SYMBOLCOMMON_NAMEaka. SYNONYMS
win.microbackdoor (Back to overview)

MicroBackdoor

Actor(s): Ghostwriter


Open-source lightweight backdoor for C2 communication.
GitHub: https://github.com/Cr4sh/MicroBackdoor

References
2022-07-20MandiantMandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-29AttackIQFrancis Guibernau, Jackson Wells
@online{guibernau:20220429:attack:52c55b9, author = {Francis Guibernau and Jackson Wells}, title = {{Attack Graph Response to UNC1151 Continued Targeting of Ukraine}}, date = {2022-04-29}, organization = {AttackIQ}, url = {https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/}, language = {English}, urldate = {2022-05-04} } Attack Graph Response to UNC1151 Continued Targeting of Ukraine
MicroBackdoor
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-14QianxinRed Raindrop Team
@online{team:20220314:analysis:9a058f9, author = {Red Raindrop Team}, title = {{Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries}}, date = {2022-03-14}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/}, language = {Chinese}, urldate = {2022-03-15} } Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries
MicroBackdoor
2022-03-08Cluster25Cluster25
@online{cluster25:20220308:ghostwriter:3f0d3c1, author = {Cluster25}, title = {{GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine}}, date = {2022-03-08}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/}, language = {English}, urldate = {2022-03-10} } GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine
MicroBackdoor
2022-03-07Cert-UACert-UA
@online{certua:20220307:uac0051:18afbc7, author = {Cert-UA}, title = {{UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)}}, date = {2022-03-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37626}, language = {Ukrainian}, urldate = {2022-03-08} } UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)
MicroBackdoor
2021-05-04Cr4sh
@online{cr4sh:20210504:cr4sh:3c1597c, author = {Cr4sh}, title = {{Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets}}, date = {2021-05-04}, url = {https://github.com/cr4sh/microbackdoor}, language = {English}, urldate = {2021-05-04} } Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets
MicroBackdoor
Yara Rules
[TLP:WHITE] win_microbackdoor_auto (20230715 | Detects win.microbackdoor.)
rule win_microbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.microbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4533c9 488d542430 458d4103 488bcb 66c74424300501 }
            // n = 5, score = 100
            //   4533c9               | dec                 eax
            //   488d542430           | mov                 ecx, 0x80000002
            //   458d4103             | dec                 eax
            //   488bcb               | mov                 dword ptr [esp + 0x20], eax
            //   66c74424300501       | mov                 ebx, eax

        $sequence_1 = { 0f832f010000 ff15???????? e9???????? 8b5d0c 8d4dec }
            // n = 5, score = 100
            //   0f832f010000         | cmp                 dword ptr [ebp - 0x94], 2
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8b5d0c               | jne                 0xbe
            //   8d4dec               | cmp                 dword ptr [ebp - 0xa0], 5

        $sequence_2 = { ff15???????? 488905???????? 4885c0 742f ff15???????? 3db7000000 7522 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488905????????       |                     
            //   4885c0               | dec                 eax
            //   742f                 | test                eax, eax
            //   ff15????????         |                     
            //   3db7000000           | je                  0x31
            //   7522                 | cmp                 eax, 0xb7

        $sequence_3 = { ff15???????? eb06 ff15???????? 5b 5f }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   eb06                 | test                eax, eax
            //   ff15????????         |                     
            //   5b                   | jne                 0x11
            //   5f                   | or                  eax, 0xffffffff

        $sequence_4 = { ff15???????? 33c0 e9???????? 83bd6cffffff02 0f85b1000000 83bd60ffffff05 0f86a4000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   33c0                 | jne                 0xc6
            //   e9????????           |                     
            //   83bd6cffffff02       | dec                 ebp
            //   0f85b1000000         | mov                 eax, esi
            //   83bd60ffffff05       | dec                 eax
            //   0f86a4000000         | mov                 eax, ebx

        $sequence_5 = { 8bf0 85f6 7504 33c0 eb79 8b3d???????? }
            // n = 6, score = 100
            //   8bf0                 | push                esi
            //   85f6                 | push                dword ptr [ebp + 8]
            //   7504                 | xor                 esi, esi
            //   33c0                 | test                eax, eax
            //   eb79                 | xor                 eax, eax
            //   8b3d????????         |                     

