win.grimplant (Back to overview)

GrimPlant


This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of the two Go-written backdoors used in those attacks and is attributed to UAC-0056 (also tracked as SaintBear, UNC2589 and TA471).

References
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-07-20MandiantMandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-04IntezerJoakim Kennedy, Nicole Fishbein
@online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel GrimPlant SaintBear
2022-04-02GovInfo SecurityPrajeet Nair
@online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel GrimPlant
2022-04-01MalwarebytesAnkur Saini, Roberto Santos, Hossein Jazi
@online{saini:20220401:new:273cbe0, author = {Ankur Saini and Roberto Santos and Hossein Jazi}, title = {{New UAC-0056 activity: There’s a Go Elephant in the room}}, date = {2022-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/}, language = {English}, urldate = {2022-04-05} } New UAC-0056 activity: There’s a Go Elephant in the room
GrimPlant SaintBear
2022-03-28Cert-UACert-UA
@online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel GrimPlant SaintBear
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
Yara Rules
[TLP:WHITE] win_grimplant_auto (20220808 | Detects win.grimplant.)
rule win_grimplant_auto {

    /* Autogenerated code-sequence rule for the GrimPlant backdoor (see the
     * malpedia_reference in meta). Each $sequence_N is a run of raw x86-64
     * instruction bytes taken from a disassembled sample; the "??" wildcards
     * mask the 4-byte operands of calls (e8 ...) and RIP-relative memory
     * references (e.g. 488b1d ..., 833d ...) so the pattern is independent of
     * the sample's load address and link layout. The condition needs only 7 of
     * the 10 sequences, which gives some tolerance for minor rebuilds.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the mnemonic column in the comments below was emitted by
        // the generator and does not line up with the bytes on the same row
        // (e.g. f30f7f5d10 encodes a movdqu store, not "dec eax"); the REX
        // prefixes 0x48/0x49/0x4c of this 64-bit code also appear as 32-bit
        // dec/inc. Treat the hex bytes as the authoritative pattern and the
        // mnemonics as informational only. "n = 7" is the number of
        // instructions per sequence, "score" the generator's ranking.

        $sequence_0 = { f30f7f5d10 4c8b8c2480010000 e8???????? 4831c9 4883f910 0f8299000000 4c0317 }
            // n = 7, score = 100
            //   f30f7f5d10           | dec                 eax
            //   4c8b8c2480010000     | mov                 edx, dword ptr [esp + 0x98]
            //   e8????????           |                     
            //   4831c9               | dec                 eax
            //   4883f910             | mov                 dword ptr [edx + 0x218], 0
            //   0f8299000000         | dec                 eax
            //   4c0317               | lea                 esi, [edx + 0x220]

        $sequence_1 = { 8b1481 488b1d???????? 488b35???????? 4839d8 72d4 6690 e9???????? }
            // n = 7, score = 100
            //   8b1481               | mov                 edi, dword ptr [edi + 8]
            //   488b1d????????       |                     
            //   488b35????????       |                     
            //   4839d8               | dec                 eax
            //   72d4                 | lea                 eax, [esp + 0x68]
            //   6690                 | dec                 eax
            //   e9????????           |                     

        $sequence_2 = { f00fb111 0f94c2 84d2 7512 48894c2420 4889c8 e8???????? }
            // n = 7, score = 100
            //   f00fb111             | mov                 dword ptr [eax + 0x38], esi
            //   0f94c2               | jmp                 0x6dd
            //   84d2                 | dec                 eax
            //   7512                 | lea                 edi, [eax + 0x38]
            //   48894c2420           | dec                 eax
            //   4889c8               | mov                 esi, dword ptr [esp + 0x80]
            //   e8????????           |                     

        $sequence_3 = { e8???????? 31c9 4889c7 4889de 31c0 31db 488b6c2440 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   31c9                 | palignr             mm5, mm5, 0xc
            //   4889c7               | palignr             xmm6, xmm6, 8
            //   4889de               | palignr             xmm7, xmm7, 8
            //   31c0                 | inc                 bp
            //   31db                 | palignr             mm0, mm0, 8
            //   488b6c2440           | palignr             xmm3, xmm3, 0xc

        $sequence_4 = { f20f1002 4839cb 0f8372010000 488d0c5b 498b54c808 498b4cc810 90 }
            // n = 7, score = 100
            //   f20f1002             | jne                 0x126f
            //   4839cb               | dec                 eax
            //   0f8372010000         | mov                 edx, dword ptr [esp + 0x418]
            //   488d0c5b             | dec                 eax
            //   498b54c808           | mov                 dword ptr [eax], edx
            //   498b4cc810           | jmp                 0x1287
            //   90                   | dec                 eax

        $sequence_5 = { c680b010000001 488988f0100000 4889b0f8100000 833d????????00 7509 488990e8100000 eb0c }
            // n = 7, score = 100
            //   c680b010000001       | mov                 ecx, dword ptr [esp + 0xc8]
            //   488988f0100000       | dec                 eax
            //   4889b0f8100000       | mov                 dword ptr [esp], ecx
            //   833d????????00       |                     
            //   7509                 | dec                 eax
            //   488990e8100000       | lea                 ecx, [esp + 0x80]
            //   eb0c                 | dec                 eax

        $sequence_6 = { eb67 488b0d???????? 488b3d???????? 31c0 31db 488bac24b0000000 4881c4b8000000 }
            // n = 7, score = 100
            //   eb67                 | jmp                 0x15cf
            //   488b0d????????       |                     
            //   488b3d????????       |                     
            //   31c0                 | dec                 eax
            //   31db                 | lea                 ecx, [0x1f8a9a]
            //   488bac24b0000000     | jne                 0x15d9
            //   4881c4b8000000       | dec                 eax

        $sequence_7 = { ffd6 488b442438 90 e8???????? 488b6c2428 4883c430 c3 }
            // n = 7, score = 100
            //   ffd6                 | add                 esp, 0x68
            //   488b442438           | test                al, al
            //   90                   | je                  0x59f
            //   e8????????           |                     
            //   488b6c2428           | nop                 
            //   4883c430             | inc                 ecx
            //   c3                   | mov                 eax, 1

        $sequence_8 = { eb0d 4889c7 488b542440 e8???????? 488b542438 488b1a 8403 }
            // n = 7, score = 100
            //   eb0d                 | cmp                 al, 0x20
            //   4889c7               | jb                  0x10bb
            //   488b542440           | inc                 ecx
            //   e8????????           |                     
            //   488b542438           | cmp                 al, 0x7f
            //   488b1a               | jne                 0x109e
            //   8403                 | inc                 ecx

        $sequence_9 = { e8???????? 4c89df 48898424d0000000 48898c24e0000000 48899c24d8000000 4c8b5828 4983e301 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c89df               | dec                 eax
            //   48898424d0000000     | mov                 edi, dword ptr [esp + 0x58]
            //   48898c24e0000000     | mov                 ecx, dword ptr [esp + 0x7c]
            //   48899c24d8000000     | jne                 0x169
            //   4c8b5828             | dec                 eax
            //   4983e301             | mov                 dword ptr [edx + 0x80], eax

    condition:
        // 7 of the 10 sequences must match; the filesize bound is in bytes
        // (just over 19 MiB) and was chosen by the generator from the
        // documented sample, so re-check it against new samples before
        // tightening.
        7 of them and filesize < 19940352
}