win.reedbed

ReedBed

Actor(s): MALLARD SPIDER, UNC4393


ReedBed is a proxy backdoor suspected to have been developed by the QAKBOT developers; it was deployed by the threat actor Storm-1811 in campaigns observed during late October and early November 2024. These campaigns typically begin with email bombing (mass email delivery to a target inbox), followed by social engineering in which the actor impersonates help desk personnel to gain access to victim systems.

Upon execution, ReedBed ensures single-instance operation via the mutex "JhishdiI2Uhsvoc94keiojn7ns19m0do" and hooks the critical system APIs NtCreateUserProcess and RtlExitUserProcess for defense evasion, process interference, and anti-termination. It reads its command-and-control (C2) configuration, typically from the registry key "Software\TitanPlus", establishes a persistent SSL/TLS-encrypted connection, and transmits an initial beacon containing system information. It then enters its main operational loop, acting as a versatile network proxy driven by C2 commands: initiating outgoing TCP connections, relaying data bidirectionally, and offering reverse SOCKS5 (with authentication) or direct TCP port-mapping services through locally opened listening ports. If commanded, or upon connection failure, it transitions into a restart/wait cycle governed by registry values, using its hooked exit function to hinder termination before attempting to reconnect to the C2.

References
2025-03-10 | LevelBlue | Ken Ng
Prevent, Detect, Contain: LevelBlue MDR’s Guide Against Black Basta Affiliates’ Attacks
Tags: Black Basta, Black Basta, ReedBed

2025-03-03 | Trend Micro | Adam O'Connor, Catherine Loveria, Gabriel Cardoso, Ian Kenefick, Jack Walsh, Jovit Samaniego, Lucas Silva, Stephen Carbery
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Tags: Black Basta, Black Basta, Cactus, ReedBed

2025-02-20 | Reliaquest | John Dilgen
48 Minutes: How Fast Phishing Attacks Exploit Weaknesses
Tags: ReedBed

2025-01-31 | ConnectWise | Blake Eakin
Attackers Leveraging Microsoft Teams Defaults and Quick Assist for Social Engineering Attacks
Tags: Black Basta, Black Basta, ReedBed

2025-01-30 | eSentire | eSentire
Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation
Tags: Black Basta, ReedBed, UNC4393

2025-01-25 | Sophos | Anthony Bradshaw, Colin Cowie, Daniel Souter, Hunter Neal, Mark Parsons, Sean Baird, Sean Gallagher
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Tags: ReedBed, STAC5143, UNC4393

2025-01-23 | Github (PaloAltoNetworks) | Brad Duncan
Cluster of Infrastructure likely used by Affiliate of Dark Scorpius (Black Basta)
Tags: ReedBed

2025-01-21 | Twitter (@MsftSecIntel) | Microsoft Threat Intelligence
Twitter Thread describing spotting of ReedBed in a Storm-1811 campaign
Tags: ReedBed, UNC4393

2025-01-20 | Medium walmartglobaltech | Jason Reaves, Jonathan Mccay, Joshua Platt
Qbot is Back.Connect
Tags: ReedBed, UNC4393
Yara Rules
[TLP:WHITE] win_reedbed_auto (20260504 | Detects win.reedbed.)
rule win_reedbed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.reedbed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c9 e8???????? 488b0d???????? 488981c2140000 }
            // n = 4, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   488981c2140000       | dec                 eax

        $sequence_1 = { 33c9 ff15???????? 85c0 751e }
            // n = 4, score = 300
            //   33c9                 | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [ecx + 0x14c2], eax
            //   751e                 | xor                 ecx, ecx

        $sequence_2 = { 453b03 7519 41833b40 7313 }
            // n = 4, score = 200
            //   453b03               | je                  0x18
            //   7519                 | inc                 ecx
            //   41833b40             | mov                 al, byte ptr [ecx]
            //   7313                 | inc                 ecx

        $sequence_3 = { 4181ba9814000000000200 7347 4533c0 443b06 7316 418b490e }
            // n = 6, score = 200
            //   4181ba9814000000000200     | or    dword ptr [eax + 0x21], 0x204
            //   7347                 | dec                 eax
            //   4533c0               | test                eax, eax
            //   443b06               | je                  0x2a
            //   7316                 | mov                 byte ptr [eax], 0
            //   418b490e             | dec                 eax

        $sequence_4 = { 4885c0 75e9 8d4f01 4803c9 e8???????? 488bf8 }
            // n = 6, score = 200
            //   4885c0               | mov                 dword ptr [esi + 0x26], ebx
            //   75e9                 | inc                 ebp
            //   8d4f01               | xor                 eax, eax
            //   4803c9               | mov                 word ptr [esi + 0x2a], di
            //   e8????????           |                     
            //   488bf8               | dec                 eax

        $sequence_5 = { 40f6c520 7412 418a01 4181482104020000 }
            // n = 4, score = 200
            //   40f6c520             | test                eax, eax
            //   7412                 | jne                 0xffffffee
            //   418a01               | lea                 ecx, [edi + 1]
            //   4181482104020000     | dec                 eax

        $sequence_6 = { eb55 8b9d90020000 4c8d8d90020000 895e26 4533c0 66897e2a }
            // n = 6, score = 200
            //   eb55                 | test                eax, eax
            //   8b9d90020000         | jne                 0x20
            //   4c8d8d90020000       | jmp                 0x57
            //   895e26               | mov                 ebx, dword ptr [ebp + 0x290]
            //   4533c0               | dec                 esp
            //   66897e2a             | lea                 ecx, [ebp + 0x290]

        $sequence_7 = { 4885c0 7425 c60000 488d742440 eb13 }
            // n = 5, score = 200
            //   4885c0               | add                 ecx, ecx
            //   7425                 | dec                 eax
            //   c60000               | mov                 edi, eax
            //   488d742440           | inc                 eax
            //   eb13                 | test                ch, 0x20

        $sequence_8 = { 8944244c 48c744243800000000 c744243051010000 488d0546980600 4889442428 }
            // n = 5, score = 100
            //   8944244c             | mov                 al, byte ptr [ecx]
            //   48c744243800000000     | inc    ecx
            //   c744243051010000     | or                  dword ptr [eax + 0x21], 0x204
            //   488d0546980600       | dec                 eax
            //   4889442428           | test                eax, eax

        $sequence_9 = { 89442450 817c245000ca9a3b 723a 488d0514070600 }
            // n = 4, score = 100
            //   89442450             | mov                 dword ptr [esp + 0x28], eax
            //   817c245000ca9a3b     | dec                 eax
            //   723a                 | lea                 eax, [0x323ca]
            //   488d0514070600       | mov                 dword ptr [esp + 0x4c], eax

        $sequence_10 = { 89442450 837c245000 753a 488d053d0e0500 }
            // n = 4, score = 100
            //   89442450             | dec                 eax
            //   837c245000           | lea                 eax, [0x600a4]
            //   753a                 | dec                 eax
            //   488d053d0e0500       | mov                 dword ptr [esp + 0x28], eax

        $sequence_11 = { 89442450 488b442428 0fb700 488d0d10da0500 }
            // n = 4, score = 100
            //   89442450             | dec                 eax
            //   488b442428           | lea                 eax, [0x51000]
            //   0fb700               | dec                 eax
            //   488d0d10da0500       | mov                 dword ptr [esp + 0x20], eax

        $sequence_12 = { 8944244c 837c244c00 753a 488d0504c00500 }
            // n = 4, score = 100
            //   8944244c             | jae                 0x49
            //   837c244c00           | inc                 ebp
            //   753a                 | xor                 eax, eax
            //   488d0504c00500       | inc                 esp

        $sequence_13 = { 8944244c 837c244c0f 0f875e010000 8b44244c 488d0d1ba4eaff }
            // n = 5, score = 100
            //   8944244c             | dec                 eax
            //   837c244c0f           | mov                 dword ptr [esp + 0x28], eax
            //   0f875e010000         | mov                 dword ptr [esp + 0x4c], eax
            //   8b44244c             | cmp                 dword ptr [esp + 0x4c], 0
            //   488d0d1ba4eaff       | jne                 0x41

    condition:
        7 of them and filesize < 3760128
}
[TLP:WHITE] win_reedbed_w0   (20250218 | detects the loader for reedbed)
rule win_reedbed_w0 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/ReedBed.B!ldr"
        threat_id = "2147927915"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ReedBed"
        description = "detects the loader for reedbed"
        severity = "Critical"
        info = "ldr: loader component of a malware"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250218"
        malpedia_hash = ""
        malpedia_version = "20250218"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_1_1 = {4c 8b 71 30 41 bf 01 00 00 ?? 4c 23 f0 48 03 d9 45 2b e7 44 8b 5b 20 41 f7 d4 4c 8d 43 18 4d 0b de 48 8b f2}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
[TLP:WHITE] win_reedbed_w1   (20250218 | detects the reedbed payload)
rule win_reedbed_w1 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/ReedBed.A"
        threat_id = "2147927914"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ReedBed"
        description = "detects the reedbed payload"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250218"
        malpedia_hash = ""
        malpedia_version = "20250218"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_1_1 = "HookNtCreateUserProcess(): ok!" ascii //weight: 1
        $x_1_2 = "HookRtlExitUserProcess(): RtlExitUserProcess not found hNtdll=%#p" ascii //weight: 1
        $x_1_3 = "\\bc_ssl_client." ascii //weight: 1
        $x_1_4 = "send_pipe_ssl(): SSL_write(): SSL_ERROR_WANT_WRITE" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}
[TLP:WHITE] win_reedbed_w2   (20250411 | No description)
rule win_reedbed_w2 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/Sidlodll.DB!MTB"
        threat_id = "2147926705"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Sidlodll"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "24"
        strings_accuracy = "High"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_10_1 = "RunShellcodeProc()" ascii //weight: 10
        $x_10_2 = "ReadPayloadFromDisc()" ascii //weight: 10
        $x_1_3 = "logger_init()" ascii //weight: 1
        $x_1_4 = "Client hook" ascii //weight: 1
        $x_1_5 = "c:\\debug_log\\" ascii //weight: 1
        $x_1_6 = "rc4Key" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
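The three defender2yara rules above carry Microsoft's weight/threshold logic: w2's threshold of 24 is only reachable when all six strings hit (10+10+1+1+1+1), w1's threshold of 2 fires on any two of its four strings, and w0 relies on a single hex pattern with a `??` byte wildcard. The following Python is an added example, not Malpedia's, defender2yara's or the malware's code: a minimal matcher that reproduces that scoring over constructed sample buffers, so a defender can check why a partial string set does not fire.

```python
import re
from dataclasses import dataclass, field

@dataclass
class WeightedRule:
    """A defender2yara-style weighted string rule (SIGNATURE_TYPE_PEHSTR_EXT)."""
    name: str
    threshold: int                              # sum of weights needed to fire
    text: dict = field(default_factory=dict)    # ascii string -> weight
    hexpat: dict = field(default_factory=dict)  # YARA hex pattern -> weight
    max_size: int = 20 * 1024 * 1024            # the rules' "filesize < 20MB"

def hex_to_regex(pattern: str) -> re.Pattern:
    """'4c 8b ?? 30' -> bytes regex; '??' is a one-byte wildcard."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)]))
             for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def evaluate(rule: WeightedRule, data: bytes):
    """Return (fired, score, hits); the weight sum is what 'N of'/'all of' encode."""
    if len(data) >= rule.max_size:
        return False, 0, []
    hits, score = [], 0
    for s, w in rule.text.items():
        if s.encode("ascii") in data:
            hits.append(s); score += w
    for p, w in rule.hexpat.items():
        if hex_to_regex(p).search(data):
            hits.append(p); score += w
    return score >= rule.threshold, score, hits

# Strings, weights and thresholds copied from win_reedbed_w0 / w1 / w2 above.
W0 = WeightedRule("win_reedbed_w0", 1, hexpat={
    "4c 8b 71 30 41 bf 01 00 00 ?? 4c 23 f0 48 03 d9 45 2b e7 44 8b 5b 20 "
    "41 f7 d4 4c 8d 43 18 4d 0b de 48 8b f2": 1})
W1 = WeightedRule("win_reedbed_w1", 2, text={
    "HookNtCreateUserProcess(): ok!": 1,
    "HookRtlExitUserProcess(): RtlExitUserProcess not found hNtdll=%#p": 1,
    "\\bc_ssl_client.": 1,
    "send_pipe_ssl(): SSL_write(): SSL_ERROR_WANT_WRITE": 1})
W2 = WeightedRule("win_reedbed_w2", 24, text={
    "RunShellcodeProc()": 10, "ReadPayloadFromDisc()": 10, "logger_init()": 1,
    "Client hook": 1, "c:\\debug_log\\": 1, "rc4Key": 1})

# Constructed sample buffers, not real samples.
SAMPLE_PAYLOAD = b"\x00junk\x00HookNtCreateUserProcess(): ok!\x00\\bc_ssl_client.dll"
SAMPLE_LOADER = (bytes.fromhex("4c8b713041bf010000") + b"\xaa"  # 0xaa fills the ??
                 + bytes.fromhex("4c23f04803d9452be7448b5b2041f7d44c8d43184d0bde488bf2"))
SAMPLE_PARTIAL = b"RunShellcodeProc()\x00ReadPayloadFromDisc()\x00logger_init()"  # 21 < 24
```

Running `evaluate(W2, SAMPLE_PARTIAL)` returns a score of 21 and no detection, which is exactly why the YARA translation of w2 is `all of ($x*)` rather than a subset.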