win.microbackdoor

MicroBackdoor

Actor(s): Ghostwriter


Open-source, lightweight backdoor that communicates with a command-and-control (C2) server.
GitHub: https://github.com/Cr4sh/MicroBackdoor

References
2022-07-20 — Mandiant — Mandiant Threat Intelligence
@online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20 — U.S. Cyber Command — Cyber National Mission Force Public Affairs
@online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-29 — AttackIQ — Francis Guibernau, Jackson Wells
@online{guibernau:20220429:attack:52c55b9, author = {Francis Guibernau and Jackson Wells}, title = {{Attack Graph Response to UNC1151 Continued Targeting of Ukraine}}, date = {2022-04-29}, organization = {AttackIQ}, url = {https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/}, language = {English}, urldate = {2022-05-04} } Attack Graph Response to UNC1151 Continued Targeting of Ukraine
MicroBackdoor
2022-04-07 — InQuest — Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25 — GOV.UA — State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-14 — Qianxin — Red Raindrop Team
@online{team:20220314:analysis:9a058f9, author = {Red Raindrop Team}, title = {{Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries}}, date = {2022-03-14}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/}, language = {Chinese}, urldate = {2022-03-15} } Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries
MicroBackdoor
2022-03-08 — Cluster25 — Cluster25
@online{cluster25:20220308:ghostwriter:3f0d3c1, author = {Cluster25}, title = {{GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine}}, date = {2022-03-08}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/}, language = {English}, urldate = {2022-03-10} } GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine
MicroBackdoor
2022-03-07 — Cert-UA — Cert-UA
@online{certua:20220307:uac0051:18afbc7, author = {Cert-UA}, title = {{UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)}}, date = {2022-03-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37626}, language = {Ukrainian}, urldate = {2022-03-08} } UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)
MicroBackdoor
2021-05-04 — Cr4sh
@online{cr4sh:20210504:cr4sh:3c1597c, author = {Cr4sh}, title = {{Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets}}, date = {2021-05-04}, url = {https://github.com/cr4sh/microbackdoor}, language = {English}, urldate = {2021-05-04} } Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets
MicroBackdoor
Yara Rules
[TLP:WHITE] win_microbackdoor_auto (20230125 | Detects win.microbackdoor.)
// Auto-generated code-sequence rule for win.microbackdoor (yara-signator output).
// Only the hex byte sequences are matched; see the review note before `strings`.
rule win_microbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.microbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "hex | mnemonic" annotations under each $sequence_N do
     * not line up with the bytes they are printed next to. Example: the bytes
     * of $sequence_0 (50 56 66894dd8) decode to push eax / push esi /
     * mov word ptr [ebp - 0x28], cx, which is the text printed under
     * $sequence_3, while $sequence_0 itself carries the dec edx / or edx /
     * inc edx that belong to the ffca 81ca00ffffff ffc2 bytes of $sequence_8.
     * Several sequences also begin with 0x48 / 0x4c / 0x41 and are annotated
     * 32-bit style ("dec eax", "inc ecx"); those look like REX-prefixed x64
     * instructions (e.g. 488d0d... = lea rcx, [rip+disp32]) that were
     * disassembled in 32-bit mode, which suggests the reference set mixes
     * 32- and 64-bit builds — confirm against the samples before relying on it.
     * Treat the annotations as unreliable documentation only; YARA matches the
     * hex bytes, and each run of '?' is a wildcard nibble (here masking the
     * relocatable call/jump displacements after ff15 and e8/e9).
     */

    strings:
        $sequence_0 = { 50 56 66894dd8 ff15???????? 85c0 }
            // n = 5, score = 100
            //   50                   | dec                 edx
            //   56                   | or                  edx, 0xffffff00
            //   66894dd8             | inc                 edx
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_1 = { 7cdd 33c0 40 5f 5e 5b }
            // n = 6, score = 100
            //   7cdd                 | je                  0x24
            //   33c0                 | push                edi
            //   40                   | je                  0xe2
            //   5f                   | cmp                 dword ptr [ebp + 0x10], esi
            //   5e                   | je                  0xe2
            //   5b                   | mov                 dword ptr [ebp + 0xc], esi

        $sequence_2 = { eb29 488d0da3460000 e8???????? eb22 488d0d6d460000 e8???????? eb14 }
            // n = 7, score = 100
            //   eb29                 | dec                 esp
            //   488d0da3460000       | arpl                ax, sp
            //   e8????????           |                     
            //   eb22                 | inc                 ecx
            //   488d0d6d460000       | cmp                 esp, -1
            //   e8????????           |                     
            //   eb14                 | je                  0x1a9

        $sequence_3 = { 53 8d45fc 8975fc 50 56 56 }
            // n = 6, score = 100
            //   53                   | test                eax, eax
            //   8d45fc               | jne                 0xfffffd9d
            //   8975fc               | call                edi
            //   50                   | push                eax
            //   56                   | push                esi
            //   56                   | mov                 word ptr [ebp - 0x28], cx

