win.graphsteel (Back to overview)

GraphSteel


This malware was observed in the cyberattacks on Ukrainian state authorities reported by CERT-UA in March 2022 (CERT-UA#4293). It is one of two Go-written backdoors used in that campaign — the other being GrimPlant — and is attributed to UAC-0056 (also tracked as SaintBear, UNC2589 and TA471).

References
2023-05-16SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20230516:growing:c703021, author = {Counter Threat Unit ResearchTeam}, title = {{The Growing Threat from Infostealers}}, date = {2023-05-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/the-growing-threat-from-infostealers}, language = {English}, urldate = {2023-07-31} } The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-07-20MandiantMandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-25BitdefenderMartin Zugec
@online{zugec:20220425:deep:9d3f4ba, author = {Martin Zugec}, title = {{Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine}}, date = {2022-04-25}, organization = {Bitdefender}, url = {https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine}, language = {English}, urldate = {2023-02-27} } Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
GraphSteel GrimPlant
2022-04-07MalpediaMalpedia
@online{malpedia:20220407:malpedia:9d3108e, author = {Malpedia}, title = {{Malpedia Page for GraphSteel}}, date = {2022-04-07}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel}, language = {English}, urldate = {2022-05-05} } Malpedia Page for GraphSteel
GraphSteel SaintBear
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-04IntezerJoakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02GovInfo SecurityPrajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-03-28Cert-UACert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_graphsteel_auto (20230715 | Detects win.graphsteel.)
rule win_graphsteel_auto {
    // Auto-generated code-sequence signature for the GraphSteel Go backdoor
    // (Malpedia: win.graphsteel). Read the DISCLAIMER and the NOTE(review)
    // block below before assigning this rule a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.graphsteel."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - The mnemonic annotations beside each hex line do NOT describe those
     *   bytes. The sequences are x86-64 (REX prefixes 0x48/0x49/0x4c/0x41/0x44
     *   throughout), but the annotations are 32-bit decodings and also appear
     *   shifted relative to the bytes (e.g. "eb0d" is a short jmp, not
     *   "dec eax"; a lone 0x48 decoded as 32-bit is "dec eax"). Re-disassemble
     *   the hex as x86-64 before reusing a sequence elsewhere. For reference,
     *   $sequence_0 decodes as: jmp +0x0d; mov rdi, rax; mov rdx, [rsp+0x70];
     *   call ...; xor ebx, ebx; lea rcx, [rip+0x5b4fa8]; mov rdi, rax.
     * - Per the disclaimer, the sequences come from unpacked files and memory
     *   dumps, so apply the rule to memory or unpacked samples; a packed
     *   on-disk sample may not match.
     * - The "????" wildcards mask call/jmp targets and one data reference, so
     *   the sequences are position-independent, but the RIP-relative
     *   displacements in the lea instructions are fixed and tie the rule to
     *   the analyzed build's layout.
     * - Several sequences look like Go ABI/stack-frame boilerplate
     *   (register moves, [rsp+N] loads, RIP-relative lea); lowering the
     *   "7 of them" threshold may cause hits on unrelated Go binaries --
     *   validate on a clean Go corpus before changing it.
     */


    strings:
        $sequence_0 = { eb0d 4889c7 488b542470 e8???????? 31db 488d0da84f5b00 4889c7 }
            // n = 7, score = 100
            //   eb0d                 | dec                 eax
            //   4889c7               | mov                 dword ptr [eax + 0xb8], 4
            //   488b542470           | dec                 eax
            //   e8????????           |                     
            //   31db                 | mov                 dword ptr [eax + 0x80], edx
            //   488d0da84f5b00       | jmp                 0x7d
            //   4889c7               | dec                 eax

        $sequence_1 = { eb11 488d7818 488b8c24f0000000 e8???????? 48c740101c000000 488d0d0d555300 48894808 }
            // n = 7, score = 100
            //   eb11                 | mov                 dword ptr [esp + 0xc0], edx
            //   488d7818             | dec                 eax
            //   488b8c24f0000000     | mov                 dword ptr [esp + 0xc8], eax
            //   e8????????           |                     
            //   48c740101c000000     | dec                 eax
            //   488d0d0d555300       | mov                 eax, dword ptr [esp + 0xb0]
            //   48894808             | dec                 eax

