win.photofork

PHOTOFORK


PHOTOFORK is a downloader derived from GZIPLOADER. It was first observed in February 2023 and was distributed by TA581 as well as by an unattributed threat activity cluster that facilitated initial access. Unlike GZIPLOADER, PHOTOFORK no longer encrypts its configuration with a simple XOR against a 64-byte key; instead it reuses a custom algorithm previously seen in the Standard IcedID core loader. The same algorithm also decrypts the DLL name strings that are later used to resolve handles to the required DLLs: the data is split into DWORDs and each DWORD is XORed against a random key. PHOTOFORK's objective is unchanged from GZIPLOADER: it delivers an encrypted bot together with a core DLL loader (the "Forked" loader), which loads the Forked IcedID bot into memory using a custom PE format.

References
2023-03-27 | Proofpoint | Joe Wise, Kelsey Merriman, Pim Trouerbach
Fork in the Ice: The New Era of IcedID
IcedID PHOTOFORK PHOTOLITE PhotoLoader
Yara Rules
[TLP:WHITE] win_photofork_auto (20230808 | Detects win.photofork.)
rule win_photofork_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.photofork."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photofork"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * Every byte sequence below was picked automatically by YARA-Signator from
     * the disassembly of memory dumps and unpacked files (code published at
     * https://github.com/fxb-cocacoding/yara-signator). Because Malpedia is the
     * data source, some families are represented by a single sample, which
     * limits how well these patterns generalize. Keep the generation method in
     * mind when deploying this rule and when assigning it a confidence level.
     *
     * Practitioner notes (review):
     *  - All sequences carry x64 REX prefixes (44/48/49/4c/4d), so the rule
     *    targets the 64-bit unpacked code; it will not match packed droppers.
     *  - "????????" wildcards stand for rel32 / RIP-relative operands, which
     *    change with every build and relocation.
     *  - The operand comments were re-derived from the bytes as x64; the
     *    autogenerated comments in earlier revisions did not match the bytes.
     */


    strings:
        $seq_0 = { 33c9 4c8d85f0010000 ff15???????? 33db }
            // n = 4, score = 400
            //   33c9                 | xor                 ecx, ecx
            //   4c8d85f0010000       | lea                 r8, [rbp + 0x1f0]
            //   ff15????????         | call                qword ptr [rip + rel32]
            //   33db                 | xor                 ebx, ebx

        $seq_1 = { 4885d2 7431 488b9278010000 4885d2 753a ba01000000 33c9 }
            // n = 7, score = 400
            //   4885d2               | test                rdx, rdx
            //   7431                 | je                  +0x31
            //   488b9278010000       | mov                 rdx, qword ptr [rdx + 0x178]
            //   4885d2               | test                rdx, rdx
            //   753a                 | jne                 +0x3a
            //   ba01000000           | mov                 edx, 1
            //   33c9                 | xor                 ecx, ecx

        $seq_2 = { 4d85c9 7535 8d5301 33c9 }
            // n = 4, score = 400
            //   4d85c9               | test                r9, r9
            //   7535                 | jne                 +0x35
            //   8d5301               | lea                 edx, [rbx + 1]
            //   33c9                 | xor                 ecx, ecx

        $seq_3 = { ff15???????? 4863c8 48ffc6 4803f9 493bf7 0f825fffffff }
            // n = 6, score = 400
            //   ff15????????         | call                qword ptr [rip + rel32]
            //   4863c8               | movsxd              rcx, eax
            //   48ffc6               | inc                 rsi
            //   4803f9               | add                 rdi, rcx
            //   493bf7               | cmp                 rsi, r15
            //   0f825fffffff         | jb                  -0xa1   (backward jump: loop back-edge)

        $seq_4 = { 4c8b0d???????? 4d85c9 7430 4d8b8910110000 4d85c9 }
            // n = 5, score = 400
            //   4c8b0d????????       | mov                 r9, qword ptr [rip + rel32]
            //   4d85c9               | test                r9, r9
            //   7430                 | je                  +0x30
            //   4d8b8910110000       | mov                 r9, qword ptr [r9 + 0x1110]
            //   4d85c9               | test                r9, r9

        $seq_5 = { 488d55e8 498bcc e8???????? 4c8bbc2498000000 }
            // n = 4, score = 400
            //   488d55e8             | lea                 rdx, [rbp - 0x18]
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                rel32
            //   4c8bbc2498000000     | mov                 r15, qword ptr [rsp + 0x98]

        $seq_6 = { 5e 5d c3 498bdf 6690 80bbc001000030 }
            // n = 6, score = 400
            //   5e                   | pop                 rsi
            //   5d                   | pop                 rbp
            //   c3                   | ret
            //   498bdf               | mov                 rbx, r15
            //   6690                 | nop                 (2-byte form, alignment padding)
            //   80bbc001000030       | cmp                 byte ptr [rbx + 0x1c0], 0x30

        $seq_7 = { 48ffc1 4883f903 72ea 448b4df8 488d0c7e }
            // n = 5, score = 400
            //   48ffc1               | inc                 rcx
            //   4883f903             | cmp                 rcx, 3
            //   72ea                 | jb                  -0x16   (backward jump: loop back-edge)
            //   448b4df8             | mov                 r9d, dword ptr [rbp - 8]
            //   488d0c7e             | lea                 rcx, [rsi + rdi*2]

        $seq_8 = { 488bd0 488b05???????? 48899040060000 488d4dc0 ffd2 66837dc009 b840000000 }
            // n = 7, score = 400
            //   488bd0               | mov                 rdx, rax
            //   488b05????????       | mov                 rax, qword ptr [rip + rel32]
            //   48899040060000       | mov                 qword ptr [rax + 0x640], rdx
            //   488d4dc0             | lea                 rcx, [rbp - 0x40]
            //   ffd2                 | call                rdx
            //   66837dc009           | cmp                 word ptr [rbp - 0x40], 9
            //   b840000000           | mov                 eax, 0x40

        $seq_9 = { 8b44246c 0fb6442468 84c0 7520 }
            // n = 4, score = 400
            //   8b44246c             | mov                 eax, dword ptr [rsp + 0x6c]
            //   0fb6442468           | movzx               eax, byte ptr [rsp + 0x68]
            //   84c0                 | test                al, al
            //   7520                 | jne                 +0x20

    condition:
        // At least 7 of the 10 sequences must be present. 97KB == 99328 bytes.
        // NOTE(review): filesize is undefined when scanning process memory, so
        // this clause restricts the rule to on-disk files / dumps -- confirm
        // against your YARA version before relying on it for memory scans.
        7 of ($seq_*) and filesize < 97KB
}