SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mosquito (Back to overview)

Mosquito

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12Recorded FutureInsikt Group
@online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } Swallowing the Snake’s Tail: Tracking Turla Infrastructure
Mosquito Sinowal
2020-03-12ESET ResearchMatthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2018-05-22ESET ResearchESET Research
@online{research:20180522:turla:358ccf7, author = {ESET Research}, title = {{Turla Mosquito: A shift towards more generic tools}}, date = {2018-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/}, language = {English}, urldate = {2019-11-14} } Turla Mosquito: A shift towards more generic tools
Mosquito Turla Group
2018-01ESET ResearchEset
@techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } Diplomats in Eastern Europe bitten by a Turla mosquito
Mosquito
Yara Rules
[TLP:WHITE] win_mosquito_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mosquito_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7d8 1bc0 83e0b4 83c04c }
            // n = 4, score = 400
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e0b4               | and                 eax, 0xffffffb4
            //   83c04c               | add                 eax, 0x4c

        $sequence_1 = { 8bfc f3a5 ff942464020000 81c450020000 }
            // n = 4, score = 400
            //   8bfc                 | mov                 edi, esp
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942464020000       | call                dword ptr [esp + 0x264]
            //   81c450020000         | add                 esp, 0x250

        $sequence_2 = { 99 52 50 6a00 6801c1fd7d }
            // n = 5, score = 400
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6801c1fd7d           | push                0x7dfdc101

        $sequence_3 = { e8???????? 6a20 e8???????? 83c40c }
            // n = 4, score = 300
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_4 = { 50 c7450826000000 e8???????? 8bcb c700???????? 8d4508 }
            // n = 6, score = 300
            //   50                   | push                eax
            //   c7450826000000       | mov                 dword ptr [ebp + 8], 0x26
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   c700????????         |                     
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_5 = { 8bfc f3a5 ff942460020000 81c450020000 }
            // n = 4, score = 300
            //   8bfc                 | mov                 edi, esp
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942460020000       | call                dword ptr [esp + 0x260]
            //   81c450020000         | add                 esp, 0x250

        $sequence_6 = { e8???????? 6a20 8bf0 e8???????? 8bc8 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_7 = { ff5004 85c0 7508 c7060b000000 }
            // n = 4, score = 300
            //   ff5004               | call                dword ptr [eax + 4]
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   c7060b000000         | mov                 dword ptr [esi], 0xb

        $sequence_8 = { 8b01 ff5018 85c0 750d 8b434a 6a6e 8b4004 }
            // n = 7, score = 300
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5018               | call                dword ptr [eax + 0x18]
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   8b434a               | mov                 eax, dword ptr [ebx + 0x4a]
            //   6a6e                 | push                0x6e
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

        $sequence_9 = { 53 8b5d08 56 57 8bf9 c70306000000 897df4 }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   c70306000000         | mov                 dword ptr [ebx], 6
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi

        $sequence_10 = { 891e 8d442418 50 8d84246c020000 50 ff15???????? }
            // n = 6, score = 300
            //   891e                 | mov                 dword ptr [esi], ebx
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   8d84246c020000       | lea                 eax, [esp + 0x26c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_11 = { 64a300000000 8b7d08 c745fc00000000 8b7710 85f6 7429 }
            // n = 6, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8b7710               | mov                 esi, dword ptr [edi + 0x10]
            //   85f6                 | test                esi, esi
            //   7429                 | je                  0x2b

        $sequence_12 = { a1???????? 49 8bf0 028b7000108b a0???????? 7500 ff00 }
            // n = 7, score = 200
            //   a1????????           |                     
            //   49                   | dec                 ecx
            //   8bf0                 | mov                 esi, eax
            //   028b7000108b         | add                 cl, byte ptr [ebx - 0x74efff90]
            //   a0????????           |                     
            //   7500                 | jne                 2
            //   ff00                 | inc                 dword ptr [eax]

        $sequence_13 = { 64a300000000 8b7d08 b801000000 894704 }
            // n = 4, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   b801000000           | mov                 eax, 1
            //   894704               | mov                 dword ptr [edi + 4], eax

        $sequence_14 = { 89747230 018b54a300ff ff05???????? 0115???????? e5a0 }
            // n = 5, score = 200
            //   89747230             | mov                 dword ptr [edx + esi*2 + 0x30], esi
            //   018b54a300ff         | add                 dword ptr [ebx - 0xff5cac], ecx
            //   ff05????????         |                     
            //   0115????????         |                     
            //   e5a0                 | in                  eax, 0xa0

        $sequence_15 = { 53 006800 8b02 53 56 5b 8bc7 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   006800               | add                 byte ptr [eax], ch
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   5b                   | pop                 ebx
            //   8bc7                 | mov                 eax, edi

        $sequence_16 = { 56 ff15???????? 8903 83f8ff }
            // n = 4, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8903                 | mov                 dword ptr [ebx], eax
            //   83f8ff               | cmp                 eax, -1

        $sequence_17 = { 51 ffd3 8b5510 c745fcffffffff 8b7d0c 83c404 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83c404               | add                 esp, 4

        $sequence_18 = { 8bc3 e8???????? 8b4304 50 ffd7 83c404 }
            // n = 6, score = 200
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   83c404               | add                 esp, 4

        $sequence_19 = { 008be5430089 0d74008b10 8bce 00755b }
            // n = 4, score = 200
            //   008be5430089         | add                 byte ptr [ebx - 0x76ffbc1b], cl
            //   0d74008b10           | or                  eax, 0x108b0074
            //   8bce                 | mov                 ecx, esi
            //   00755b               | add                 byte ptr [ebp + 0x5b], dh

        $sequence_20 = { 6824080000 50 e8???????? 83c410 }
            // n = 4, score = 200
            //   6824080000           | push                0x824
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

    condition:
        7 of them and filesize < 1015808
}
[TLP:WHITE] win_mosquito_w0   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w0 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = ".?AVFileNameParseException@ExecuteFile@@" fullword ascii
        $s3 = "no_address" fullword wide
        $s6 = "SRRRQP" fullword ascii
        $s7 = "QWVPQQ" fullword ascii
    condition:
        pe.imphash() == "cd918073f209c5da7a16b6c125d73746" or all of them
}
[TLP:WHITE] win_mosquito_w1   (20180301 | Detects malware sample from Turla Mosquito report)
rule win_mosquito_w1 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/scripts/m/query.php?id=" fullword wide
        $a2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide
        $a3 = "GetUserNameW fails" fullword wide

        $s1 = "QVSWQQ" fullword ascii
        $s2 = "SRRRQP" fullword ascii
        $s3 = "QSVVQQ" fullword ascii
    condition:
        2 of ($a*) or 4 of them
}
[TLP:WHITE] win_mosquito_w2   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w2 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "Logger32.dll" fullword ascii
        $s6 = "lManager::Execute : CPalExceptio" fullword wide
        $s19 = "CCommandSender::operator(" fullword wide
    condition:
        pe.imphash() == "073235ae6dfbb1bf5db68a039a7b7726" or 2 of them
}
Download all Yara Rules