5400             | mov                 eax, ebx
            //   7840                 | mov                 edx, edi
            //   bb00000000           | dec                 esp
            //   7425                 | mov                 ecx, esp
            //   0f1f840000000000     | lea                 eax, [ebp + 2]

        $sequence_3 = { ff9180000000 0fb75314 8b4310 39c2 0f84c6010000 0fb74b16 4c8d040f }
            // n = 7, score = 100
            //   ff9180000000         | shl                 ebp, 5
            //   0fb75314             | dec                 eax
            //   8b4310               | add                 eax, 1
            //   39c2                 | nop                 
            //   0f84c6010000         | dec                 eax
            //   0fb74b16             | mov                 edx, ecx
            //   4c8d040f             | dec                 eax

        $sequence_4 = { e8???????? 488b542478 0fb65c2426 488b742430 4c8b842488000000 4c8b4c2440 4c8b9424b8010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b542478           | movzx               ebp, byte ptr [ebp + ecx]
            //   0fb65c2426           | lea                 ecx, [ebx + 1]
            //   488b742430           | dec                 eax
            //   4c8b842488000000     | arpl                cx, cx
            //   4c8b4c2440           | movzx               ecx, byte ptr [ebp + ecx]
            //   4c8b9424b8010000     | test                ebx, ebx

        $sequence_5 = { 48f7df 48c1ff3f 4821df 4801fe 4889d7 e9???????? 4889d8 }
            // n = 7, score = 100
            //   48f7df               | dec                 eax
            //   48c1ff3f             | mov                 ecx, dword ptr [esp + 0xe0]
            //   4821df               | dec                 eax
            //   4801fe               | mov                 dword ptr [eax + 0x10], ecx
            //   4889d7               | dec                 eax
            //   e9????????           |                     
            //   4889d8               | mov                 ebx, eax

        $sequence_6 = { 81fbad000000 7506 410fb65c2402 83fb24 0f84cc030000 4c8d3db61b5000 bd01000000 }
            // n = 7, score = 100
            //   81fbad000000         | jne                 0x1a9
            //   7506                 | jae                 0x1da
            //   410fb65c2402         | dec                 eax
            //   83fb24               | lea                 eax, [0x491c48]
            //   0f84cc030000         | dec                 eax
            //   4c8d3db61b5000       | mov                 edi, dword ptr [esp + 0xf8]
            //   bd01000000           | dec                 eax

        // $sequence_6 and $sequence_7 contain absolute rip-relative displacements
        // (4c8d3db61b5000, 488d0d1ab44c00) that are NOT wildcarded; these are the
        // sequences most likely to break on a rebuilt or differently linked binary.
        $sequence_7 = { f6c280 743a 488d0d1ab44c00 48894c2420 48c74424281d000000 488b442420 bb1d000000 }
            // n = 7, score = 100
            //   f6c280               | mov                 dword ptr [esp + 0x58], edx
            //   743a                 | dec                 eax
            //   488d0d1ab44c00       | add                 eax, dword ptr [esp + 0x48]
            //   48894c2420           | mov                 edx, 0x202c
            //   48c74424281d000000     | mov    word ptr [eax], dx
            //   488b442420           | lea                 edx, [eax + 2]
            //   bb1d000000           | cmp                 edx, dword ptr [esp + 0x50]

        $sequence_8 = { e8???????? 8b44247c e9???????? 418b5640 4c8b6c2470 8994248c000000 e9???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b44247c             | xor                 ecx, ecx
            //   e9????????           |                     
            //   418b5640             | dec                 eax
            //   4c8b6c2470           | mov                 ecx, eax
            //   8994248c000000       | mov                 ebp, eax
            //   e9????????           |                     

        $sequence_9 = { e8???????? e9???????? 4531ff e9???????? 41b804000000 488d154f1c5100 4c89e9 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   4531ff               | cmp                 byte ptr [ecx + 0x12], 0
            //   e9????????           |                     
            //   41b804000000         | je                  0x1cc
            //   488d154f1c5100       | test                bl, bl
            //   4c89e9               | mov                 ebx, edx

    // 7 of the 10 sequences must be present, which tolerates some code drift but
    // still ties the rule to this sample's code layout; expect misses on recompiled
    // builds and treat a hit as a strong, sample-derived code-similarity signal.
    // The filesize bound is presumably derived from the documented sample and acts
    // as a scan-cost guard; a padded or differently packed build larger than this
    // will not be matched even if all sequences are present -- TODO confirm origin.
    condition:
        7 of them and filesize < 19812352
}