        $sequence_4 = { 57 6a40 ff15???????? 8903 85c0 741c 57 }
            // n = 7, score = 100
            //   57                   | arpl                dx, cx
            //   6a40                 | dec                 eax
            //   ff15????????         |                     
            //   8903                 | add                 esp, 0x30
            //   85c0                 | pop                 edi
            //   741c                 | ret                 
            //   57                   | dec                 eax

        $sequence_5 = { 4883c430 5f c3 ff15???????? 488d0dd9710000 }
            // n = 5, score = 100
            //   4883c430             | pop                 ebp
            //   5f                   | jmp                 0x2b
            //   c3                   | dec                 eax
            //   ff15????????         |                     
            //   488d0dd9710000       | lea                 ecx, [0x46a3]

        $sequence_6 = { ff15???????? 4c63e0 4183fcff 0f849f010000 85c0 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   4c63e0               | inc                 ebp
            //   4183fcff             | mov                 ecx, esp
            //   0f849f010000         | dec                 eax
            //   85c0                 | mov                 dword ptr [esp + 0x330], edi

        $sequence_7 = { 751a 50 6a18 50 50 }
            // n = 5, score = 100
            //   751a                 | test                eax, eax
            //   50                   | push                edi
            //   6a18                 | push                0x40
            //   50                   | mov                 dword ptr [ebx], eax
            //   50                   | test                eax, eax

        $sequence_8 = { 03d1 81e2ff000080 7d0a ffca 81ca00ffffff ffc2 4863ca }
            // n = 7, score = 100
            //   03d1                 | test                eax, eax
            //   81e2ff000080         | dec                 eax
            //   7d0a                 | mov                 ecx, dword ptr [esp + 0x30]
            //   ffca                 | xor                 eax, eax
            //   81ca00ffffff         | dec                 eax
            //   ffc2                 | add                 esp, 0x138
            //   4863ca               | pop                 ebx

        $sequence_9 = { ff15???????? ff15???????? 8b542468 4c8d8510010000 488d0d53660000 458bcc 4889bc2430030000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   8b542468             | dec                 eax
            //   4c8d8510010000       | lea                 edx, [ebp + 0x3c0]
            //   488d0d53660000       | dec                 eax
            //   458bcc               | lea                 ecx, [0x7196]
            //   4889bc2430030000     | mov                 edx, dword ptr [esp + 0x68]

        $sequence_10 = { 488b4c2450 3d02010000 751b 8b9424f8000000 }
            // n = 4, score = 100
            //   488b4c2450           | dec                 esp
            //   3d02010000           | lea                 eax, [ebp + 0x110]
            //   751b                 | dec                 eax
            //   8b9424f8000000       | lea                 ecx, [0x6653]

        $sequence_11 = { 0f84dc000000 397510 0f84d9000000 89750c 8bce 0fb78108100010 }
            // n = 6, score = 100
            //   0f84dc000000         | lea                 ecx, [0x71d9]
            //   397510               | test                eax, eax
            //   0f84d9000000         | jne                 0x22
            //   89750c               | dec                 eax
            //   8bce                 | lea                 ecx, [0x6b49]
            //   0fb78108100010       | mov                 edx, eax

        $sequence_12 = { 7459 4c8d4da0 4c8d85b0010000 488d95c0030000 488d0d96710000 }
            // n = 5, score = 100
            //   7459                 | je                  0x5b
            //   4c8d4da0             | dec                 esp
            //   4c8d85b0010000       | lea                 ecx, [ebp - 0x60]
            //   488d95c0030000       | dec                 esp
            //   488d0d96710000       | lea                 eax, [ebp + 0x1b0]

        $sequence_13 = { 488b4c2430 ff15???????? 33c0 4881c438010000 5b 5d }
            // n = 6, score = 100
            //   488b4c2430           | dec                 eax
            //   ff15????????         |                     
            //   33c0                 | mov                 ecx, dword ptr [esp + 0x50]
            //   4881c438010000       | cmp                 eax, 0x102
            //   5b                   | jne                 0x22
            //   5d                   | mov                 edx, dword ptr [esp + 0xf8]

        $sequence_14 = { 85c0 0f8597fdffff ffd7 e9???????? }
            // n = 4, score = 100
            //   85c0                 | add                 edx, ecx
            //   0f8597fdffff         | and                 edx, 0x800000ff
            //   ffd7                 | jge                 0xc
            //   e9????????           |                     

        $sequence_15 = { 99 8dbd60ffffff 83e207 895dac }
            // n = 4, score = 100
            //   99                   | mov                 ecx, esi
            //   8dbd60ffffff         | movzx               eax, word ptr [ecx + 0x10001008]
            //   83e207               | push                ebx
            //   895dac               | lea                 eax, [ebp - 4]

    condition:
        // Any 7 of the 16 sequences must be present. The size bound was
        // presumably derived from the reference sample(s): a larger carrier
        // (installer, dropper, oversized dump) containing the same code will
        // not match. NOTE(review): `filesize` is only meaningful for file
        // scans; confirm the behaviour you expect before using this rule on
        // process memory.
        7 of them and filesize < 123904
}