OnionDuke (Malware Family)

OnionDuke

Actor(s): APT29

VTCollection

OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.

References

2020-05-06 ⋅ F-Secure Labs ⋅ Artturi Lehtiö, Melissa Michael
039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29
OnionDuke

2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29

2014-11-15 ⋅ Contagio Dump ⋅ Mila Parkour
OnionDuke samples
OnionDuke

2014-11-14 ⋅ F-Secure ⋅ F-Secure Labs
OnionDuke: APT Attacks Via the Tor Network
OnionDuke

Yara Rules

[TLP:WHITE] win_onionduke_auto (20230808 | Detects win.onionduke.)

rule win_onionduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.onionduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33d2 895e68 66895658 8b550c 8d4202 c645fc04 8945ec }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   895e68               | mov                 dword ptr [esi + 0x68], ebx
            //   66895658             | mov                 word ptr [esi + 0x58], dx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8d4202               | lea                 eax, [edx + 2]
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_1 = { c1e81f 03c2 897dcc 0f84d0000000 897dd0 eb02 }
            // n = 6, score = 200
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   897dcc               | mov                 dword ptr [ebp - 0x34], edi
            //   0f84d0000000         | je                  0xd6
            //   897dd0               | mov                 dword ptr [ebp - 0x30], edi
            //   eb02                 | jmp                 4

        $sequence_2 = { 384b01 7506 40 380c18 }
            // n = 4, score = 200
            //   384b01               | cmp                 byte ptr [ebx + 1], cl
            //   7506                 | jne                 8
            //   40                   | inc                 eax
            //   380c18               | cmp                 byte ptr [eax + ebx], cl

        $sequence_3 = { 894ee4 894ffc 8d4eec 8d57ec 8d5fec }
            // n = 5, score = 200
            //   894ee4               | mov                 dword ptr [esi - 0x1c], ecx
            //   894ffc               | mov                 dword ptr [edi - 4], ecx
            //   8d4eec               | lea                 ecx, [esi - 0x14]
            //   8d57ec               | lea                 edx, [edi - 0x14]
            //   8d5fec               | lea                 ebx, [edi - 0x14]

        $sequence_4 = { 56 8bf1 837e0c00 751e 6a04 e8???????? 83c404 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   751e                 | jne                 0x20
            //   6a04                 | push                4
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_5 = { 3bfb 72ac 5f 5e }
            // n = 4, score = 200
            //   3bfb                 | cmp                 edi, ebx
            //   72ac                 | jb                  0xffffffae
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_6 = { 8b4e44 8b09 85d2 7405 }
            // n = 4, score = 200
            //   8b4e44               | mov                 ecx, dword ptr [esi + 0x44]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   85d2                 | test                edx, edx
            //   7405                 | je                  7

        $sequence_7 = { 8910 894ed0 8b56e0 8957e0 8b56e4 }
            // n = 5, score = 200
            //   8910                 | mov                 dword ptr [eax], edx
            //   894ed0               | mov                 dword ptr [esi - 0x30], ecx
            //   8b56e0               | mov                 edx, dword ptr [esi - 0x20]
            //   8957e0               | mov                 dword ptr [edi - 0x20], edx
            //   8b56e4               | mov                 edx, dword ptr [esi - 0x1c]

        $sequence_8 = { e8???????? 83c404 33c0 eb66 8bc6 8d5001 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   eb66                 | jmp                 0x68
            //   8bc6                 | mov                 eax, esi
            //   8d5001               | lea                 edx, [eax + 1]

        $sequence_9 = { 80f90f 7f05 80c157 eb02 32c9 }
            // n = 5, score = 200
            //   80f90f               | cmp                 cl, 0xf
            //   7f05                 | jg                  7
            //   80c157               | add                 cl, 0x57
            //   eb02                 | jmp                 4
            //   32c9                 | xor                 cl, cl

    condition:
        7 of them and filesize < 671744
}

Download all Yara Rules

OnionDuke Propose Change

References

Yara Rules

OnionDuke