SYMBOLCOMMON_NAMEaka. SYNONYMS
win.grimplant (Back to overview)

GrimPlant


This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two used backdoors written in Go and attributed to UAC-0056 (SaintBear, UNC2589, TA471).

References
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-07-20MandiantMandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-04IntezerJoakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02GovInfo SecurityPrajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-04-01MalwarebytesAnkur Saini, Roberto Santos, Hossein Jazi
@online{saini:20220401:new:273cbe0, author = {Ankur Saini and Roberto Santos and Hossein Jazi}, title = {{New UAC-0056 activity: There’s a Go Elephant in the room}}, date = {2022-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/}, language = {English}, urldate = {2022-04-05} } New UAC-0056 activity: There’s a Go Elephant in the room
GrimPlant SaintBear
2022-03-28Cert-UACert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_grimplant_auto (20230125 | Detects win.grimplant.)
rule win_grimplant_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 48c7400819000000 488d0dda7d3b00 488908 488b8c24f0000000 48894810 4889c3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48c7400819000000     | dec                 eax
            //   488d0dda7d3b00       | lea                 edi, [esp + 0x148]
            //   488908               | dec                 eax
            //   488b8c24f0000000     | lea                 edi, [edi - 0x20]
            //   48894810             | nop                 word ptr [eax + eax]
            //   4889c3               | dec                 eax

        $sequence_1 = { bb02000000 488d8c2490000000 e8???????? 84c0 0f841e040000 4883bc249800000000 6690 }
            // n = 7, score = 100
            //   bb02000000           | mov                 eax, dword ptr [esp + 0x60]
            //   488d8c2490000000     | test                cl, cl
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   0f841e040000         | lea                 ebx, [0x45ec4c]
            //   4883bc249800000000     | nop    dword ptr [eax]
            //   6690                 | dec                 eax

        $sequence_2 = { e9???????? 488d059a373800 488b5c2460 488b4c2478 e8???????? 4885c0 0f8417030000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d059a373800       | mov                 edi, ecx
            //   488b5c2460           | mov                 esi, 0xa
            //   488b4c2478           | dec                 eax
            //   e8????????           |                     
            //   4885c0               | mov                 dword ptr [esp + 0x218], 8
            //   0f8417030000         | dec                 eax

        $sequence_3 = { e9???????? 448d24d2 83fada 0f84f8040000 4189c5 4489d8 4189d3 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   448d24d2             | dec                 eax
            //   83fada               | mov                 eax, dword ptr [esp + 0x118]
            //   0f84f8040000         | dec                 eax
            //   4189c5               | mov                 dword ptr [esp + 0x38], 4
            //   4489d8               | dec                 eax
            //   4189d3               | mov                 dword ptr [esp + 0x40], 0x10

        $sequence_4 = { e8???????? e9???????? 48899c2460020000 4889842488000000 488d0557aa1f00 e8???????? 488b8c2488000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   48899c2460020000     | dec                 eax
            //   4889842488000000     | mov                 dword ptr [esp + 0xf8], eax
            //   488d0557aa1f00       | dec                 eax
            //   e8????????           |                     
            //   488b8c2488000000     | mov                 dword ptr [eax + 0x18], 0

        $sequence_5 = { e8???????? 8400 833d????????00 750c 488d1559641d00 488910 eb0f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8400                 | mov                 dword ptr [eax], ecx
            //   833d????????00       |                     
            //   750c                 | jne                 0xb87
            //   488d1559641d00       | jmp                 0xb8c
            //   488910               | dec                 eax
            //   eb0f                 | mov                 dword ptr [eax + 8], 0x10

        $sequence_6 = { b802000080 488d1d4f254900 b937000000 bf09000000 e8???????? 4885db 0f85aa000000 }
            // n = 7, score = 100
            //   b802000080           | dec                 eax
            //   488d1d4f254900       | lea                 ebx, [0x242870]
            //   b937000000           | dec                 eax
            //   bf09000000           | lea                 ecx, [0x1c9aea]
            //   e8????????           |                     
            //   4885db               | dec                 eax
            //   0f85aa000000         | mov                 dword ptr [eax + 8], ecx

        $sequence_7 = { eb0d 488bbc24d0000000 e8???????? 488b4a38 48898c24a8000000 90 488d05a6231d00 }
            // n = 7, score = 100
            //   eb0d                 | mov                 dword ptr [esp + 0x80], ebx
            //   488bbc24d0000000     | dec                 eax
            //   e8????????           |                     
            //   488b4a38             | mov                 dword ptr [esp + 0x78], eax
            //   48898c24a8000000     | dec                 ecx
            //   90                   | cmp                 esp, dword ptr [esi + 0x10]
            //   488d05a6231d00       | jbe                 0x60f

        $sequence_8 = { eb1e 4889442420 4889c3 488d0505d30f00 0f1f440000 e8???????? 488b442420 }
            // n = 7, score = 100
            //   eb1e                 | mov                 dword ptr [esp + 0x20], ebp
            //   4889442420           | dec                 eax
            //   4889c3               | lea                 ebp, [esp + 0x20]
            //   488d0505d30f00       | dec                 eax
            //   0f1f440000           | mov                 dword ptr [esp + 0x38], ebx
            //   e8????????           |                     
            //   488b442420           | dec                 eax

        $sequence_9 = { eb10 488d7808 488d3590db1700 e8???????? 488d0524900d00 488b5c2478 488d0d4c3c1500 }
            // n = 7, score = 100
            //   eb10                 | sub                 esp, 0x68
            //   488d7808             | dec                 eax
            //   488d3590db1700       | mov                 dword ptr [esp + 0x60], ebp
            //   e8????????           |                     
            //   488d0524900d00       | dec                 eax
            //   488b5c2478           | lea                 ebp, [esp + 0x60]
            //   488d0d4c3c1500       | dec                 esp

    condition:
        7 of them and filesize < 19940352
}
Download all Yara Rules