SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mosquito (Back to overview)

Mosquito

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12Recorded FutureInsikt Group
@online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } Swallowing the Snake’s Tail: Tracking Turla Infrastructure
Mosquito Sinowal
2020-03-12ESET ResearchMatthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2018-05-22ESET ResearchESET Research
@online{research:20180522:turla:358ccf7, author = {ESET Research}, title = {{Turla Mosquito: A shift towards more generic tools}}, date = {2018-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/}, language = {English}, urldate = {2019-11-14} } Turla Mosquito: A shift towards more generic tools
Mosquito Turla Group
2018-01ESET ResearchEset
@techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } Diplomats in Eastern Europe bitten by a Turla mosquito
Mosquito
Yara Rules
[TLP:WHITE] win_mosquito_auto (20210616 | Detects win.mosquito.)
rule win_mosquito_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.mosquito."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7d8 1bc0 83e0b4 83c04c }
            // n = 4, score = 400
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e0b4               | and                 eax, 0xffffffb4
            //   83c04c               | add                 eax, 0x4c

        $sequence_1 = { 52 50 6a00 6801c1fd7d }
            // n = 4, score = 400
            //   52                   | push                edx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6801c1fd7d           | push                0x7dfdc101

        $sequence_2 = { f3a5 ff942464020000 81c450020000 85c0 }
            // n = 4, score = 400
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942464020000       | call                dword ptr [esp + 0x264]
            //   81c450020000         | add                 esp, 0x250
            //   85c0                 | test                eax, eax

        $sequence_3 = { e8???????? 6a20 8bf0 e8???????? 8bc8 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_4 = { 8bc8 8b10 6846730000 ff5204 }
            // n = 4, score = 300
            //   8bc8                 | mov                 ecx, eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   6846730000           | push                0x7346
            //   ff5204               | call                dword ptr [edx + 4]

        $sequence_5 = { 8bfc f3a5 ff942460020000 81c450020000 }
            // n = 4, score = 300
            //   8bfc                 | mov                 edi, esp
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942460020000       | call                dword ptr [esp + 0x260]
            //   81c450020000         | add                 esp, 0x250

        $sequence_6 = { 7305 8b4908 eb04 8bd1 8b09 80792100 }
            // n = 6, score = 300
            //   7305                 | jae                 7
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   eb04                 | jmp                 6
            //   8bd1                 | mov                 edx, ecx
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   80792100             | cmp                 byte ptr [ecx + 0x21], 0

        $sequence_7 = { e8???????? 834dfcff 8bc8 e8???????? 8d4746 50 e8???????? }
            // n = 7, score = 300
            //   e8????????           |                     
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d4746               | lea                 eax, dword ptr [edi + 0x46]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 8b4d08 ff7510 e8???????? 83c40c eb05 b895000000 }
            // n = 6, score = 300
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb05                 | jmp                 7
            //   b895000000           | mov                 eax, 0x95

        $sequence_9 = { 8bc7 8b4c2428 64890d00000000 59 5f 5e 8be5 }
            // n = 7, score = 300
            //   8bc7                 | mov                 eax, edi
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp

        $sequence_10 = { 8b4b42 52 8b01 ff500c 8b4b42 }
            // n = 5, score = 300
            //   8b4b42               | mov                 ecx, dword ptr [ebx + 0x42]
            //   52                   | push                edx
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff500c               | call                dword ptr [eax + 0xc]
            //   8b4b42               | mov                 ecx, dword ptr [ebx + 0x42]

        $sequence_11 = { e8???????? 6a20 e8???????? 83c40c }
            // n = 4, score = 300
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_12 = { 8bc8 8b10 6807000100 ff5204 8b450c 2bc3 83f80c }
            // n = 7, score = 300
            //   8bc8                 | mov                 ecx, eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   6807000100           | push                0x10007
            //   ff5204               | call                dword ptr [edx + 4]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2bc3                 | sub                 eax, ebx
            //   83f80c               | cmp                 eax, 0xc

        $sequence_13 = { 708d 46 1001 45 }
            // n = 4, score = 200
            //   708d                 | jo                  0xffffff8f
            //   46                   | inc                 esi
            //   1001                 | adc                 byte ptr [ecx], al
            //   45                   | inc                 ebp

        $sequence_14 = { 7083 ec 54 2465 }
            // n = 4, score = 200
            //   7083                 | jo                  0xffffff85
            //   ec                   | in                  al, dx
            //   54                   | push                esp
            //   2465                 | and                 al, 0x65

        $sequence_15 = { 7068 3100 83680010 64006c64a1 }
            // n = 4, score = 200
            //   7068                 | jo                  0x6a
            //   3100                 | xor                 dword ptr [eax], eax
            //   83680010             | sub                 dword ptr [eax], 0x10
            //   64006c64a1           | add                 byte ptr fs:[esp - 0x5f], ch

        $sequence_16 = { 708b c600cc 8bf0 80780070 }
            // n = 4, score = 200
            //   708b                 | jo                  0xffffff8d
            //   c600cc               | mov                 byte ptr [eax], 0xcc
            //   8bf0                 | mov                 esi, eax
            //   80780070             | cmp                 byte ptr [eax], 0x70

        $sequence_17 = { 7051 0489 5d 00e8 3101 }
            // n = 5, score = 200
            //   7051                 | jo                  0x53
            //   0489                 | add                 al, 0x89
            //   5d                   | pop                 ebp
            //   00e8                 | add                 al, ch
            //   3101                 | xor                 dword ptr [ecx], eax

        $sequence_18 = { 7074 299319ff1556 57 0800 }
            // n = 4, score = 200
            //   7074                 | jo                  0x76
            //   299319ff1556         | sub                 dword ptr [ebx + 0x5615ff19], edx
            //   57                   | push                edi
            //   0800                 | or                  byte ptr [eax], al

    condition:
        7 of them and filesize < 1015808
}
[TLP:WHITE] win_mosquito_w0   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w0 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = ".?AVFileNameParseException@ExecuteFile@@" fullword ascii
        $s3 = "no_address" fullword wide
        $s6 = "SRRRQP" fullword ascii
        $s7 = "QWVPQQ" fullword ascii
    condition:
        pe.imphash() == "cd918073f209c5da7a16b6c125d73746" or all of them
}
[TLP:WHITE] win_mosquito_w1   (20180301 | Detects malware sample from Turla Mosquito report)
rule win_mosquito_w1 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/scripts/m/query.php?id=" fullword wide
        $a2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide
        $a3 = "GetUserNameW fails" fullword wide

        $s1 = "QVSWQQ" fullword ascii
        $s2 = "SRRRQP" fullword ascii
        $s3 = "QSVVQQ" fullword ascii
    condition:
        2 of ($a*) or 4 of them
}
[TLP:WHITE] win_mosquito_w2   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w2 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "Logger32.dll" fullword ascii
        $s6 = "lManager::Execute : CPalExceptio" fullword wide
        $s19 = "CCommandSender::operator(" fullword wide
    condition:
        pe.imphash() == "073235ae6dfbb1bf5db68a039a7b7726" or 2 of them
}
Download all Yara Rules