        $sequence_6 = { 85c0 0f8ea0000000 8d85f0feffff 50 53 e8???????? 85c0 }
            // n = 7, score = 100
            //   85c0                 | nop                 dword ptr [eax]
            //   0f8ea0000000         | cmp                 byte ptr [ebx + eax + 1], 0
            //   8d85f0feffff         | dec                 eax
            //   50                   | lea                 eax, [eax + 1]
            //   53                   | jne                 0xd
            //   e8????????           |                     
            //   85c0                 | lea                 edx, [eax + 1]

        $sequence_7 = { ff15???????? 8bd8 85c0 7514 ff15???????? 488d0d2f6c0000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8bd8                 | inc                 esp
            //   85c0                 | mov                 ecx, edi
            //   7514                 | inc                 ebp
            //   ff15????????         |                     
            //   488d0d2f6c0000       | xor                 eax, eax

        $sequence_8 = { 8b5d0c 40 56 33f6 }
            // n = 4, score = 100
            //   8b5d0c               | jbe                 0xbe
            //   40                   | mov                 eax, dword ptr [ebp - 0x234]
            //   56                   | pop                 ecx
            //   33f6                 | pop                 ecx

        $sequence_9 = { e8???????? 8b85ccfdffff 59 59 85c0 7505 83c8ff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b85ccfdffff         | dec                 esp
            //   59                   | sub                 eax, ebx
            //   59                   | nop                 word ptr [eax + eax]
            //   85c0                 | je                  0x6d
            //   7505                 | dec                 eax
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_10 = { 4439a5a8000000 0f85b9000000 4d8bc6 488bc3 4c2bc3 66660f1f840000000000 }
            // n = 6, score = 100
            //   4439a5a8000000       | inc                 ebp
            //   0f85b9000000         | xor                 ecx, ecx
            //   4d8bc6               | dec                 eax
            //   488bc3               | lea                 edx, [esp + 0x30]
            //   4c2bc3               | inc                 ebp
            //   66660f1f840000000000     | lea    eax, [ecx + 3]

        $sequence_11 = { 7514 8d4201 488b9c24f0000000 4881c4e0000000 }
            // n = 4, score = 100
            //   7514                 | test                eax, eax
            //   8d4201               | jne                 0x1a
            //   488b9c24f0000000     | dec                 eax
            //   4881c4e0000000       | lea                 ecx, [0x6c2f]

        $sequence_12 = { 488d1543520000 448bcf 4533c0 48c7c102000080 4889442420 }
            // n = 5, score = 100
            //   488d1543520000       | mov                 dword ptr [esp + 0x28], 0x7ff
            //   448bcf               | dec                 esp
            //   4533c0               | mov                 dword ptr [esp + 0x20], esi
            //   48c7c102000080       | dec                 eax
            //   4889442420           | lea                 edx, [0x5243]

        $sequence_13 = { 56 ff7508 ff15???????? a1???????? 33f6 8b1d???????? 85c0 }
            // n = 7, score = 100
            //   56                   | dec                 eax
            //   ff7508               | add                 esp, 0xe0
            //   ff15????????         |                     
            //   a1????????           |                     
            //   33f6                 | inc                 esp
            //   8b1d????????         |                     
            //   85c0                 | cmp                 dword ptr [ebp + 0xa8], esp

        $sequence_14 = { b9e9fd0000 c7442428ff070000 4c89742420 ff15???????? }
            // n = 4, score = 100
            //   b9e9fd0000           | dec                 eax
            //   c7442428ff070000     | lea                 ecx, [0x640e]
            //   4c89742420           | mov                 ecx, 0xfde9
            //   ff15????????         |                     

        $sequence_15 = { 8bd0 e8???????? 8b542468 488d0d0e640000 e8???????? }
            // n = 5, score = 100
            //   8bd0                 | jne                 0x24
            //   e8????????           |                     
            //   8b542468             | mov                 edx, eax
            //   488d0d0e640000       | mov                 edx, dword ptr [esp + 0x68]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 123904
}
Download all Yara Rules