win.mosquito

Mosquito

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12 — Recorded Future — Insikt Group
@online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } Swallowing the Snake’s Tail: Tracking Turla Infrastructure
Mosquito Sinowal
2020-03-12 — ESET Research — Matthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020 — Secureworks — SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2018-10-04 — Kaspersky Labs — GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2018-05-22 — ESET Research — ESET Research
@online{research:20180522:turla:358ccf7, author = {ESET Research}, title = {{Turla Mosquito: A shift towards more generic tools}}, date = {2018-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/}, language = {English}, urldate = {2019-11-14} } Turla Mosquito: A shift towards more generic tools
Mosquito Turla Group
2018-01 — ESET Research — Eset
@techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } Diplomats in Eastern Europe bitten by a Turla mosquito
Mosquito
Yara Rules
[TLP:WHITE] win_mosquito_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_mosquito_auto {

    // Auto-generated code-sequence signature for win.mosquito, produced by
    // yara-signator v0.5.0 from the Malpedia sample set (see DISCLAIMER below).
    // Each $sequence_N is a short run of x86 opcode bytes; "??" wildcards mask
    // operands that change between builds or after rebasing (rel32 call targets
    // in e8 ????????, import-table addresses in ff15 ????????).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: n = number of instructions in the sequence;
        // score = the generator's weight for the sequence (presumably higher when
        // more samples share it -- confirm against the yara-signator documentation).
        // Lines with an empty disassembly column are the wildcarded instructions.
        $sequence_0 = { 8bfc f3a5 ff942464020000 81c450020000 85c0 }
            // n = 5, score = 300
            //   8bfc                 | mov                 edi, esp
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942464020000       | call                dword ptr [esp + 0x264]
            //   81c450020000         | add                 esp, 0x250
            //   85c0                 | test                eax, eax

        $sequence_1 = { f7d8 1bc0 83e0b4 83c04c }
            // n = 4, score = 300
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e0b4               | and                 eax, 0xffffffb4
            //   83c04c               | add                 eax, 0x4c

        $sequence_2 = { 99 52 50 6a00 6801c1fd7d }
            // n = 5, score = 300
            //   99                   | cdq
            //   52                   | push                edx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6801c1fd7d           | push                0x7dfdc101

        $sequence_3 = { 6a00 56 ff15???????? 8903 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |
            //   8903                 | mov                 dword ptr [ebx], eax

        $sequence_4 = { e8???????? 83c40c e8???????? 6a20 8bf0 }
            // n = 5, score = 200
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   e8????????           |
            //   6a20                 | push                0x20
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 6824080000 50 e8???????? 83c410 }
            // n = 4, score = 200
            //   6824080000           | push                0x824
            //   50                   | push                eax
            //   e8????????           |
            //   83c410               | add                 esp, 0x10

        $sequence_6 = { 85c0 7508 6a6b 58 e9???????? }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a6b                 | push                0x6b
            //   58                   | pop                 eax
            //   e9????????           |

        $sequence_7 = { 52 8b01 ff5010 8b45f8 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_8 = { b888000000 eb43 57 8b7d08 85ff 7435 }
            // n = 6, score = 200
            //   b888000000           | mov                 eax, 0x88
            //   eb43                 | jmp                 0x45
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   85ff                 | test                edi, edi
            //   7435                 | je                  0x37

        $sequence_9 = { 8b07 56 ff7510 83c00c 03c3 50 e8???????? }
            // n = 7, score = 200
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   56                   | push                esi
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   83c00c               | add                 eax, 0xc
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   e8????????           |

        $sequence_10 = { 33c0 eb55 53 8b5d0c 85db 7443 8bce }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   eb55                 | jmp                 0x57
            //   53                   | push                ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   85db                 | test                ebx, ebx
            //   7443                 | je                  0x45
            //   8bce                 | mov                 ecx, esi

        $sequence_11 = { 6a20 8bd8 e8???????? 8bc8 }
            // n = 4, score = 200
            //   6a20                 | push                0x20
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |
            //   8bc8                 | mov                 ecx, eax

        $sequence_12 = { 6801c1fd7d e8???????? 8bd8 eb02 }
            // n = 4, score = 200
            //   6801c1fd7d           | push                0x7dfdc101
            //   e8????????           |
            //   8bd8                 | mov                 ebx, eax
            //   eb02                 | jmp                 4

        // NOTE(review): most of the score-100 sequences below ($sequence_13, _14,
        // _15, _17, _18, _19) disassemble to implausible instruction streams
        // (e.g. `add byte ptr [edx], dh`, `lds`, `int3`, `cld`, fs-relative loads),
        // which suggests the bytes come from data or a misaligned code region of
        // a single sample. They still match byte-for-byte, but a hit that depends
        // on them is weaker evidence than one carried by the score 200/300 sequences.
        $sequence_13 = { 8b4df4 8bce 85c0 0032 0100 83c480 }
            // n = 6, score = 100
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bce                 | mov                 ecx, esi
            //   85c0                 | test                eax, eax
            //   0032                 | add                 byte ptr [edx], dh
            //   0100                 | add                 dword ptr [eax], eax
            //   83c480               | add                 esp, -0x80

        $sequence_14 = { 0033 c58becc645c2 0410 00890d108d00 40 1033 }
            // n = 6, score = 100
            //   0033                 | add                 byte ptr [ebx], dh
            //   c58becc645c2         | lds                 ecx, ptr [ebx - 0x3dba3914]
            //   0410                 | add                 al, 0x10
            //   00890d108d00         | add                 byte ptr [ecx + 0x8d100d], cl
            //   40                   | inc                 eax
            //   1033                 | adc                 byte ptr [ebx], dh

        $sequence_15 = { 10890d8b5524 08f0 8b09 8b746400 cc 8bec }
            // n = 6, score = 100
            //   10890d8b5524         | adc                 byte ptr [ecx + 0x24558b0d], cl
            //   08f0                 | or                  al, dh
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b746400             | mov                 esi, dword ptr [esp]
            //   cc                   | int3
            //   8bec                 | mov                 ebp, esp

        // $sequence_16 reads as real code: a byte loaded from the stack frame is
        // XORed into a buffer indexed by edx (looks like part of a single-byte
        // XOR decoding loop -- TODO confirm against the sample).
        $sequence_16 = { 8a45f6 8d7df4 03fa 3007 85db }
            // n = 5, score = 100
            //   8a45f6               | mov                 al, byte ptr [ebp - 0xa]
            //   8d7df4               | lea                 edi, [ebp - 0xc]
            //   03fa                 | add                 edi, edx
            //   3007                 | xor                 byte ptr [edi], al
            //   85db                 | test                ebx, ebx

        $sequence_17 = { 098b298dffcc 5e 5b 08838b4a7200 }
            // n = 4, score = 100
            //   098b298dffcc         | or                  dword ptr [ebx - 0x330072d7], ecx
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   08838b4a7200         | or                  byte ptr [ebx + 0x724a8b], al

        $sequence_18 = { 7875 006440ff 15006c8b4a 1d8bffff45 fc 8bc7 85f6 }
            // n = 7, score = 100
            //   7875                 | js                  0x77
            //   006440ff             | add                 byte ptr [eax + eax*2 - 1], ah
            //   15006c8b4a           | adc                 eax, 0x4a8b6c00
            //   1d8bffff45           | sbb                 eax, 0x45ffff8b
            //   fc                   | cld
            //   8bc7                 | mov                 eax, edi
            //   85f6                 | test                esi, esi

        $sequence_19 = { 0000 8d6f00 1022 50 83a30000321083 64a100633f24 00758b }
            // n = 7, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   8d6f00               | lea                 ebp, [edi]
            //   1022                 | adc                 byte ptr [edx], ah
            //   50                   | push                eax
            //   83a30000321083       | and                 dword ptr [ebx + 0x10320000], 0xffffff83
            //   64a100633f24         | mov                 eax, dword ptr fs:[0x243f6300]
            //   00758b               | add                 byte ptr [ebp - 0x75], dh

        $sequence_20 = { 7464 8b4d14 8b4908 8bc6 }
            // n = 4, score = 100
            //   7464                 | je                  0x66
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   8bc6                 | mov                 eax, esi

    condition:
        // Any 7 of the 21 sequences, and only for inputs smaller than 1015808
        // bytes (0xF8000, 992 KiB; presumably derived from the reference sample's
        // size -- unpacked dumps larger than this are excluded by design).
        7 of them and filesize < 1015808
}
[TLP:WHITE] win_mosquito_w0   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w0 {
    // Detection rule for the Turla Mosquito sample described in ESET's
    // January 2018 report. Requires the "pe" module (imported above the rule).
    // Fires on either the import hash of the reported sample or on the full
    // set of four marker strings below; either branch alone is sufficient.
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Looks like an MSVC RTTI type-descriptor name (".?AV<class>@<scope>@@"),
        // i.e. a FileNameParseException class inside ExecuteFile; ascii, whole word.
        $rtti_exc   = ".?AVFileNameParseException@ExecuteFile@@" fullword ascii
        // UTF-16LE marker string.
        $w_noaddr   = "no_address" fullword wide
        // Short ascii tokens of undocumented origin; weak individually and
        // therefore only counted together with the two strings above.
        $tok_srrrqp = "SRRRQP" fullword ascii
        $tok_qwvpqq = "QWVPQQ" fullword ascii
    condition:
        pe.imphash() == "cd918073f209c5da7a16b6c125d73746"
        or ($rtti_exc and $w_noaddr and $tok_srrrqp and $tok_qwvpqq)
}
[TLP:WHITE] win_mosquito_w1   (20180301 | Detects malware sample from Turla Mosquito report)
rule win_mosquito_w1 {
    // String-only rule for the Turla Mosquito sample from ESET's January 2018
    // report (no "pe" module needed). Two of the three higher-confidence
    // UTF-16LE artefacts ($hi*) are enough on their own; otherwise four strings
    // out of all six are required.
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Higher-confidence artefacts (UTF-16LE): a request path fragment,
        // a hard-coded browser User-Agent, and an error message naming the
        // GetUserNameW API.
        $hi1 = "/scripts/m/query.php?id=" fullword wide
        $hi2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide
        $hi3 = "GetUserNameW fails" fullword wide

        // Short ascii tokens of undocumented origin; weak individually,
        // only counted in the four-of-six branch.
        $lo1 = "QVSWQQ" fullword ascii
        $lo2 = "SRRRQP" fullword ascii
        $lo3 = "QSVVQQ" fullword ascii
    condition:
        2 of ($hi*) or 4 of ($hi*, $lo*)
}
[TLP:WHITE] win_mosquito_w2   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

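rule win_mosquito_w2 {
    // Detects the Turla Mosquito component from ESET's January 2018 report,
    // either by the reported sample's import hash (requires the "pe" module
    // imported above the rule) or by two of the three string artefacts below.
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Module name (ascii). A bare file name like this may also occur in
        // unrelated software, which is why no single string fires on its own.
        $x1 = "Logger32.dll" fullword ascii
        // NOTE(review): this 32-character fragment is cut mid-identifier at both
        // ends ("...lManager", "CPalExceptio..."), so with `fullword` it could only
        // match a file containing exactly this fragment bounded by non-alphanumeric
        // characters -- not the longer UTF-16LE string it was presumably extracted
        // from. `fullword` is therefore dropped for this string so it can match
        // inside the full identifier; the change only widens the set of matches.
        $s6 = "lManager::Execute : CPalExceptio" wide
        // Method name up to its opening parenthesis (UTF-16LE); the trailing "("
        // already satisfies the fullword boundary.
        $s19 = "CCommandSender::operator(" fullword wide
    condition:
        // Either branch is sufficient on its own.
        pe.imphash() == "073235ae6dfbb1bf5db68a039a7b7726" or 2 of them
}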