win.outlook_backdoor

Outlook Backdoor

aka: FACADE

Actor(s): Turla Group


There is no description at this point.

References
2020-03-04 CrowdStrike CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-01-17 Twitter (@VK_intel) Vitali Kremez
@online{kremez:20190117:turla:1eff5e6, author = {Vitali Kremez}, title = {{Tweet on Turla Outlook Backdoor}}, date = {2019-01-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1085820673811992576}, language = {English}, urldate = {2020-01-13} } Tweet on Turla Outlook Backdoor
Outlook Backdoor
2018-08-22 ESET Research ESET researchers
@techreport{researchers:20180822:turla:d444ef7, author = {ESET researchers}, title = {{Turla Outlook Backdoor}}, date = {2018-08-22}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf}, language = {English}, urldate = {2019-10-18} } Turla Outlook Backdoor
Outlook Backdoor
Yara Rules
[TLP:WHITE] win_outlook_backdoor_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_outlook_backdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reader notes (review)
     * - Each $sequence_N below is a short run of 32-bit x86 opcode bytes
     *   (the annotated decodings use eax/ebp/esp and friends) lifted from the
     *   disassembly of unpacked / memory-dumped samples, as the disclaimer
     *   above states. The indented "//" lines under each string are the
     *   generator's decoding of those bytes and are informational only.
     * - Bytes written as "??" are wildcards. They sit exactly where the
     *   generator left the decoding column blank, i.e. on the call/jump
     *   opcodes (e8, e9, ff15) whose 4-byte target operands vary between
     *   builds and load addresses; masking them is presumably what keeps a
     *   sequence portable across samples (cf. "callsandjumps" in tool_config).
     * - In the generated comments, "n" matches the number of instructions
     *   in the sequence and "score" is a generator-assigned ranking; neither
     *   value takes part in matching.
     */

    strings:
        $sequence_0 = { 50 8d45cc 50 8b4514 e8???????? 8b08 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_1 = { 56 e8???????? 84c0 7509 e8???????? 32c0 eb53 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7509                 | jne                 0xb
            //   e8????????           |                     
            //   32c0                 | xor                 al, al
            //   eb53                 | jmp                 0x55

        $sequence_2 = { 8b4004 50 33ff 51 89452c 897b18 e8???????? }
            // n = 7, score = 400
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   50                   | push                eax
            //   33ff                 | xor                 edi, edi
            //   51                   | push                ecx
            //   89452c               | mov                 dword ptr [ebp + 0x2c], eax
            //   897b18               | mov                 dword ptr [ebx + 0x18], edi
            //   e8????????           |                     

        $sequence_3 = { 50 e8???????? 837c244c08 8b442438 7304 8d442438 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   837c244c08           | cmp                 dword ptr [esp + 0x4c], 8
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   7304                 | jae                 6
            //   8d442438             | lea                 eax, [esp + 0x38]

        $sequence_4 = { 33c9 890b 394d0c 7415 8b4304 8b10 53 }
            // n = 7, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   890b                 | mov                 dword ptr [ebx], ecx
            //   394d0c               | cmp                 dword ptr [ebp + 0xc], ecx
            //   7415                 | je                  0x17
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   53                   | push                ebx

        $sequence_5 = { 83630400 8d4f0c 51 6800000080 c645fc02 8b06 56 }
            // n = 7, score = 400
            //   83630400             | and                 dword ptr [ebx + 4], 0
            //   8d4f0c               | lea                 ecx, [edi + 0xc]
            //   51                   | push                ecx
            //   6800000080           | push                0x80000000
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   56                   | push                esi

        $sequence_6 = { ff5110 8bf0 e8???????? 8d45c0 e8???????? 50 }
            // n = 6, score = 400
            //   ff5110               | call                dword ptr [ecx + 0x10]
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_7 = { 81eca0000000 57 8d442420 50 8bf9 e8???????? ff7508 }
            // n = 7, score = 400
            //   81eca0000000         | sub                 esp, 0xa0
            //   57                   | push                edi
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   50                   | push                eax
            //   8bf9                 | mov                 edi, ecx
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_8 = { 8b4d08 8bf7 e8???????? 33c0 895c242c 3bfb 742a }
            // n = 7, score = 400
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8bf7                 | mov                 esi, edi
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   895c242c             | mov                 dword ptr [esp + 0x2c], ebx
            //   3bfb                 | cmp                 edi, ebx
            //   742a                 | je                  0x2c

        $sequence_9 = { e9???????? 8d4de8 51 50 ff15???????? 8d45d8 50 }
            // n = 7, score = 400
            //   e9????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax

    condition:
        // Match on a majority (7 of the 10 sequences) rather than all of them,
        // so a few sequences being absent or recompiled does not lose the hit.
        // NOTE(review): the sequences come from unpacked / memory-dumped code
        // (see disclaimer), so packed on-disk samples may only match after
        // unpacking or in memory.
        // NOTE(review): `filesize` is defined for file scans; confirm how this
        // term evaluates for process-memory scans before relying on the rule
        // in that mode.
        7 of them and filesize < 2912256
}