SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mosquito (Back to overview)

Mosquito

Actor(s): Turla Group


There is no description at this point.

References
2022-05-02cocomelonccocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2020-03-12Recorded FutureInsikt Group
@online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } Swallowing the Snake’s Tail: Tracking Turla Infrastructure
Mosquito Sinowal
2020-03-12ESET ResearchMatthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2018-05-22ESET ResearchESET Research
@online{research:20180522:turla:358ccf7, author = {ESET Research}, title = {{Turla Mosquito: A shift towards more generic tools}}, date = {2018-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/}, language = {English}, urldate = {2019-11-14} } Turla Mosquito: A shift towards more generic tools
Mosquito Turla
2018-01ESET ResearchEset
@techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } Diplomats in Eastern Europe bitten by a Turla mosquito
Mosquito
Yara Rules
[TLP:WHITE] win_mosquito_auto (20221125 | Detects win.mosquito.)
rule win_mosquito_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.mosquito."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7d8 1bc0 83e0b4 83c04c }
            // n = 4, score = 400
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e0b4               | and                 eax, 0xffffffb4
            //   83c04c               | add                 eax, 0x4c

        $sequence_1 = { 99 52 50 6a00 6801c1fd7d }
            // n = 5, score = 400
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6801c1fd7d           | push                0x7dfdc101

        $sequence_2 = { 8bfc f3a5 ff942464020000 81c450020000 }
            // n = 4, score = 400
            //   8bfc                 | mov                 edi, esp
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942464020000       | call                dword ptr [esp + 0x264]
            //   81c450020000         | add                 esp, 0x250

        $sequence_3 = { 8d4508 50 c745082b000000 e8???????? 8bcb c700???????? 8d4508 }
            // n = 7, score = 300
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   c745082b000000       | mov                 dword ptr [ebp + 8], 0x2b
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   c700????????         |                     
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_4 = { 8d4508 50 c745082c000000 e8???????? }
            // n = 4, score = 300
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   c745082c000000       | mov                 dword ptr [ebp + 8], 0x2c
            //   e8????????           |                     

        $sequence_5 = { 8d4508 50 c745082d000000 e8???????? }
            // n = 4, score = 300
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   c745082d000000       | mov                 dword ptr [ebp + 8], 0x2d
            //   e8????????           |                     

        $sequence_6 = { 8bfc f3a5 ff942460020000 81c450020000 85c0 }
            // n = 5, score = 300
            //   8bfc                 | mov                 edi, esp
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff942460020000       | call                dword ptr [esp + 0x260]
            //   81c450020000         | add                 esp, 0x250
            //   85c0                 | test                eax, eax

        $sequence_7 = { 6a20 8bf0 e8???????? 8bc8 }
            // n = 4, score = 300
            //   6a20                 | push                0x20
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_8 = { e8???????? 6a20 e8???????? 83c40c }
            // n = 4, score = 300
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_9 = { e8???????? 6a20 8bd8 e8???????? 8bc8 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   6a20                 | push                0x20
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_10 = { 0000 0001 1001 c550f0 8b8078005900 }
            // n = 5, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   0001                 | add                 byte ptr [ecx], al
            //   1001                 | adc                 byte ptr [ecx], al
            //   c550f0               | lds                 edx, ptr [eax - 0x10]
            //   8b8078005900         | mov                 eax, dword ptr [eax + 0x590078]

        $sequence_11 = { 0000 00748078 3001 40 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   00748078             | add                 byte ptr [eax + eax*4 + 0x78], dh
            //   3001                 | xor                 byte ptr [ecx], al
            //   40                   | inc                 eax

        $sequence_12 = { 0000 006301 1000 7500 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   006301               | add                 byte ptr [ebx + 1], ah
            //   1000                 | adc                 byte ptr [eax], al
            //   7500                 | jne                 2

        $sequence_13 = { 6a00 ff15???????? 6a00 56 ff15???????? 8903 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8903                 | mov                 dword ptr [ebx], eax

        $sequence_14 = { 0000 00645657 8b7dc2 0400 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   00645657             | add                 byte ptr [esi + edx*2 + 0x57], ah
            //   8b7dc2               | mov                 edi, dword ptr [ebp - 0x3e]
            //   0400                 | add                 al, 0

        $sequence_15 = { 0000 006500 676c 0010 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   006500               | add                 byte ptr [ebp], ah
            //   676c                 | insb                byte ptr es:[di], dx
            //   0010                 | add                 byte ptr [eax], dl

        $sequence_16 = { 6c c55003 00442464 a1???????? 0001 894d1d }
            // n = 6, score = 200
            //   6c                   | insb                byte ptr es:[edi], dx
            //   c55003               | lds                 edx, ptr [eax + 3]
            //   00442464             | add                 byte ptr [esp + 0x64], al
            //   a1????????           |                     
            //   0001                 | add                 byte ptr [ecx], al
            //   894d1d               | mov                 dword ptr [ebp + 0x1d], ecx

        $sequence_17 = { 0000 0018 a0???????? 57 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   0018                 | add                 byte ptr [eax], bl
            //   a0????????           |                     
            //   57                   | push                edi

        $sequence_18 = { 0000 0032 08804d086440 5e }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   0032                 | add                 byte ptr [edx], dh
            //   08804d086440         | or                  byte ptr [eax + 0x4064084d], al
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 1015808
}
[TLP:WHITE] win_mosquito_w0   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w0 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = ".?AVFileNameParseException@ExecuteFile@@" fullword ascii
        $s3 = "no_address" fullword wide
        $s6 = "SRRRQP" fullword ascii
        $s7 = "QWVPQQ" fullword ascii
    condition:
        pe.imphash() == "cd918073f209c5da7a16b6c125d73746" or all of them
}
[TLP:WHITE] win_mosquito_w1   (20180301 | Detects malware sample from Turla Mosquito report)
rule win_mosquito_w1 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/scripts/m/query.php?id=" fullword wide
        $a2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide
        $a3 = "GetUserNameW fails" fullword wide

        $s1 = "QVSWQQ" fullword ascii
        $s2 = "SRRRQP" fullword ascii
        $s3 = "QSVVQQ" fullword ascii
    condition:
        2 of ($a*) or 4 of them
}
[TLP:WHITE] win_mosquito_w2   (20180301 | Detects malware sample from Turla Mosquito report)
import "pe"

rule win_mosquito_w2 {
    meta:
        description = "Detects malware sample from Turla Mosquito report"
        author = "Florian Roth"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "Logger32.dll" fullword ascii
        $s6 = "lManager::Execute : CPalExceptio" fullword wide
        $s19 = "CCommandSender::operator(" fullword wide
    condition:
        pe.imphash() == "073235ae6dfbb1bf5db68a039a7b7726" or 2 of them
}
Download all Yara Rules