win.saitama

Saitama Backdoor

aka: AMATIAS, Saitama

Actor(s): OilRig


This backdoor, written in .NET, abuses the DNS protocol for its C2 communication. It also uses other techniques (e.g. long random sleeps, compression) to make itself stealthier.

References
2023-02-02 | Trend Micro | Mohamed Fahmy, Sherif Magdy, Mahmoud Zohdy
New APT34 Malware Targets The Middle East
https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
BibTeX: @online{fahmy:20230202:new:7d997ea, author = {Mohamed Fahmy and Sherif Magdy and Mahmoud Zohdy}, title = {{New APT34 Malware Targets The Middle East}}, date = {2023-02-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html}, language = {English}, urldate = {2023-02-03} }
Related families: Karkoff, RedCap, Saitama Backdoor

2022-06-24 | XJunior | Mohamed Ashraf
APT34 - Saitama Agent
https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html
BibTeX: @online{ashraf:20220624:apt34:92c90d5, author = {Mohamed Ashraf}, title = {{APT34 - Saitama Agent}}, date = {2022-06-24}, organization = {XJunior}, url = {https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html}, language = {English}, urldate = {2022-07-01} }
Related families: Saitama Backdoor

2022-06-13 | SANS ISC | Renato Marinho
Translating Saitama's DNS tunneling messages
https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738
BibTeX: @online{marinho:20220613:translating:633e46a, author = {Renato Marinho}, title = {{Translating Saitama's DNS tunneling messages}}, date = {2022-06-13}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738}, language = {English}, urldate = {2022-06-16} }
Related families: Saitama Backdoor

2022-05-11 | Fortinet | Fred Gutierrez
Please Confirm You Received Our APT
https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt
BibTeX: @online{gutierrez:20220511:please:f67f45c, author = {Fred Gutierrez}, title = {{Please Confirm You Received Our APT}}, date = {2022-05-11}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt}, language = {English}, urldate = {2022-05-17} }
Related families: Saitama Backdoor

2022-05-10 | Malwarebytes Labs | Threat Intelligence Team
APT34 targets Jordan Government using new Saitama backdoor
https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/
BibTeX: @online{team:20220510:apt34:b733b84, author = {Threat Intelligence Team}, title = {{APT34 targets Jordan Government using new Saitama backdoor}}, date = {2022-05-10}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/}, language = {English}, urldate = {2022-05-13} }
Related families: Saitama Backdoor

There is no YARA signature yet.