win.kerrdown

KerrDown

Actor(s): APT32


There is no description at this point.

References
2020-11-10 | Recorded Future | Insikt Group®
@techreport{group:20201110:new:97e5657, author = {Insikt Group®}, title = {{New APT32 Malware Campaign Targets Cambodian Government}}, date = {2020-11-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf}, language = {English}, urldate = {2020-11-11} } New APT32 Malware Campaign Targets Cambodian Government
KerrDown METALJACK SOUNDBITE
2020-11-06 | Volexity | Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2019-05-31 | TradaHacking | m4n0w4r
@online{m4n0w4r:20190531:thng:c687d46, author = {m4n0w4r}, title = {{Thưởng tết….}}, date = {2019-05-31}, organization = {TradaHacking}, url = {https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7}, language = {Vietnamese}, urldate = {2020-01-10} } Thưởng tết….
KerrDown
2019-03-24 | One Night in Norfolk | Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown
2019-02-02 | CyStack | Bach Nguyen
@online{nguyen:20190202:wordbased:89a23db, author = {Bach Nguyen}, title = {{Word-based Malware Attack}}, date = {2019-02-02}, organization = {CyStack}, url = {https://blog.cystack.net/word-based-malware-attack/}, language = {English}, urldate = {2019-12-20} } Word-based Malware Attack
KerrDown
2019-02-01 | Palo Alto Networks Unit 42 | Vicky Ray, Kaoru Hayashi
@online{ray:20190201:tracking:479c2b7, author = {Vicky Ray and Kaoru Hayashi}, title = {{Tracking OceanLotus’ new Downloader, KerrDown}}, date = {2019-02-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/}, language = {English}, urldate = {2019-10-23} } Tracking OceanLotus’ new Downloader, KerrDown
KerrDown
Yara Rules
[TLP:WHITE] win_kerrdown_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_kerrdown_auto {

    /*
     * Auto-generated yara-signator rule for the KerrDown family
     * (Malpedia: win.kerrdown).
     *
     * Each $sequence_N is one run of raw x86 opcode bytes lifted from the
     * disassembly of the reference sample. The "????????" wildcards replace
     * the 4-byte operands of call / jump / data-reference instructions
     * (tool_config = "callsandjumps;datarefs;binvalue"); these operands are
     * presumably build-specific addresses, so masking them keeps the pattern
     * from breaking on relocated or recompiled builds — confirm against the
     * yara-signator documentation. In the per-sequence comments, "n" is the
     * number of instructions in the sequence; "score" is yara-signator's own
     * selection statistic and is not interpreted here.
     *
     * The rule fires only when at least 7 of the 10 sequences are present in
     * a file smaller than 272 KiB (278528 bytes).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 7, score = 100
        //   6bc618          imul  eax, esi, 0x18
        //   57              push  edi
        //   8db870ca3300    lea   edi, [eax + 0x33ca70]
        //   57              push  edi
        //   ff15????????    (call through masked pointer)
        //   ff0d????????    (dec of masked memory operand)
        //   83ef18          sub   edi, 0x18
        $sequence_0 = { 6bc618 57 8db870ca3300 57 ff15???????? ff0d???????? 83ef18 }

        // n = 5, score = 100
        //   8b1c8538083300  mov   ebx, dword ptr [eax*4 + 0x330838]
        //   56              push  esi
        //   6800080000      push  0x800
        //   6a00            push  0
        //   53              push  ebx
        $sequence_1 = { 8b1c8538083300 56 6800080000 6a00 53 }

        // n = 5, score = 100
        //   8bec            mov   ebp, esp
        //   8b4508          mov   eax, dword ptr [ebp + 8]
        //   57              push  edi
        //   8d3c85c8cb3300  lea   edi, [eax*4 + 0x33cbc8]
        //   8b0f            mov   ecx, dword ptr [edi]
        $sequence_2 = { 8bec 8b4508 57 8d3c85c8cb3300 8b0f }

        // n = 4, score = 100
        //   89882cc53300    mov   dword ptr [eax + 0x33c52c], ecx
        //   68????????      (push of masked immediate)
        //   e8????????      (call to masked target)
        //   8be5            mov   esp, ebp
        $sequence_3 = { 89882cc53300 68???????? e8???????? 8be5 }

        // n = 6, score = 100
        //   0f8580000000    jne   0x86
        //   8b4508          mov   eax, dword ptr [ebp + 8]
        //   dd00            fld   qword ptr [eax]
        //   ebc6            jmp   0xffffffc8
        //   c745e078303300  mov   dword ptr [ebp - 0x20], 0x333078
        //   e9????????      (jmp to masked target)
        $sequence_4 = { 0f8580000000 8b4508 dd00 ebc6 c745e078303300 e9???????? }

        // n = 4, score = 100
        //   7cef            jl    0xfffffff1
        //   33db            xor   ebx, ebx
        //   0f1f4000        nop   dword ptr [eax]
        //   8a441de8        mov   al, byte ptr [ebp + ebx - 0x18]
        $sequence_5 = { 7cef 33db 0f1f4000 8a441de8 }

        // n = 5, score = 100
        //   8b45dc          mov   eax, dword ptr [ebp - 0x24]
        //   85c0            test  eax, eax
        //   0f8544ffffff    jne   0xffffff4a
        //   85f6            test  esi, esi
        //   0f848f000000    je    0x95
        $sequence_6 = { 8b45dc 85c0 0f8544ffffff 85f6 0f848f000000 }

        // n = 7, score = 100
        //   57              push  edi
        //   50              push  eax
        //   e8????????      (call to masked target)
        //   83c40c          add   esp, 0xc
        //   6b45e430        imul  eax, dword ptr [ebp - 0x1c], 0x30
        //   8945e0          mov   dword ptr [ebp - 0x20], eax
        //   8d8018513300    lea   eax, [eax + 0x335118]
        $sequence_7 = { 57 50 e8???????? 83c40c 6b45e430 8945e0 8d8018513300 }

        // n = 5, score = 100
        //   660fd60f        movq  qword ptr [edi], xmm1
        //   8d7f08          lea   edi, [edi + 8]
        //   8b048da42d3200  mov   eax, dword ptr [ecx*4 + 0x322da4]
        //   ffe0            jmp   eax
        //   f7c703000000    test  edi, 3
        $sequence_8 = { 660fd60f 8d7f08 8b048da42d3200 ffe0 f7c703000000 }

        // n = 4, score = 100
        //   a4              movsb byte ptr es:[edi], byte ptr [esi]
        //   7d15            jge   0x17
        //   6bcdac          imul  ecx, ebp, -0x54
        //   73d0            jae   0xffffffd2
        $sequence_9 = { a4 7d15 6bcdac 73d0 }

    condition:
        // 272KB == 278528 bytes; any 7 of the 10 sequences must match.
        7 of ($sequence_*) and filesize < 272KB
}