SYMBOLCOMMON_NAMEaka. SYNONYMS
win.grimplant (Back to overview)

GrimPlant

This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two used backdoors written in Go and attributed to UAC-0056 (SaintBear, UNC2589, TA471).

References
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-07-20MandiantMandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-25BitdefenderMartin Zugec
@online{zugec:20220425:deep:9d3f4ba, author = {Martin Zugec}, title = {{Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine}}, date = {2022-04-25}, organization = {Bitdefender}, url = {https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine}, language = {English}, urldate = {2023-02-27} } Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
GraphSteel GrimPlant
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-04IntezerJoakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02GovInfo SecurityPrajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-04-01MalwarebytesAnkur Saini, Roberto Santos, Hossein Jazi
@online{saini:20220401:new:273cbe0, author = {Ankur Saini and Roberto Santos and Hossein Jazi}, title = {{New UAC-0056 activity: There’s a Go Elephant in the room}}, date = {2022-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/}, language = {English}, urldate = {2022-04-05} } New UAC-0056 activity: There’s a Go Elephant in the room
GrimPlant SaintBear
2022-03-28Cert-UACert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_grimplant_auto (20230808 | Detects win.grimplant.)
rule win_grimplant_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 3c08 7465 eb15 3c0e 0f8ff5000000 90 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   3c08                 | test                byte ptr [eax], al
            //   7465                 | jne                 0x1c6b
            //   eb15                 | dec                 eax
            //   3c0e                 | mov                 ebx, dword ptr [edx + 0x68]
            //   0f8ff5000000         | dec                 eax
            //   90                   | lea                 eax, [0x147a64]

        $sequence_1 = { ffd2 eb3d 488b4c2428 488b91d0000000 488b442438 ffd2 4885c0 }
            // n = 7, score = 100
            //   ffd2                 | mov                 dword ptr [esp + 0x98], eax
            //   eb3d                 | dec                 eax
            //   488b4c2428           | mov                 eax, dword ptr [esp + 0x80]
            //   488b91d0000000       | dec                 eax
            //   488b442438           | mov                 ebx, dword ptr [esp + 0x60]
            //   ffd2                 | dec                 eax
            //   4885c0               | lea                 esi, [ebx + 1]

        $sequence_2 = { eb1f 488db8486a0100 488d15ac5c5000 e8???????? 488db8506a0100 e8???????? 440f11b8586a0100 }
            // n = 7, score = 100
            //   eb1f                 | dec                 eax
            //   488db8486a0100       | lea                 ecx, [esp + 0xd0]
            //   488d15ac5c5000       | dec                 eax
            //   e8????????           |                     
            //   488db8506a0100       | mov                 ebp, dword ptr [ebp]
            //   e8????????           |                     
            //   440f11b8586a0100     | jmp                 0xdc8

        $sequence_3 = { ffd2 b914000000 4889c7 4889de 31c0 488d1da6514200 e8???????? }
            // n = 7, score = 100
            //   ffd2                 | mov                 eax, dword ptr [esp + 0x80]
            //   b914000000           | dec                 eax
            //   4889c7               | mov                 ebx, ecx
            //   4889de               | call                esi
            //   31c0                 | dec                 eax
            //   488d1da6514200       | mov                 dword ptr [esp + 0x90], eax
            //   e8????????           |                     

        $sequence_4 = { ffd1 4883f805 0f85f2100000 0f1005???????? 0f11442478 0f1005???????? 0f11842488000000 }
            // n = 7, score = 100
            //   ffd1                 | dec                 ecx
            //   4883f805             | mov                 eax, eax
            //   0f85f2100000         | dec                 eax
            //   0f1005????????       |                     
            //   0f11442478           | mov                 eax, dword ptr [esp + 0x50]
            //   0f1005????????       |                     
            //   0f11842488000000     | dec                 eax

        $sequence_5 = { 746c 4c8b4018 49ffc0 4c394020 7d5f 488d05a3ab1d00 0f1f00 }
            // n = 7, score = 100
            //   746c                 | dec                 eax
            //   4c8b4018             | lea                 esi, [ebx + 1]
            //   49ffc0               | dec                 eax
            //   4c394020             | mov                 dword ptr [esp + 0x120], edx
            //   7d5f                 | dec                 eax
            //   488d05a3ab1d00       | mov                 dword ptr [esp + 0x128], ebx
            //   0f1f00               | dec                 eax

        $sequence_6 = { 90 488d05cbd28b00 e8???????? 488b442470 4c8b442440 4c8b4c2458 e9???????? }
            // n = 7, score = 100
            //   90                   | dec                 eax
            //   488d05cbd28b00       | cmp                 eax, ecx
            //   e8????????           |                     
            //   488b442470           | jg                  0x9b2
            //   4c8b442440           | dec                 eax
            //   4c8b4c2458           | mov                 eax, edx
            //   e9????????           |                     

        $sequence_7 = { c6401801 440f113c24 48c744241000000000 488b9c2480000000 4889c1 488bbc24a0000000 488bb424a8000000 }
            // n = 7, score = 100
            //   c6401801             | dec                 eax
            //   440f113c24           | mov                 ebp, dword ptr [esp + 0x10]
            //   48c744241000000000     | dec    eax
            //   488b9c2480000000     | mov                 eax, dword ptr [esp + 0x20]
            //   4889c1               | call                ecx
            //   488bbc24a0000000     | nop                 
            //   488bb424a8000000     | dec                 eax

        $sequence_8 = { 90 488d0567839000 e8???????? 8b542440 448b8424b0000000 448b4c2444 89d0 }
            // n = 7, score = 100
            //   90                   | mov                 ecx, dword ptr [esp + 0x48]
            //   488d0567839000       | dec                 eax
            //   e8????????           |                     
            //   8b542440             | mov                 eax, ebx
            //   448b8424b0000000     | call                edx
            //   448b4c2444           | jne                 0x1f44
            //   89d0                 | dec                 eax

        $sequence_9 = { eb0f 4889c7 488d159ceb1300 e8???????? 488d0588670a00 488b5c2448 b906000000 }
            // n = 7, score = 100
            //   eb0f                 | dec                 eax
            //   4889c7               | mov                 ebx, dword ptr [eax + 0x40]
            //   488d159ceb1300       | dec                 eax
            //   e8????????           |                     
            //   488d0588670a00       | mov                 ecx, dword ptr [eax + 0x48]
            //   488b5c2448           | dec                 eax
            //   b906000000           | lea                 eax, [0x6ddf4]

    condition:
        7 of them and filesize < 19940352
}
Download all Yara Rules