win.polyglotduke (Back to overview)

PolyglotDuke

Actor(s): APT29


There is no description at this point.

References
2020-03-26 · VMWare Carbon Black · Scott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 · Secureworks · SecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17 · ESET Research · ESET Research
@online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} } Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20230407 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every $sequence_N below is an opcode sequence from x86-64 code: the
     *   leading 0x44/0x45/0x48/0x49/0x4c/0x4d bytes are REX prefixes. The
     *   per-instruction comments are therefore written as 64-bit decodes. The
     *   comments originally emitted by the generator were a 32-bit, misaligned
     *   reading of the same bytes (e.g. "dec eax" for the 0x48 REX.W prefix)
     *   and did not describe the instructions actually matched.
     * - The "????????" wildcards cover rel32 call displacements (e8) and
     *   RIP-relative disp32 operands (ff 15 = call qword ptr [rip+disp32],
     *   83 3d .. 00 = cmp dword ptr [rip+disp32], 0), which depend on the
     *   image layout and so are not stable across builds.
     * - Each sequence is only 4-7 generic instructions (register moves, tests,
     *   calls); a single hit is not meaningful on its own, which is why the
     *   condition requires 7 of the 10 strings.
     */


    strings:
        $sequence_0 = { 7404 48894310 4d85ed 7404 4c896b28 4d85f6 }
            // n = 6, score = 100  (x86-64 decode)
            //   7404                 | je                  short +4
            //   48894310             | mov                 qword ptr [rbx + 0x10], rax
            //   4d85ed               | test                r13, r13
            //   7404                 | je                  short +4
            //   4c896b28             | mov                 qword ptr [rbx + 0x28], r13
            //   4d85f6               | test                r14, r14

        $sequence_1 = { 498bd6 4889442438 e8???????? 488b542460 488b8c24c0000000 4889442468 }
            // n = 6, score = 100  (x86-64 decode)
            //   498bd6               | mov                 rdx, r14
            //   4889442438           | mov                 qword ptr [rsp + 0x38], rax
            //   e8????????           | call                <rel32>
            //   488b542460           | mov                 rdx, qword ptr [rsp + 0x60]
            //   488b8c24c0000000     | mov                 rcx, qword ptr [rsp + 0xc0]
            //   4889442468           | mov                 qword ptr [rsp + 0x68], rax

        $sequence_2 = { 8d4f01 e8???????? 488b5608 448bc7 488bc8 488bd8 }
            // n = 6, score = 100  (x86-64 decode)
            //   8d4f01               | lea                 ecx, [rdi + 1]
            //   e8????????           | call                <rel32>
            //   488b5608             | mov                 rdx, qword ptr [rsi + 8]
            //   448bc7               | mov                 r8d, edi
            //   488bc8               | mov                 rcx, rax
            //   488bd8               | mov                 rbx, rax

        $sequence_3 = { 4885c0 0f8421010000 e8???????? 488bd8 4885c0 0f8410010000 4c8bc0 }
            // n = 7, score = 100  (x86-64 decode)
            //   4885c0               | test                rax, rax
            //   0f8421010000         | je                  +0x121
            //   e8????????           | call                <rel32>
            //   488bd8               | mov                 rbx, rax
            //   4885c0               | test                rax, rax
            //   0f8410010000         | je                  +0x110
            //   4c8bc0               | mov                 r8, rax

        $sequence_4 = { 488d0ddb8f0000 ff15???????? 833d????????00 750a b901000000 e8???????? ff15???????? }
            // n = 7, score = 100  (x86-64 decode)
            //   488d0ddb8f0000       | lea                 rcx, [rip + 0x8fdb]
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   833d????????00       | cmp                 dword ptr [rip + <disp32>], 0
            //   750a                 | jne                 short +0xa
            //   b901000000           | mov                 ecx, 1
            //   e8????????           | call                <rel32>
            //   ff15????????         | call                qword ptr [rip + <disp32>]

        $sequence_5 = { e8???????? 488bcd c60000 488bf0 ff15???????? 488d0d95ff0000 4c63e8 }
            // n = 7, score = 100  (x86-64 decode)
            //   e8????????           | call                <rel32>
            //   488bcd               | mov                 rcx, rbp
            //   c60000               | mov                 byte ptr [rax], 0
            //   488bf0               | mov                 rsi, rax
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   488d0d95ff0000       | lea                 rcx, [rip + 0xff95]
            //   4c63e8               | movsxd              r13, eax

        $sequence_6 = { 4c8d8d50070000 488d0d7a020100 4533c0 33d2 ff15???????? 488d8d50070000 ff15???????? }
            // n = 7, score = 100  (x86-64 decode)
            // NOTE(review): rcx/rdx/r8/r9 are loaded and then an indirect call is
            // made, which is consistent with a four-argument Win64 API call taking
            // a stack buffer at [rbp + 0x750] -- confirm against the sample.
            //   4c8d8d50070000       | lea                 r9, [rbp + 0x750]
            //   488d0d7a020100       | lea                 rcx, [rip + 0x1027a]
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   488d8d50070000       | lea                 rcx, [rbp + 0x750]
            //   ff15????????         | call                qword ptr [rip + <disp32>]

        $sequence_7 = { e8???????? 488bcf e8???????? 894710 }
            // n = 4, score = 100  (x86-64 decode)
            //   e8????????           | call                <rel32>
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <rel32>
            //   894710               | mov                 dword ptr [rdi + 0x10], eax

        $sequence_8 = { 48897c2420 ff15???????? 4c8be0 4885c0 0f84ad010000 488d0de0dc0000 e8???????? }
            // n = 7, score = 100  (x86-64 decode)
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi
            //   ff15????????         | call                qword ptr [rip + <disp32>]
            //   4c8be0               | mov                 r12, rax
            //   4885c0               | test                rax, rax
            //   0f84ad010000         | je                  +0x1ad
            //   488d0de0dc0000       | lea                 rcx, [rip + 0xdce0]
            //   e8????????           | call                <rel32>

        $sequence_9 = { 4885c9 741c f0ff09 7517 488d057fd20000 }
            // n = 5, score = 100  (x86-64 decode)
            // NOTE(review): null-check, locked decrement, branch on zero -- looks
            // like an atomic reference-count release; likely compiler/runtime
            // boilerplate rather than family-specific code, so weight it low.
            //   4885c9               | test                rcx, rcx
            //   741c                 | je                  short +0x1c
            //   f0ff09               | lock dec            dword ptr [rcx]
            //   7517                 | jne                 short +0x17
            //   488d057fd20000       | lea                 rax, [rip + 0xd27f]

    // filesize is the size of the object being scanned. The upper bound
    // (presumably derived from the reference sample) excludes larger files
    // and most process-memory regions, so relax or drop it for memory scans;
    // the 7-of-10 threshold is what carries the detection.
    condition:
        7 of them and filesize < 222784
}