win.reedbed

ReedBed

Actor(s): MALLARD SPIDER, UNC4393


ReedBed, identified as a malware proxy backdoor, is suspected to have been developed by the QAKBOT developers and was deployed by the threat actor Storm-1811 in campaigns observed during late October and early November 2024. These campaigns typically begin with email bombing (mass email distribution to the target), followed by social engineering in which the actor impersonates help desk personnel to gain access to victim systems.

Upon execution, ReedBed ensures single-instance operation via the mutex "JhishdiI2Uhsvoc94keiojn7ns19m0do" and hooks critical system APIs (NtCreateUserProcess, RtlExitUserProcess) for defense evasion, process interference, and anti-termination. It reads its Command and Control (C2) configuration, typically from the "Software\TitanPlus" registry key, establishes a persistent SSL/TLS-encrypted connection to the C2, and transmits an initial system information beacon. Subsequently, ReedBed enters its main operational loop, acting as a versatile network proxy driven by C2 commands: it initiates outgoing TCP connections, relays data bi-directionally, and establishes reverse SOCKS5 (with authentication) or direct TCP port mapping services via locally opened listening ports. If commanded, or upon connection failure, it transitions into a restart/wait cycle guided by registry values, leveraging its hooked exit function to hinder termination before attempting to reconnect to the C2.
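As an added, defender-side example that is not part of the Malpedia entry, the following PowerShell triage script checks a Windows host for the mutex and registry key named above and lists local TCP listeners with their owning process. The page gives only the mutex string and the key name; the hives searched (HKLM plus every loaded user hive), the Global\ mutex namespace and the function names are assumptions.

```powershell
# Added example (not Malpedia code): triage a Windows host for the ReedBed
# indicators named above. Hive and mutex namespace are assumptions.
$ReedBedMutex = 'JhishdiI2Uhsvoc94keiojn7ns19m0do'
$ReedBedKey   = 'Software\TitanPlus'

function Test-ReedBedMutex {
    # $true when a process on this host currently holds the mutex; both the
    # session-local and the Global\ namespace are tried (assumption).
    foreach ($name in @($ReedBedMutex, "Global\$ReedBedMutex")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            return $true
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present under this name, try the next namespace
        } catch [System.UnauthorizedAccessException] {
            return $true   # exists but cannot be opened from here: still present
        }
    }
    return $false
}

function Get-ReedBedRegistryConfig {
    # Software\TitanPlus under HKLM and every loaded user hive (HKCU alone would
    # miss other logged-on users); per the description its values hold the C2
    # configuration and the restart/wait parameters.
    $paths = @("Registry::HKEY_LOCAL_MACHINE\$ReedBedKey")
    $paths += Get-ChildItem -Path 'Registry::HKEY_USERS' |
              ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$ReedBedKey" }
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        foreach ($n in $key.GetValueNames()) {
            [pscustomobject]@{ Path = $p; Name = $n; Value = $key.GetValue($n) }
        }
    }
}

function Get-ListeningPortsByProcess {
    # Local TCP listeners with owning process: ReedBed opens such ports for its
    # reverse SOCKS5 / port-mapping services, so unexpected entries need a look.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess
                           Process = $proc.ProcessName; Path = $proc.Path }
    }
}

[pscustomobject]@{ MutexPresent = Test-ReedBedMutex; RegistryConfig = @(Get-ReedBedRegistryConfig); Listeners = @(Get-ListeningPortsByProcess) }
```

Run from an elevated session so that all user hives and process paths are readable; a present mutex or a populated TitanPlus key is a strong signal, while the listener list is context to be reviewed rather than an indicator on its own.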

References
Date | Source | Author(s) | Title | Tags
2025-03-10 | LevelBlue | Ken Ng | Prevent, Detect, Contain: LevelBlue MDR’s Guide Against Black Basta Affiliates’ Attacks | Black Basta, ReedBed
2025-03-03 | Trend Micro | Adam O'Connor, Catherine Loveria, Gabriel Cardoso, Ian Kenefick, Jack Walsh, Jovit Samaniego, Lucas Silva, Stephen Carbery | Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal | Black Basta, Cactus, ReedBed
2025-02-20 | Reliaquest | John Dilgen | 48 Minutes: How Fast Phishing Attacks Exploit Weaknesses | ReedBed
2025-01-31 | ConnectWise | Blake Eakin | Attackers Leveraging Microsoft Teams Defaults and Quick Assist for Social Engineering Attacks | Black Basta, ReedBed
2025-01-30 | eSentire | eSentire | Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation | Black Basta, ReedBed, UNC4393
2025-01-25 | Sophos | Anthony Bradshaw, Colin Cowie, Daniel Souter, Hunter Neal, Mark Parsons, Sean Baird, Sean Gallagher | Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” | ReedBed, STAC5143, UNC4393
2025-01-23 | Github (PaloAltoNetworks) | Brad Duncan | Cluster of Infrastructure likely used by Affiliate of Dark Scorpius (Black Basta) | ReedBed
2025-01-21 | Twitter (@MsftSecIntel) | Microsoft Threat Intelligence | Twitter Thread describing spotting of ReedBed in a Storm-1811 campaign | ReedBed, UNC4393
2025-01-20 | Medium walmartglobaltech | Jason Reaves, Jonathan Mccay, Joshua Platt | Qbot is Back.Connect | ReedBed, UNC4393
Yara Rules
[TLP:WHITE] win_reedbed_auto (20251219 | Detects win.reedbed.)
rule win_reedbed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.reedbed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c9 e8???????? 488b0d???????? 488981c2140000 }
            // n = 4, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   488981c2140000       | dec                 eax

        $sequence_1 = { 33c9 ff15???????? 85c0 751e }
            // n = 4, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751e                 | jne                 0x20

        $sequence_2 = { 4885c9 7405 e8???????? 33c0 0f57c0 }
            // n = 5, score = 200
            //   4885c9               | dec                 eax
            //   7405                 | add                 ecx, 0x3f
            //   e8????????           |                     
            //   33c0                 | dec                 eax
            //   0f57c0               | cmp                 ecx, edi

        $sequence_3 = { eb19 488d15e3d10100 eb10 488d15cad10100 eb07 488d15b5d10100 4533c0 }
            // n = 7, score = 200
            //   eb19                 | jl                  0xfffffff0
            //   488d15e3d10100       | xor                 ecx, ecx
            //   eb10                 | dec                 eax
            //   488d15cad10100       | test                ecx, ecx
            //   eb07                 | je                  0xa
            //   488d15b5d10100       | xor                 eax, eax
            //   4533c0               | xorps               xmm0, xmm0

        $sequence_4 = { 4c8d0d44e50000 b919000000 4c8d0534e50000 488d1531e50000 e8???????? }
            // n = 5, score = 200
            //   4c8d0d44e50000       | xor                 eax, eax
            //   b919000000           | and                 dword ptr [esp + 0x40], 0
            //   4c8d0534e50000       | dec                 esp
            //   488d1531e50000       | lea                 ecx, [esp + 0x40]
            //   e8????????           |                     

        $sequence_5 = { 488bd8 4885c0 7431 488bc8 ff15???????? 83f8ff }
            // n = 6, score = 200
            //   488bd8               | lea                 edx, [0x1d1ca]
            //   4885c0               | jmp                 0x12
            //   7431                 | dec                 eax
            //   488bc8               | lea                 edx, [0x1d1b5]
            //   ff15????????         |                     
            //   83f8ff               | inc                 ebp

        $sequence_6 = { 8364244000 4c8d4c2440 baffff0000 c744242004000000 41b801000000 }
            // n = 5, score = 200
            //   8364244000           | jmp                 0x1b
            //   4c8d4c2440           | dec                 eax
            //   baffff0000           | lea                 edx, [0x1d1e3]
            //   c744242004000000     | jmp                 0x12
            //   41b801000000         | dec                 eax

        $sequence_7 = { 488b83a6140000 4c8974080e 4883c13f 483bcf 7ceb e8???????? 33c9 }
            // n = 7, score = 200
            //   488b83a6140000       | dec                 eax
            //   4c8974080e           | mov                 dword ptr [ecx + 0x14c2], eax
            //   4883c13f             | dec                 eax
            //   483bcf               | mov                 eax, dword ptr [ebx + 0x14a6]
            //   7ceb                 | dec                 esp
            //   e8????????           |                     
            //   33c9                 | mov                 dword ptr [eax + ecx + 0xe], esi

        $sequence_8 = { c7450400000000 c7452400000000 488b8548010000 83780a00 }
            // n = 4, score = 100
            //   c7450400000000       | xor                 ecx, ecx
            //   c7452400000000       | mov                 dword ptr [ebp + 4], 0
            //   488b8548010000       | cmp                 dword ptr [ebp + 0x108], 0
            //   83780a00             | jne                 0x17

        $sequence_9 = { c7450400000000 c7452400000000 488b85a0010000 4883b8a614000000 }
            // n = 4, score = 100
            //   c7450400000000       | mov                 ecx, dword ptr [ebp + 0x100]
            //   c7452400000000       | mov                 dword ptr [ebp + 4], 0
            //   488b85a0010000       | mov                 edx, 1
            //   4883b8a614000000     | mov                 ecx, 0x3f0000

        $sequence_10 = { c7450400000000 83bd0801000000 7515 488d15ce130f00 }
            // n = 4, score = 100
            //   c7450400000000       | dec                 esp
            //   83bd0801000000       | lea                 ecx, [0xe544]
            //   7515                 | mov                 ecx, 0x19
            //   488d15ce130f00       | dec                 esp

        $sequence_11 = { c7450400000000 ba01000000 b900003f00 e8???????? }
            // n = 4, score = 100
            //   c7450400000000       | mov                 dword ptr [ebp + 4], 0
            //   ba01000000           | cmp                 dword ptr [ebp + 4], 0
            //   b900003f00           | jne                 0x36
            //   e8????????           |                     

        $sequence_12 = { c7450400000000 c7452400000000 488b8540010000 8b808c140000 }
            // n = 4, score = 100
            //   c7450400000000       | cmp                 dword ptr [eax], 0
            //   c7452400000000       | je                  0x4e
            //   488b8540010000       | mov                 dword ptr [ebp + 4], 0
            //   8b808c140000         | cmp                 dword ptr [ebp + 4], 0

        $sequence_13 = { c7450400000000 837d0400 7534 488b8580010000 }
            // n = 4, score = 100
            //   c7450400000000       | dec                 eax
            //   837d0400             | lea                 edx, [0x1d1ca]
            //   7534                 | jmp                 9
            //   488b8580010000       | dec                 eax

    condition:
        7 of them and filesize < 3760128
}
[TLP:WHITE] win_reedbed_w0 (20250218 | detects the loader for reedbed)
rule win_reedbed_w0 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/ReedBed.B!ldr"
        threat_id = "2147927915"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ReedBed"
        description = "detects the loader for reedbed"
        severity = "Critical"
        info = "ldr: loader component of a malware"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250218"
        malpedia_hash = ""
        malpedia_version = "20250218"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_1_1 = {4c 8b 71 30 41 bf 01 00 00 ?? 4c 23 f0 48 03 d9 45 2b e7 44 8b 5b 20 41 f7 d4 4c 8d 43 18 4d 0b de 48 8b f2}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
[TLP:WHITE] win_reedbed_w1 (20250218 | detects the reedbed payload)
rule win_reedbed_w1 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/ReedBed.A"
        threat_id = "2147927914"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ReedBed"
        description = "detects the reedbed payload"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250218"
        malpedia_hash = ""
        malpedia_version = "20250218"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_1_1 = "HookNtCreateUserProcess(): ok!" ascii //weight: 1
        $x_1_2 = "HookRtlExitUserProcess(): RtlExitUserProcess not found hNtdll=%#p" ascii //weight: 1
        $x_1_3 = "\\bc_ssl_client." ascii //weight: 1
        $x_1_4 = "send_pipe_ssl(): SSL_write(): SSL_ERROR_WANT_WRITE" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}
[TLP:WHITE] win_reedbed_w2 (20250411 | No description)
rule win_reedbed_w2 {
    meta:
        author = "defender2yara"
        detection_name = "Trojan:Win64/Sidlodll.DB!MTB"
        threat_id = "2147926705"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Sidlodll"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "24"
        strings_accuracy = "High"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x_10_1 = "RunShellcodeProc()" ascii //weight: 10
        $x_10_2 = "ReadPayloadFromDisc()" ascii //weight: 10
        $x_1_3 = "logger_init()" ascii //weight: 1
        $x_1_4 = "Client hook" ascii //weight: 1
        $x_1_5 = "c:\\debug_log\\" ascii //weight: 1
        $x_1_6 = "rc4Key" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}