SYMBOLCOMMON_NAMEaka. SYNONYMS
win.microbackdoor (Back to overview)

MicroBackdoor

Actor(s): Ghostwriter

VTCollection    

Open-source lightweight backdoor for C2 communication.
GitHub: https://github.com/Cr4sh/MicroBackdoor

References
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20MandiantMandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-29AttackIQFrancis Guibernau, Jackson Wells
Attack Graph Response to UNC1151 Continued Targeting of Ukraine
MicroBackdoor
2022-04-07InQuestNick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-14QianxinRed Raindrop Team
Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries
MicroBackdoor
2022-03-08Cluster25Cluster25
GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine
MicroBackdoor
2022-03-07Cert-UACert-UA
UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)
MicroBackdoor
2021-05-04Cr4sh
Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets
MicroBackdoor
Yara Rules
[TLP:WHITE] win_microbackdoor_auto (20230808 | Detects win.microbackdoor.)
rule win_microbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.microbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb74510 50 ff750c ff15???????? }
            // n = 4, score = 100
            //   0fb74510             | push                0x40
            //   50                   | mov                 ecx, eax
            //   ff750c               | mov                 dword ptr [ebp + 0xc], ecx
            //   ff15????????         |                     

        $sequence_1 = { ffd7 eb06 ff15???????? 8bc6 eb06 }
            // n = 5, score = 100
            //   ffd7                 | dec                 esp
            //   eb06                 | lea                 eax, [0x759c]
            //   ff15????????         |                     
            //   8bc6                 | dec                 eax
            //   eb06                 | lea                 ecx, [0x94b7]

        $sequence_2 = { 488bcd 418bdc 4d8bfc e8???????? 85db 755b 488d842478020000 }
            // n = 7, score = 100
            //   488bcd               | test                eax, eax
            //   418bdc               | je                  0x1c3
            //   4d8bfc               | je                  0x1b3
            //   e8????????           |                     
            //   85db                 | dec                 eax
            //   755b                 | mov                 ecx, ebp
            //   488d842478020000     | inc                 ecx

        $sequence_3 = { 8939 488d4c2430 41b89c000000 e8???????? 488d4c2430 }
            // n = 5, score = 100
            //   8939                 | je                  0x1c
            //   488d4c2430           | movzx               eax, word ptr [edi + ebx*2 - 2]
            //   41b89c000000         | cmp                 ax, 0x5c
            //   e8????????           |                     
            //   488d4c2430           | je                  0xc

        $sequence_4 = { 74df 8d047506000000 50 6a40 ff15???????? 8bc8 894d0c }
            // n = 7, score = 100
            //   74df                 | dec                 eax
            //   8d047506000000       | lea                 ecx, [esp + 0x30]
            //   50                   | dec                 ecx
            //   6a40                 | mov                 ecx, esi
            //   ff15????????         |                     
            //   8bc8                 | xor                 esi, esi
            //   894d0c               | test                ebp, ebp

        $sequence_5 = { 85c0 751d 837c247001 7516 395c2478 7610 488b4c2430 }
            // n = 7, score = 100
            //   85c0                 | mov                 dword ptr [esp + 0x88], edi
            //   751d                 | inc                 ebp
            //   837c247001           | cmp                 eax, esp
            //   7516                 | dec                 esp
            //   395c2478             | mov                 dword ptr [esp + 0x20], edi
            //   7610                 | dec                 eax
            //   488b4c2430           | test                ebx, ebx

        $sequence_6 = { 4885db 7417 0fb7445ffe 6683f85c 7406 6683f82f }
            // n = 6, score = 100
            //   4885db               | jne                 0x5f
            //   7417                 | dec                 eax
            //   0fb7445ffe           | lea                 eax, [esp + 0x278]
            //   6683f85c             | dec                 ecx
            //   7406                 | mov                 ecx, esi
            //   6683f82f             | inc                 esp

        $sequence_7 = { 498bce 33f6 e8???????? 85ed }
            // n = 4, score = 100
            //   498bce               | cmp                 ax, 0x2f
            //   33f6                 | test                eax, eax
            //   e8????????           |                     
            //   85ed                 | jne                 0x2b

        $sequence_8 = { 498bce 4489bc2488000000 453bc4 4c897c2420 }
            // n = 4, score = 100
            //   498bce               | mov                 ebx, esp
            //   4489bc2488000000     | dec                 ebp
            //   453bc4               | mov                 edi, esp
            //   4c897c2420           | test                ebx, ebx

        $sequence_9 = { 56 6a00 6a00 68???????? ff75f8 ff15???????? 85c0 }
            // n = 7, score = 100
            //   56                   | mov                 dword ptr [ecx], edi
            //   6a00                 | dec                 eax
            //   6a00                 | lea                 ecx, [esp + 0x30]
            //   68????????           |                     
            //   ff75f8               | inc                 ecx
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, 0x9c

        $sequence_10 = { ff15???????? 8d4336 50 6a40 ff15???????? 8bf8 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8d4336               | call                edi
            //   50                   | jmp                 0xa
            //   6a40                 | mov                 eax, esi
            //   ff15????????         |                     
            //   8bf8                 | jmp                 0xe

        $sequence_11 = { 8bf8 897dd4 85ff 7498 837df800 b9???????? 8b5dfc }
            // n = 7, score = 100
            //   8bf8                 | mov                 edx, eax
            //   897dd4               | mov                 edi, eax
            //   85ff                 | xor                 eax, eax
            //   7498                 | inc                 eax
            //   837df800             | push                esi
            //   b9????????           |                     
            //   8b5dfc               | push                0

        $sequence_12 = { ff15???????? 488bd8 4885c0 7512 ff15???????? 488d0d503e0000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bd8               | dec                 eax
            //   4885c0               | mov                 ebx, eax
            //   7512                 | dec                 eax
            //   ff15????????         |                     
            //   488d0d503e0000       | test                eax, eax

        $sequence_13 = { 8bf8 e9???????? 33c0 40 e9???????? ff15???????? }
            // n = 6, score = 100
            //   8bf8                 | jbe                 0x2b
            //   e9????????           |                     
            //   33c0                 | dec                 eax
            //   40                   | mov                 ecx, dword ptr [esp + 0x30]
            //   e9????????           |                     
            //   ff15????????         |                     

        $sequence_14 = { 83feff 743b 8b4d0c ff7510 894df4 ff15???????? 668945f2 }
            // n = 7, score = 100
            //   83feff               | push                0
            //   743b                 | push                dword ptr [ebp - 8]
            //   8b4d0c               | test                eax, eax
            //   ff7510               | je                  0xffffffe1
            //   894df4               | lea                 eax, [esi*2 + 6]
            //   ff15????????         |                     
            //   668945f2             | push                eax

        $sequence_15 = { 85c0 0f84bb010000 66833d????????00 0f84ad010000 }
            // n = 4, score = 100
            //   85c0                 | jne                 0x14
            //   0f84bb010000         | dec                 eax
            //   66833d????????00     |                     
            //   0f84ad010000         | lea                 ecx, [0x3e50]

    condition:
        7 of them and filesize < 123904
}
Download all Yara Rules