        $sequence_2 = { e8???????? 448b5c2478 4585db 0f859de1ffff 488b9424b8000000 4889d9 bd02000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   448b5c2478           | nop                 
            //   4585db               | dec                 eax
            //   0f859de1ffff         | mov                 dword ptr [eax + 0x10], ecx
            //   488b9424b8000000     | dec                 eax
            //   4889d9               | mov                 ebx, eax
            //   bd02000000           | dec                 eax

        $sequence_3 = { 898424b0000000 413b8594000000 0f8d34060000 48638424b0000000 8d5001 488d0c40 498b8588000000 }
            // n = 7, score = 100
            //   898424b0000000       | dec                 eax
            //   413b8594000000       | lea                 eax, [0x8e760f]
            //   0f8d34060000         | nop                 
            //   48638424b0000000     | dec                 eax
            //   8d5001               | add                 esp, 0x50
            //   488d0c40             | ret                 
            //   498b8588000000       | mov                 eax, 1

        $sequence_4 = { e8???????? 488b6d00 e9???????? 31c0 488bac2428020000 4881c430020000 c3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b6d00             | lea                 eax, [0x90e89b]
            //   e9????????           |                     
            //   31c0                 | dec                 eax
            //   488bac2428020000     | mov                 dword ptr [esp + 0x10], edx
            //   4881c430020000       | dec                 eax
            //   c3                   | mov                 eax, dword ptr [esp + 0x68]

        $sequence_5 = { ff05???????? 4889f8 4883f836 7d48 488d150f9c5c00 0fb63402 81fe80000000 }
            // n = 7, score = 100
            //   ff05????????         |                     
            //   4889f8               | jne                 0xd1d
            //   4883f836             | dec                 eax
            //   7d48                 | lea                 edx, [0x504cc5]
            //   488d150f9c5c00       | dec                 eax
            //   0fb63402             | mov                 dword ptr [esp + 0xb0], edi
            //   81fe80000000         | dec                 eax

        $sequence_6 = { e9???????? 8b8424a0010000 4189d9 ba35000000 4c89e9 448b842498010000 41bf06000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8424a0010000       | dec                 eax
            //   4189d9               | mov                 dword ptr [esp + 0x128], ecx
            //   ba35000000           | dec                 eax
            //   4c89e9               | lea                 eax, [0x208f2c]
            //   448b842498010000     | dec                 eax
            //   41bf06000000         | mov                 ebx, eax

        $sequence_7 = { eb09 488d7848 e8???????? 440f117c2478 488d35459d5000 4889742468 4889442470 }
            // n = 7, score = 100
            //   eb09                 | mov                 esp, ecx
            //   488d7848             | dec                 eax
            //   e8????????           |                     
            //   440f117c2478         | mov                 edi, edx
            //   488d35459d5000       | dec                 eax
            //   4889742468           | mov                 dword ptr [esp + 0xb0], ecx
            //   4889442470           | dec                 eax

        $sequence_8 = { eb0c 488dbbe0100000 e8???????? 833d????????00 7510 488d05f6c14100 488983c0100000 }
            // n = 7, score = 100
            //   eb0c                 | mov                 dword ptr [esp + 0x110], ecx
            //   488dbbe0100000       | dec                 eax
            //   e8????????           |                     
            //   833d????????00       |                     
            //   7510                 | lea                 eax, [0x45bf61]
            //   488d05f6c14100       | dec                 eax
            //   488983c0100000       | mov                 dword ptr [esp + 0xf8], ecx

        $sequence_9 = { e9???????? 81f9eb5dd1d7 7527 488d0d80875000 4839c8 754b 488b0b }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81f9eb5dd1d7         | mov                 dword ptr [esp + 0x110], ecx
            //   7527                 | dec                 eax
            //   488d0d80875000       | mov                 dword ptr [esp + 0x118], edx
            //   4839c8               | inc                 esp
            //   754b                 | mov                 dword ptr [esp + 0x120], eax
            //   488b0b               | dec                 esp

    // Match requires any 7 of the 10 sequences and a file size below
    // 19812352 bytes (~18.9 MiB). The size cap is presumably derived from the
    // analyzed sample set by the generator -- confirm before relaxing it, as
    // Go binaries are routinely several MiB.
    condition:
        7 of them and filesize < 19812352
}