win.grimplant

GrimPlant


This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two backdoors written in Go that are used by, and attributed to, UAC-0056 (SaintBear, UNC2589, TA471).

References
2022-04-07 | InQuest | Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-04 | Intezer | Joakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02 | GovInfo Security | Prajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-04-01 | Malwarebytes | Ankur Saini, Roberto Santos, Hossein Jazi
@online{saini:20220401:new:273cbe0, author = {Ankur Saini and Roberto Santos and Hossein Jazi}, title = {{New UAC-0056 activity: There’s a Go Elephant in the room}}, date = {2022-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/}, language = {English}, urldate = {2022-04-05} } New UAC-0056 activity: There’s a Go Elephant in the room
GrimPlant SaintBear
2022-03-28 | Cert-UA | Cert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-03-28} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora
2022-03-15 | SentinelOne | Amitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_grimplant_auto (20220516 | Detects win.grimplant.)
// Autogenerated code-sequence signature for win.grimplant (Malpedia).
// Each $sequence_N below is a run of instruction bytes lifted from the
// disassembly of one unpacked sample. "??" wildcards mask position-dependent
// operands (e.g. the rel32 displacement of e8 call / e9 jmp, RIP-relative
// addresses) so a match does not depend on the sample's load address or
// exact build layout.
// NOTE(review): the mnemonic text to the right of each byte row does not
// appear to be a correct decoding of that row (REX-prefixed 64-bit
// instructions show up as 32-bit "dec eax"-style fragments and the rows look
// shifted relative to the bytes); treat the hex bytes as authoritative and
// the mnemonics as informational only.
rule win_grimplant_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten hex byte patterns; n = 7 is the number of instructions in each
        // sequence and score is the generator's ranking, both informational.
        $sequence_0 = { 4d3b6610 0f86e7010000 4881ec88000000 4889ac2480000000 488dac2480000000 48899c2498000000 4889b424b0000000 }
            // n = 7, score = 100
            //   4d3b6610             | mov                 dword ptr [esp + 0x4a8], esi
            //   0f86e7010000         | dec                 esp
            //   4881ec88000000       | mov                 dword ptr [esp + 0x4b0], eax
            //   4889ac2480000000     | dec                 esp
            //   488dac2480000000     | mov                 dword ptr [esp + 0x4b8], ecx
            //   48899c2498000000     | dec                 esp
            //   4889b424b0000000     | mov                 dword ptr [esp + 0x4c0], edx

        $sequence_1 = { e9???????? 488d0583489300 31db 488b6c2458 4883c460 c3 48895c2470 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d0583489300       | dec                 eax
            //   31db                 | sub                 esi, eax
            //   488b6c2458           | dec                 eax
            //   4883c460             | sub                 ecx, eax
            //   c3                   | dec                 eax
            //   48895c2470           | mov                 edx, esi

        $sequence_2 = { ffd1 4885c0 0f9fc0 488bac2488000000 4881c490000000 c3 488d442428 }
            // n = 7, score = 100
            //   ffd1                 | mov                 dword ptr [esp + 0x1a0], ecx
            //   4885c0               | dec                 ebp
            //   0f9fc0               | mov                 ecx, dword ptr [edx]
            //   488bac2488000000     | dec                 eax
            //   4881c490000000       | mov                 eax, dword ptr [esp + 0x1c8]
            //   c3                   | mov                 ebx, edx
            //   488d442428           | mov                 ecx, 1

        $sequence_3 = { eb11 488b4c2470 488db9d8000000 e8???????? 488b8424b8000000 488b08 488b4948 }
            // n = 7, score = 100
            //   eb11                 | je                  0x13c5
            //   488b4c2470           | dec                 eax
            //   488db9d8000000       | mov                 edx, dword ptr [esp + 0x168]
            //   e8????????           |                     
            //   488b8424b8000000     | dec                 eax
            //   488b08               | mov                 ebx, dword ptr [edx + 0x30]
            //   488b4948             | dec                 eax

        $sequence_4 = { 833d????????00 750d 48c782c001000000000000 eb0e 488dbac0010000 31d2 e8???????? }
            // n = 7, score = 100
            //   833d????????00       |                     
            //   750d                 | mov                 ecx, dword ptr [esp + 0x2b0]
            //   48c782c001000000000000     | dec    eax
            //   eb0e                 | mov                 edi, ecx
            //   488dbac0010000       | dec                 eax
            //   31d2                 | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_5 = { eb22 488d7808 488b8c2448010000 e8???????? 488d7810 488b542468 0f1f00 }
            // n = 7, score = 100
            //   eb22                 | mov                 ecx, ebx
            //   488d7808             | mov                 edi, 0x20
            //   488b8c2448010000     | dec                 eax
            //   e8????????           |                     
            //   488d7810             | mov                 ebx, eax
            //   488b542468           | dec                 eax
            //   0f1f00               | mov                 eax, dword ptr [esp + 0x118]

        $sequence_6 = { e9???????? 488b4a58 48c784248001000000000000 488db42488010000 440f113e 488db42498010000 440f113e }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b4a58             | dec                 eax
            //   48c784248001000000000000     | cmp    edx, 0x10
            //   488db42488010000     | ja                  0x1a68
            //   440f113e             | dec                 eax
            //   488db42498010000     | mov                 ebp, dword ptr [esp + 0x30]
            //   440f113e             | dec                 eax

        $sequence_7 = { 833d????????00 7509 48899af0000000 eb11 488dbaf0000000 0f1f440000 e8???????? }
            // n = 7, score = 100
            //   833d????????00       |                     
            //   7509                 | dec                 eax
            //   48899af0000000       | sar                 ecx, 0x3f
            //   eb11                 | dec                 eax
            //   488dbaf0000000       | and                 edx, ecx
            //   0f1f440000           | dec                 esp
            //   e8????????           |                     

        $sequence_8 = { c3 31c0 e8???????? 488d0537704d00 bb19000000 e8???????? 90 }
            // n = 7, score = 100
            //   c3                   | xor                 eax, eax
            //   31c0                 | xor                 ebx, ebx
            //   e8????????           |                     
            //   488d0537704d00       | dec                 eax
            //   bb19000000           | mov                 ebp, dword ptr [esp + 0x190]
            //   e8????????           |                     
            //   90                   | dec                 eax

        $sequence_9 = { e8???????? 488b8c2468010000 488b09 488908 4889842438010000 48b9ffffffffffffff7f 488b942470010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b8c2468010000     | dec                 eax
            //   488b09               | lea                 ecx, [esp + 0x38]
            //   488908               | dec                 eax
            //   4889842438010000     | mov                 edx, dword ptr [esp + 0x30]
            //   48b9ffffffffffffff7f     | dec    eax
            //   488b942470010000     | mov                 dword ptr [esp + 0x58], edx

    condition:
        // Fire when at least 7 of the 10 $sequence_* strings are present and
        // the scanned file is smaller than 19940352 bytes (just over 19 MiB).
        // Per the disclaimer above, the sequences come from a single sample,
        // so other builds may fall below the 7-of-10 threshold; corroborate
        // hits with additional context before assigning high confidence.
        7 of them and filesize < 19940352
}