win.lambert

Lambert

aka: Plexor

Actor(s): Longhorn


No description has been written for this family yet. For background, see the references below: Symantec's 2017 Longhorn write-up (which ties the actor's tooling to Vault 7), Qi Anxin's 2019 and 2020 reporting, and Check Point Research's 2022 note on WhiteLambert malware.

References
2022-01-21Twitter (@_CPResearch_)Check Point Research
@online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } Tweet on WhiteLambert malware
Lambert
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-30QianxinRed Raindrop Team
@online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2018-06-15Youtube (defconswitzerland)Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10SymantecSymantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10SymantecA L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
Yara Rules
[TLP:WHITE] win_lambert_auto (20220516 | Detects win.lambert.)
/*
 * Auto-generated (yara-signator) code-sequence signature for the Lambert
 * family tracked on Malpedia as win.lambert.
 *
 * Every $sequence_N string is a run of raw 32-bit x86 opcode bytes lifted
 * from disassembly, so the rule only fires where that code is present in
 * cleartext: unpacked images, memory dumps, or on-disk samples that are not
 * packed/encrypted. In the per-string comments, "n" is the number of
 * instructions in the sequence; "score" is a generator-internal weight that
 * here falls into two groups (400 for $sequence_0..7, 300 for
 * $sequence_8..15) -- presumably reflecting how many reference samples
 * contained each sequence, but confirm against the yara-signator docs before
 * using the scores for triage.
 */
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.lambert."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0..7 (score 400): byte-copy / bounds-checked loop
        // fragments. They carry no distinctive constants or API references,
        // so individually they are generic; the 7-of-16 threshold below is
        // what gives the rule its specificity.
        $sequence_0 = { 0f8208010000 803a00 74e6 0fb602 }
            // n = 4, score = 400
            //   0f8208010000         | jb                  0x10e
            //   803a00               | cmp                 byte ptr [edx], 0
            //   74e6                 | je                  0xffffffe8
            //   0fb602               | movzx               eax, byte ptr [edx]

        $sequence_1 = { 0fb632 42 3b5508 0f83b4010000 }
            // n = 4, score = 400
            //   0fb632               | movzx               esi, byte ptr [edx]
            //   42                   | inc                 edx
            //   3b5508               | cmp                 edx, dword ptr [ebp + 8]
            //   0f83b4010000         | jae                 0x1ba

        $sequence_2 = { 4e 4e 8b1f 8919 }
            // n = 4, score = 400
            //   4e                   | dec                 esi
            //   4e                   | dec                 esi
            //   8b1f                 | mov                 ebx, dword ptr [edi]
            //   8919                 | mov                 dword ptr [ecx], ebx

        $sequence_3 = { 33c0 83c104 83f928 72da 84db 7418 0fb6c3 }
            // n = 7, score = 400
            //   33c0                 | xor                 eax, eax
            //   83c104               | add                 ecx, 4
            //   83f928               | cmp                 ecx, 0x28
            //   72da                 | jb                  0xffffffdc
            //   84db                 | test                bl, bl
            //   7418                 | je                  0x1a
            //   0fb6c3               | movzx               eax, bl

        $sequence_4 = { 0f826f010000 8a07 8801 41 }
            // n = 4, score = 400
            //   0f826f010000         | jb                  0x175
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx

        $sequence_5 = { 3bc7 0f82e5010000 8b4508 2bc2 8d7701 3bc6 0f82a9010000 }
            // n = 7, score = 400
            //   3bc7                 | cmp                 eax, edi
            //   0f82e5010000         | jb                  0x1eb
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2bc2                 | sub                 eax, edx
            //   8d7701               | lea                 esi, [edi + 1]
            //   3bc6                 | cmp                 eax, esi
            //   0f82a9010000         | jb                  0x1af

        $sequence_6 = { 2bfe 4f 42 3b7d10 724d }
            // n = 5, score = 400
            //   2bfe                 | sub                 edi, esi
            //   4f                   | dec                 edi
            //   42                   | inc                 edx
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   724d                 | jb                  0x4f

        $sequence_7 = { 42 8b4508 2bc2 83f801 0f82bb000000 }
            // n = 5, score = 400
            //   42                   | inc                 edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2bc2                 | sub                 eax, edx
            //   83f801               | cmp                 eax, 1
            //   0f82bb000000         | jb                  0xc1

        // $sequence_8..15 (score 300) share the same [ebp-x] frame slots and
        // look like they come from one small function (unoptimised,
        // load/store-through-stack style). Purpose notes below are inferred
        // from the instruction patterns, not confirmed against the sample.

