win.pinchduke

PinchDuke

Actor(s): APT29


According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential-stealing functionality is based on the source code of the Pinch credential-stealing malware (also known as LdPinch), which was developed in the early 2000s and has later been openly distributed on underground forums.

References
2015-09 | F-Secure | F-Secure Labs
@techreport{labs:201509:dukes:035f864, author = {F-Secure Labs}, title = {{The Dukes - 7 Years of Russian Cyberespionage}}, date = {2015-09}, institution = {F-Secure}, url = {https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf}, language = {English}, urldate = {2022-10-20} } The Dukes - 7 Years of Russian Cyberespionage
PinchDuke
Yara Rules
[TLP:WHITE] win_pinchduke_auto (20230715 | Detects win.pinchduke.)
rule win_pinchduke_auto {
    // Auto-generated code-sequence signature for win.pinchduke (PinchDuke, APT29).
    // Each $sequence_N string below is a short run of x86 instruction bytes lifted
    // from disassembly by YARA-Signator; the rule fires when at least 7 of the 10
    // sequences are present in a file smaller than the filesize cap in `condition`.
    // The patterns are ordinary push/mov/call fragments, so treat a hit as one
    // signal to be corroborated (e.g. with network or behavioural indicators),
    // not as proof on its own -- see the DISCLAIMER block below.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pinchduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator features used to pick the sequences (call/jump sites, data references, byte values).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke"
        malpedia_rule_date = "20230705"
        // NOTE(review): hash as published with the rule; whether it identifies the
        // reference sample or the rule-set revision is not stated here -- verify on Malpedia.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Notation for every sequence: each "??" is a one-byte wildcard; the
        // generator masks the operand bytes of call/push/mov-immediate
        // instructions whose addresses are not stable, and leaves the
        // disassembly column blank for those instructions. "n" is the number
        // of instructions in the sequence; "score" is the generator's own
        // ranking value (its scale is not documented on this page).
        $sequence_0 = { 57 89442418 ffd3 6825050000 e8???????? }
            // n = 5, score = 100
            //   57                   | push                edi
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   ffd3                 | call                ebx
            //   6825050000           | push                0x525
            //   e8????????           |                     

        $sequence_1 = { 68???????? e8???????? 8b7d08 8bcf e8???????? 8d45e8 50 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax

        $sequence_2 = { 53 56 57 7420 8b7c2414 8a1f 84db }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   7420                 | je                  0x22
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]
            //   8a1f                 | mov                 bl, byte ptr [edi]
            //   84db                 | test                bl, bl

        $sequence_3 = { 7d4f 53 57 bf???????? 50 8bcf e8???????? }
            // n = 7, score = 100
            //   7d4f                 | jge                 0x51
            //   53                   | push                ebx
            //   57                   | push                edi
            //   bf????????           |                     
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_4 = { 8b5510 c1e004 03c6 8d4dd0 e8???????? 5f 5e }
            // n = 7, score = 100
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   c1e004               | shl                 eax, 4
            //   03c6                 | add                 eax, esi
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_5 = { 8bf0 0fb745f4 50 0fb745f2 50 0fb745f0 50 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   0fb745f4             | movzx               eax, word ptr [ebp - 0xc]
            //   50                   | push                eax
            //   0fb745f2             | movzx               eax, word ptr [ebp - 0xe]
            //   50                   | push                eax
            //   0fb745f0             | movzx               eax, word ptr [ebp - 0x10]
            //   50                   | push                eax

        $sequence_6 = { 85c0 59 75eb 8b450c 53 e8???????? 59 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   75eb                 | jne                 0xffffffed
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_7 = { 03d1 33c0 390424 b05c 7403 f366ab 59 }
            // n = 7, score = 100
            //   03d1                 | add                 edx, ecx
            //   33c0                 | xor                 eax, eax
            //   390424               | cmp                 dword ptr [esp], eax
            //   b05c                 | mov                 al, 0x5c
            //   7403                 | je                  5
            //   f366ab               | rep stosw           word ptr es:[edi], ax
            //   59                   | pop                 ecx

        $sequence_8 = { 68???????? e8???????? 83c410 2bf0 56 68???????? e8???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   2bf0                 | sub                 esi, eax
            //   56                   | push                esi
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_9 = { 8945fc e8???????? 0fbe00 0345fc 8d4ddc d1f8 50 }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   0fbe00               | movsx               eax, byte ptr [eax]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   d1f8                 | sar                 eax, 1
            //   50                   | push                eax

    condition:
        // Require 7 of the 10 sequences, and only consider objects under
        // 223680 bytes (~218 KiB). The size cap reduces false positives on
        // large files but also means larger samples -- e.g. padded or
        // repacked builds -- will not match; lift it if that matters for
        // your scanning use case.
        7 of them and filesize < 223680
}