win.grimplant (Back to overview)

GrimPlant


This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two backdoors written in Go that are attributed to UAC-0056 (SaintBear, UNC2589, TA471).

References
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-07-20MandiantMandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-25BitdefenderMartin Zugec
@online{zugec:20220425:deep:9d3f4ba, author = {Martin Zugec}, title = {{Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine}}, date = {2022-04-25}, organization = {Bitdefender}, url = {https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine}, language = {English}, urldate = {2023-02-27} } Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
GraphSteel GrimPlant
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-04IntezerJoakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02GovInfo SecurityPrajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-04-01MalwarebytesAnkur Saini, Roberto Santos, Hossein Jazi
@online{saini:20220401:new:273cbe0, author = {Ankur Saini and Roberto Santos and Hossein Jazi}, title = {{New UAC-0056 activity: There’s a Go Elephant in the room}}, date = {2022-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/}, language = {English}, urldate = {2022-04-05} } New UAC-0056 activity: There’s a Go Elephant in the room
GrimPlant SaintBear
2022-03-28Cert-UACert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_grimplant_auto (20230407 | Detects win.grimplant.)
rule win_grimplant_auto {

    /* Purpose: auto-generated code-pattern signature for the win.grimplant
     * family (yara-signator, see the DISCLAIMER below). It fires when at
     * least 7 of the 10 byte sequences under `strings:` occur in a file
     * smaller than the `filesize` bound in `condition:`.
     * The `??` bytes in the sequences are YARA wildcards; they mask the
     * variable parts of instructions (e.g. the rel32 displacement after
     * an `e8` call opcode) so the patterns survive relinking/rebasing.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-opcode disassembly annotations below do not
        // line up with the hex bytes they sit next to (e.g. `c3` is x86 `ret`
        // but is annotated `dec eax`; `4883c4..` is `add rsp, imm8`). Treat
        // the hex sequences as authoritative and the annotations as
        // generator output of unverified alignment.
        $sequence_0 = { e8???????? 0fb6542469 4c8b542460 4a8d0412 488b4c2478 4839c1 7279 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb6542469           | mov                 ecx, eax
            //   4c8b542460           | dec                 eax
            //   4a8d0412             | mov                 eax, ebx
            //   488b4c2478           | dec                 eax
            //   4839c1               | mov                 ebx, edx
            //   7279                 | dec                 eax

        $sequence_1 = { eb03 4c89d6 4d85c9 0f868f010000 488b7c2468 4989fa 48c1ff08 }
            // n = 7, score = 100
            //   eb03                 | mov                 eax, dword ptr [esp + 0x58]
            //   4c89d6               | dec                 esp
            //   4d85c9               | mov                 esi, eax
            //   0f868f010000         | dec                 eax
            //   488b7c2468           | mov                 dword ptr [esp + 0x80], ecx
            //   4989fa               | dec                 eax
            //   48c1ff08             | mov                 dword ptr [esp + 0x88], esi

        $sequence_2 = { eb11 488d7818 488b8c24180d0000 e8???????? 48c740081a000000 488d0d99db0f00 488908 }
            // n = 7, score = 100
            //   eb11                 | mov                 dword ptr [esp + 0x38], eax
            //   488d7818             | dec                 eax
            //   488b8c24180d0000     | mov                 eax, dword ptr [edx + 0x90]
            //   e8????????           |                     
            //   48c740081a000000     | dec                 eax
            //   488d0d99db0f00       | mov                 edx, dword ptr [edx + 0x98]
            //   488908               | dec                 ecx

        $sequence_3 = { f7d8 31d2 418d1404 31c0 e9???????? 448d24d2 83fada }
            // n = 7, score = 100
            //   f7d8                 | lea                 eax, [0x1ac804]
            //   31d2                 | dec                 eax
            //   418d1404             | lea                 ebx, [0x2f9e2d]
            //   31c0                 | dec                 eax
            //   e9????????           |                     
            //   448d24d2             | mov                 eax, dword ptr [esp + 0x48]
            //   83fada               | dec                 eax

        $sequence_4 = { eb0c 488d3d6b237f00 e8???????? 488b6c2438 4883c440 c3 0f1f4000 }
            // n = 7, score = 100
            //   eb0c                 | dec                 eax
            //   488d3d6b237f00       | mov                 dword ptr [esp + 0x30], ecx
            //   e8????????           |                     
            //   488b6c2438           | dec                 eax
            //   4883c440             | lea                 eax, [0x449c16]
            //   c3                   | jne                 0x1ae6
            //   0f1f4000             | dec                 eax

        $sequence_5 = { e9???????? 488b942410010000 4885d2 488bb424b8000000 4889d7 4c8b842488000000 4c8b8c2480000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b942410010000     | mov                 edi, eax
            //   4885d2               | dec                 ecx
            //   488bb424b8000000     | mov                 ecx, edx
            //   4889d7               | dec                 eax
            //   4c8b842488000000     | mov                 eax, edi
            //   4c8b8c2480000000     | dec                 esp

        $sequence_6 = { e9???????? e8???????? 488b6c2458 4883c460 c3 4889442408 48895c2410 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   e8????????           |                     
            //   488b6c2458           | dec                 eax
            //   4883c460             | lea                 esi, [ecx + 1]
            //   c3                   | dec                 eax
            //   4889442408           | mov                 dword ptr [edx + 8], esi
            //   48895c2410           | dec                 eax

        $sequence_7 = { eb3c 4889c3 488d05744b4400 e8???????? 488b7c2420 488b442438 0f1f440000 }
            // n = 7, score = 100
            //   eb3c                 | mov                 ecx, ebx
            //   4889c3               | dec                 eax
            //   488d05744b4400       | lea                 ebx, [0x3ddb3a]
            //   e8????????           |                     
            //   488b7c2420           | dec                 eax
            //   488b442438           | mov                 eax, dword ptr [esp + 0x20]
            //   0f1f440000           | dec                 eax

        $sequence_8 = { e9???????? c78040010000ffffffff 833d????????00 7509 488905???????? eb0c 488d3d01ab7900 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   c78040010000ffffffff     | add    esp, 0x20
            //   833d????????00       |                     
            //   7509                 | ret                 
            //   488905????????       |                     
            //   eb0c                 | nop                 
            //   488d3d01ab7900       | dec                 eax

        $sequence_9 = { e9???????? 4885c9 7e72 488b942490000000 4c8b12 488bb424c8000000 8406 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4885c9               | mov                 edi, ecx
            //   7e72                 | nop                 
            //   488b942490000000     | dec                 eax
            //   4c8b12               | mov                 edx, dword ptr [esp + 0x198]
            //   488bb424c8000000     | dec                 eax
            //   8406                 | mov                 ebx, dword ptr [edx + 0x48]

    condition:
        // Match when any 7 of the 10 $sequence_* strings are present. The
        // filesize bound (19940352 bytes, just over 19 MiB) limits scanning
        // cost and is a generator-chosen cap derived from the sampled
        // binaries, not a property of the family; a larger-than-expected
        // build of the same code would not match, so tune with care.
        7 of them and filesize < 19940352
}