win.lambert

Lambert

aka: Plexor

Actor(s): Longhorn


There is no description at this point.

References
2022-01-21Twitter (@_CPResearch_)Check Point Research
@online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } Tweet on WhiteLambert malware
Lambert
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-30QianxinRed Raindrop Team
@online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2018-06-15Youtube (defconswitzerland)Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10SymantecSymantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10SymantecA L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
Yara Rules
[TLP:WHITE] win_lambert_auto (20230125 | Detects win.lambert.)
/*
 * Code-sequence signature for the Lambert family (aka Plexor; attributed on
 * this page to the Longhorn actor). Each $sequence_N string is a short run of
 * 32-bit x86 instruction bytes selected by YARA-Signator from Malpedia samples;
 * the disassembly listed under every string is documentation only and is not
 * part of the pattern. Bytes written as ?? are wildcards, here masking the
 * 4-byte relative displacement of call (e8) and jmp (e9) instructions so the
 * pattern still matches when the branch target differs between builds.
 */
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lambert."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // 16 sequences, 4 to 7 instructions each. The "score" annotation is the
        // generator's own ranking of the sequence; its scale is not documented
        // on this page, so do not read it as a match weight (YARA ignores it).
        $sequence_0 = { 8945f4 837df400 751f 837d08ff 7519 }
            // n = 5, score = 400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b

        $sequence_1 = { 8955fc 8b45fc 8b08 83c930 }
            // n = 4, score = 400
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30

        $sequence_2 = { 334df0 83c220 314df8 894af0 894df4 8b4df8 }
            // n = 6, score = 400
            //   334df0               | xor                 ecx, dword ptr [ebp - 0x10]
            //   83c220               | add                 edx, 0x20
            //   314df8               | xor                 dword ptr [ebp - 8], ecx
            //   894af0               | mov                 dword ptr [edx - 0x10], ecx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_3 = { 8b5508 52 8b45f8 8b8870020000 ffd1 8945f4 837df400 }
            // n = 7, score = 400
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]
            //   ffd1                 | call                ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0

        $sequence_4 = { 837d08ff 7519 837d0c22 7513 }
            // n = 4, score = 400
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15

        $sequence_5 = { c1e810 0fb6f8 8972fc 895a08 8bcb }
            // n = 5, score = 400
            //   c1e810               | shr                 eax, 0x10
            //   0fb6f8               | movzx               edi, al
            //   8972fc               | mov                 dword ptr [edx - 4], esi
            //   895a08               | mov                 dword ptr [edx + 8], ebx
            //   8bcb                 | mov                 ecx, ebx

        // Function prologue (mov ebp, esp / sub esp, 0xc) followed by a
        // wildcarded call. Short and generic-looking on its own; the 7-of-16
        // threshold in the condition is what carries the specificity.
        $sequence_6 = { 8bec 83ec0c e8???????? 58 8945f8 }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_7 = { 8b08 83c930 8b55fc 890a 8b45f4 8be5 }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8be5                 | mov                 esp, ebp

        $sequence_8 = { 8b45f8 2500f0ffff 8945f8 8b4d18 51 8b5514 }
            // n = 6, score = 400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   51                   | push                ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]

        $sequence_9 = { 2bd9 8d4602 3bd8 0f82a4000000 83fe06 0f822cffffff }
            // n = 6, score = 400
            //   2bd9                 | sub                 ebx, ecx
            //   8d4602               | lea                 eax, [esi + 2]
            //   3bd8                 | cmp                 ebx, eax
            //   0f82a4000000         | jb                  0xaa
            //   83fe06               | cmp                 esi, 6
            //   0f822cffffff         | jb                  0xffffff32

        $sequence_10 = { 42 0fb702 c1e802 2bf8 42 }
            // n = 5, score = 400
            //   42                   | inc                 edx
            //   0fb702               | movzx               eax, word ptr [edx]
            //   c1e802               | shr                 eax, 2
            //   2bf8                 | sub                 edi, eax
            //   42                   | inc                 edx

        $sequence_11 = { 40 e9???????? 8b4508 8b4804 334f04 53 }
            // n = 6, score = 400
            //   40                   | inc                 eax
            //   e9????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   334f04               | xor                 ecx, dword ptr [edi + 4]
            //   53                   | push                ebx

        $sequence_12 = { 83f928 72da 84db 7418 }
            // n = 4, score = 400
            //   83f928               | cmp                 ecx, 0x28
            //   72da                 | jb                  0xffffffdc
            //   84db                 | test                bl, bl
            //   7418                 | je                  0x1a

        $sequence_13 = { 837d0c22 7513 8b5510 8955fc }
            // n = 4, score = 400
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_14 = { 0f8c1fffffff 8b07 8901 6a04 }
            // n = 4, score = 400
            //   0f8c1fffffff         | jl                  0xffffff25
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   6a04                 | push                4

        $sequence_15 = { 2bf8 4f 42 42 }
            // n = 4, score = 400
            //   2bf8                 | sub                 edi, eax
            //   4f                   | dec                 edi
            //   42                   | inc                 edx
            //   42                   | inc                 edx

    condition:
        // At least 7 of the 16 sequences must be present, and the scanned
        // object must be smaller than 1212416 bytes (about 1.16 MiB). The size
        // cap bounds scan cost and presumably reflects the sample set the rule
        // was generated from; a larger or packed build containing the same
        // code would fall outside it, so a miss on size alone is inconclusive.
        // Because the sequences were lifted from unpacked files and memory
        // dumps (see DISCLAIMER), the rule is best applied to unpacked
        // samples or process memory rather than packed on-disk files.
        7 of them and filesize < 1212416
}