        // fs:[0x30] is the 32-bit PEB. The +0xc then +0x1c dereference chain
        // is consistent with PEB->Ldr->InInitializationOrderModuleList, i.e.
        // a loaded-module walk for manual API resolution -- TODO confirm.
        // This idiom is common to many loaders/shellcode, so on its own it is
        // a weak discriminator; it only carries weight with the other strings.
        $sequence_8 = { 64a130000000 8945fc 8b4dfc 8b510c 8b421c 8945f4 8b4df4 }
            // n = 7, score = 300
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        // `shr ecx, 13` here, paired with `shl edx, 19` / `or ecx, edx` in
        // $sequence_14 (13 + 19 = 32), is a 32-bit rotate-right-by-13 of the
        // accumulator in [ebp-8]; $sequence_13 then adds the next byte of a
        // NUL-terminated string into it. That is the ROR13 string-hash shape
        // commonly used to resolve APIs by hash -- presumably what this
        // function does, but verify in the sample.
        $sequence_9 = { 0fbe02 85c0 741f 8b4df8 c1e90d }
            // n = 5, score = 300
            //   0fbe02               | movsx               eax, byte ptr [edx]
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c1e90d               | shr                 ecx, 0xd

        // Compares a 16-bit argument against 0x41 ('A') and 0x5a ('Z'): an
        // uppercase-ASCII range check on a wide character, presumably a
        // case-normalisation helper; unconfirmed.
        $sequence_10 = { 55 8bec 0fb74508 83f841 7c12 0fb74d08 83f95a }
            // n = 7, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83f841               | cmp                 eax, 0x41
            //   7c12                 | jl                  0x14
            //   0fb74d08             | movzx               ecx, word ptr [ebp + 8]
            //   83f95a               | cmp                 ecx, 0x5a

        // The `e8????????` wildcard masks the rel32 call target, so this (and
        // $sequence_15) stays valid across relocations/rebuilds of the callee.
        $sequence_11 = { 8b55e8 52 8b4508 50 e8???????? 8945f4 }
            // n = 6, score = 300
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_12 = { eb0b 8b55fc 83c201 8955fc ebb9 8b45fc }
            // n = 6, score = 300
            //   eb0b                 | jmp                 0xd
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   ebb9                 | jmp                 0xffffffbb
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // Hash-loop tail: add the current byte into [ebp-8], loop back, then
        // return the accumulator in eax (see note on $sequence_9).
        $sequence_13 = { 0fbe08 034df8 894df8 ebce 8b45f8 8be5 }
            // n = 6, score = 300
            //   0fbe08               | movsx               ecx, byte ptr [eax]
            //   034df8               | add                 ecx, dword ptr [ebp - 8]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   ebce                 | jmp                 0xffffffd0
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8be5                 | mov                 esp, ebp

        // Second half of the rotate described at $sequence_9.
        $sequence_14 = { 8b55f8 c1e213 0bca 894df8 8b45fc 0fbe08 }
            // n = 6, score = 300
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   c1e213               | shl                 edx, 0x13
            //   0bca                 | or                  ecx, edx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fbe08               | movsx               ecx, byte ptr [eax]

        // Indexes a dword table ([ecx + eax*4]) and adds the entry to a base
        // pointer from the first argument -- looks like RVA-to-VA resolution
        // over an export/address table; unconfirmed.
        $sequence_15 = { 8b4dec 8b5508 031481 8955f4 8b45f4 50 e8???????? }
            // n = 7, score = 300
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   031481               | add                 edx, dword ptr [ecx + eax*4]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        // Any 7 of the 16 sequences, bounded by file size. Operator caveats:
        //  * `filesize` is only defined when YARA scans a file; when scanning
        //    a running process it is undefined, so as written this rule
        //    cannot match in process-memory scans even though its sequences
        //    were derived from memory dumps. Scan dumped images as files, or
        //    (YARA >= 4.1) extend the condition with `not defined filesize`.
        //  * The bound (1212416 = 0x128000 bytes) is presumably derived from
        //    the reference samples' sizes; a larger build, or a sample with a
        //    padded overlay, would be missed.
        //  * The encodings are 32-bit x86 (fs:[0x30], 32-bit registers), so
        //    a 64-bit or recompiled variant will not match; treat a hit as
        //    high-confidence and a miss as uninformative.
        7 of them and filesize < 1212416
}