win.icefog

Icefog

aka: Fucobha

There is no description at this point.

References
2021-02-28 — Recorded Future — Insikt Group®
@techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2020-01-29 — nao_sec blog — nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-12-12 — FireEye — Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-06-03 — FireEye — Chi-en Shen
@online{shen:20190603:into:d40fee9, author = {Chi-en Shen}, title = {{Into the Fog - The Return of ICEFOG APT}}, date = {2019-06-03}, organization = {FireEye}, url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt}, language = {English}, urldate = {2020-06-30} } Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust
2016-09-06 — KZ CERT — KZ CERT
@online{cert:20160906:kzcert:3d8bb82, author = {KZ CERT}, title = {{KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))}}, date = {2016-09-06}, organization = {KZ CERT}, url = {http://www.kz-cert.kz/page/502}, language = {Kazakh}, urldate = {2019-10-16} } KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))
Icefog
Yara Rules
[TLP:WHITE] win_icefog_auto (20210616 | Detects win.icefog.)
rule win_icefog_auto {
    // Auto-generated code-sequence rule for the Icefog (aka Fucobha) family.
    // Each $sequence_N below is a short run of 32-bit x86 instruction bytes
    // lifted from unpacked / memory-dumped samples (see DISCLAIMER); the "??"
    // bytes are wildcards over address-dependent operands.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.icefog."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Wildcards ("????????") cover the 4-byte operands of call (e8),
        // jmp (e9) and push imm32 (68), which vary with build and load
        // address; the opcode bytes around them are matched exactly.
        // Because the sequences come from unpacked code, a packed or
        // encrypted on-disk sample is not expected to match until unpacked.
        $sequence_0 = { 8b850cffffff e8???????? 85c0 0f85c7020000 8b4644 50 e8???????? }
            // n = 7, score = 200
            //   8b850cffffff         | mov                 eax, dword ptr [ebp - 0xf4]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85c7020000         | jne                 0x2cd
            //   8b4644               | mov                 eax, dword ptr [esi + 0x44]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { 8bf8 83c408 85ff 744e 8b16 8d449f0c 33f6 }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   83c408               | add                 esp, 8
            //   85ff                 | test                edi, edi
            //   744e                 | je                  0x50
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8d449f0c             | lea                 eax, dword ptr [edi + ebx*4 + 0xc]
            //   33f6                 | xor                 esi, esi

        $sequence_2 = { 8a5508 885620 8b45f0 8b4804 51 e8???????? 8b5508 }
            // n = 7, score = 200
            //   8a5508               | mov                 dl, byte ptr [ebp + 8]
            //   885620               | mov                 byte ptr [esi + 0x20], dl
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_3 = { 894508 e8???????? 8945e8 8b4508 50 56 e8???????? }
            // n = 7, score = 200
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   e8????????           |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_4 = { 8d0c81 3b1c0f 752a 8b5a28 8b4e28 8a1c18 3a1c08 }
            // n = 7, score = 200
            //   8d0c81               | lea                 ecx, dword ptr [ecx + eax*4]
            //   3b1c0f               | cmp                 ebx, dword ptr [edi + ecx]
            //   752a                 | jne                 0x2c
            //   8b5a28               | mov                 ebx, dword ptr [edx + 0x28]
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]
            //   8a1c18               | mov                 bl, byte ptr [eax + ebx]
            //   3a1c08               | cmp                 bl, byte ptr [eax + ecx]

        $sequence_5 = { e9???????? 3c2c 750f 8955f4 c6868100000001 e9???????? 3c70 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   3c2c                 | cmp                 al, 0x2c
            //   750f                 | jne                 0x11
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   c6868100000001       | mov                 byte ptr [esi + 0x81], 1
            //   e9????????           |                     
            //   3c70                 | cmp                 al, 0x70

        $sequence_6 = { 8be5 5d c3 6a09 8d55dc 68???????? 52 }
            // n = 7, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a09                 | push                9
            //   8d55dc               | lea                 edx, dword ptr [ebp - 0x24]
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_7 = { 8bec 51 8b480c 53 56 8b7010 57 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7010               | mov                 esi, dword ptr [eax + 0x10]
            //   57                   | push                edi

        $sequence_8 = { ba40000000 66895010 8b5f14 035dec 83c41c 8b5320 804b1208 }
            // n = 7, score = 200
            //   ba40000000           | mov                 edx, 0x40
            //   66895010             | mov                 word ptr [eax + 0x10], dx
            //   8b5f14               | mov                 ebx, dword ptr [edi + 0x14]
            //   035dec               | add                 ebx, dword ptr [ebp - 0x14]
            //   83c41c               | add                 esp, 0x1c
            //   8b5320               | mov                 edx, dword ptr [ebx + 0x20]
            //   804b1208             | or                  byte ptr [ebx + 0x12], 8

        $sequence_9 = { c6460a00 8b7614 85f6 75e0 8b4f04 8b5130 52 }
            // n = 7, score = 200
            //   c6460a00             | mov                 byte ptr [esi + 0xa], 0
            //   8b7614               | mov                 esi, dword ptr [esi + 0x14]
            //   85f6                 | test                esi, esi
            //   75e0                 | jne                 0xffffffe2
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   8b5130               | mov                 edx, dword ptr [ecx + 0x30]
            //   52                   | push                edx

    condition:
        // Any 7 of the 10 sequences must be present, so up to three may be
        // absent or altered in a given sample and the rule still fires.
        // NOTE(review): filesize is only meaningful for file scans; when YARA
        // scans a live process it is undefined and the comparison does not
        // hold, so the rule will not match process memory even though the
        // sequences were taken from memory dumps. For memory scanning, drop
        // the filesize clause (or guard it, e.g. "not defined filesize or
        // filesize < 1187840") — confirm against your YARA version.
        7 of them and filesize < 1187840
}