win.outlook_backdoor

Outlook Backdoor

aka: FACADE

Actor(s): Turla Group


There is no description at this point.

References
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2019-01-17 · Twitter (@VK_intel) · Vitali Kremez
@online{kremez:20190117:turla:1eff5e6, author = {Vitali Kremez}, title = {{Tweet on Turla Outlook Backdoor}}, date = {2019-01-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1085820673811992576}, language = {English}, urldate = {2020-01-13} } Tweet on Turla Outlook Backdoor
Outlook Backdoor
2018-08-22 · ESET Research · ESET researchers
@techreport{researchers:20180822:turla:d444ef7, author = {ESET researchers}, title = {{Turla Outlook Backdoor}}, date = {2018-08-22}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf}, language = {English}, urldate = {2019-10-18} } Turla Outlook Backdoor
Outlook Backdoor
Yara Rules
[TLP:WHITE] win_outlook_backdoor_auto (20220411 | Detects win.outlook_backdoor.)
rule win_outlook_backdoor_auto {
    // Auto-generated (yara-signator) detection rule for the Malpedia family
    // win.outlook_backdoor. Each string is a run of raw x86 opcode bytes taken
    // from disassembly; the indented comment under it is the decoded
    // instruction listing for that run. See the DISCLAIMER below for how the
    // sequences were selected and why they may generalize poorly to samples
    // other than the one(s) they were derived from.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.outlook_backdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences come from memory dumps and unpacked
    // files (see DISCLAIMER), packed or otherwise transformed on-disk samples
    // will likely not match; scan unpacked images or process memory as well.

    strings:
        // "n" in the per-sequence comments is the instruction count of that
        // run; "score" is the value yara-signator assigned when selecting it
        // (presumably a selection weight — confirm against the signator docs).
        // Byte groups written as e8???????? are call instructions whose 4-byte
        // relative displacement is wildcarded, so matching does not depend on
        // where the callee ended up in the image.
        $sequence_0 = { 83c40c 8945e8 85c0 7503 214520 837dac10 8b4598 }
            // n = 7, score = 600
            //   83c40c               | add                 esp, 0xc
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   85c0                 | test                eax, eax
            //   7503                 | jne                 5
            //   214520               | and                 dword ptr [ebp + 0x20], eax
            //   837dac10             | cmp                 dword ptr [ebp - 0x54], 0x10
            //   8b4598               | mov                 eax, dword ptr [ebp - 0x68]

        // NOTE(review): the pushed constants (0, 0x80, 2, 0, 1, 0xc0000000) look
        // like a CreateFile-style argument list — confirm. Argument pushes for
        // common Win32 calls recur in unrelated binaries, so this sequence
        // carries little family-specific weight on its own.
        $sequence_1 = { 8d4608 6a00 6880000000 6a02 6a00 6a01 68000000c0 }
            // n = 7, score = 600
            //   8d4608               | lea                 eax, dword ptr [esi + 8]
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68000000c0           | push                0xc0000000

        $sequence_2 = { 8b4704 894004 83670800 3b5f04 741c 55 56 }
            // n = 7, score = 600
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   894004               | mov                 dword ptr [eax + 4], eax
            //   83670800             | and                 dword ptr [edi + 8], 0
            //   3b5f04               | cmp                 ebx, dword ptr [edi + 4]
            //   741c                 | je                  0x1e
            //   55                   | push                ebp
            //   56                   | push                esi

        $sequence_3 = { ff7528 ff75dc ff7524 50 8b4514 e8???????? 8b08 }
            // n = 7, score = 600
            //   ff7528               | push                dword ptr [ebp + 0x28]
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff7524               | push                dword ptr [ebp + 0x24]
            //   50                   | push                eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_4 = { 53 ff7004 ff30 53 51 ff5214 8bf0 }
            // n = 7, score = 600
            //   53                   | push                ebx
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   ff5214               | call                dword ptr [edx + 0x14]
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 6a00 8d45d0 e8???????? eb16 8b75ec 6aff 6a00 }
            // n = 7, score = 600
            //   6a00                 | push                0
            //   8d45d0               | lea                 eax, dword ptr [ebp - 0x30]
            //   e8????????           |                     
            //   eb16                 | jmp                 0x18
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   6aff                 | push                -1
            //   6a00                 | push                0

        $sequence_6 = { 83ec2c 56 57 ff750c 8d7308 ff7508 8b06 }
            // n = 7, score = 600
            //   83ec2c               | sub                 esp, 0x2c
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d7308               | lea                 esi, dword ptr [ebx + 8]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b06                 | mov                 eax, dword ptr [esi]

        // Function epilogue (add esp; pop edi/esi/ebx; mov esp, ebp) preceded
        // by a wildcarded call — a generic compiler pattern that is not
        // family-specific by itself; the 7-of-10 condition below is what keeps
        // such sequences from triggering the rule on their own.
        $sequence_7 = { e8???????? 8b4508 83c428 5f 5e 5b 8be5 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c428               | add                 esp, 0x28
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_8 = { 59 8945ec 8365fc00 33db 43 85c0 7424 }
            // n = 7, score = 600
            //   59                   | pop                 ecx
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   33db                 | xor                 ebx, ebx
            //   43                   | inc                 ebx
            //   85c0                 | test                eax, eax
            //   7424                 | je                  0x26

        $sequence_9 = { 89442410 7e70 0fb640ff 8b17 50 8bcf }
            // n = 6, score = 600
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   7e70                 | jle                 0x72
            //   0fb640ff             | movzx               eax, byte ptr [eax - 1]
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object
        // must be smaller than 2912256 bytes (about 2.78 MiB); larger inputs
        // are rejected regardless of which strings they contain.
        7 of them and filesize < 2912256
}