SYMBOLCOMMON_NAMEaka. SYNONYMS
win.seduploader (Back to overview)

Seduploader

aka: jhuhugit, jkeyskw, downrage, carberplike, GAMEFISH

Actor(s): Sofacy


simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key

References
2020SecureworksSecureWorks
@online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2019-04-18YoroiZLAB-Yoroi
@online{zlabyoroi:20190418:apt28:709f72a, author = {ZLAB-Yoroi}, title = {{APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)}}, date = {2019-04-18}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/}, language = {English}, urldate = {2022-03-14} } APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)
Seduploader
2018-12-21Emanuele De Lucia
@online{lucia:20181221:apt28:466f390, author = {Emanuele De Lucia}, title = {{APT28 / Sofacy – SedUploader under the Christmas tree}}, date = {2018-12-21}, url = {https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/}, language = {English}, urldate = {2020-03-30} } APT28 / Sofacy – SedUploader under the Christmas tree
Seduploader
2018-10-04SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy APT28
2018-02-20Kaspersky LabsGReAT
@online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2022-03-14} } A Slice of 2017 Sofacy Activity
Seduploader APT28
2017-12-21ESET ResearchESET Research
@online{research:20171221:sednit:630ff7c, author = {ESET Research}, title = {{Sednit update: How Fancy Bear Spent the Year}}, date = {2017-12-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/}, language = {English}, urldate = {2019-11-14} } Sednit update: How Fancy Bear Spent the Year
Seduploader X-Agent
2017-10-22CiscoWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20171022:cyber:b26ac86, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{“Cyber Conflict” Decoy Document Used In Real Cyber Conflict}}, date = {2017-10-22}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html}, language = {English}, urldate = {2020-01-07} } “Cyber Conflict” Decoy Document Used In Real Cyber Conflict
Seduploader
2017-10-19ProofpointKafeine, Pierre T
@online{kafeine:20171019:apt28:927b889, author = {Kafeine and Pierre T}, title = {{APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed}}, date = {2017-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed}, language = {English}, urldate = {2019-12-20} } APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed
Seduploader
2017-08-13Adam Chester
@online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } Analysis of APT28 hospitality malware (Part 2)
Seduploader
2017-08-11FireEyeLindsay Smith, Ben Read
@online{smith:20170811:apt28:a39510a, author = {Lindsay Smith and Ben Read}, title = {{APT28 Targets Hospitality Sector, Presents Threat to Travelers}}, date = {2017-08-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html}, language = {English}, urldate = {2019-12-20} } APT28 Targets Hospitality Sector, Presents Threat to Travelers
Seduploader
2017-05-09ESET ResearchESET Research
@online{research:20170509:sednit:dde92c1, author = {ESET Research}, title = {{Sednit adds two zero‑day exploits using ‘Trump’s attack on Syria’ as a decoy}}, date = {2017-05-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/}, language = {English}, urldate = {2019-12-20} } Sednit adds two zero‑day exploits using ‘Trump’s attack on Syria’ as a decoy
Seduploader
2017-02-20Contagio DumpMila Parkour
@online{parkour:20170220:part:c54b5de, author = {Mila Parkour}, title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}}, date = {2017-02-20}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html}, language = {English}, urldate = {2019-11-26} } Part I. Russian APT - APT28 collection of samples including OSX XAgent
X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel
2017-01-10FireEyeFireEye iSIGHT Intelligence
@techreport{intelligence:20170110:apt28:2f371ee, author = {FireEye iSIGHT Intelligence}, title = {{APT28: At The Center Of The Storm}}, date = {2017-01-10}, institution = {FireEye}, url = {https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf}, language = {English}, urldate = {2022-05-04} } APT28: At The Center Of The Storm
Coreshell OLDBAIT Sedreco Seduploader X-Agent
2016-08ESET ResearchESET Research
@techreport{research:201608:en:0617083, author = {ESET Research}, title = {{En Route with Sednit - Part 1: Approaching the Target}}, date = {2016-08}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf}, language = {English}, urldate = {2019-12-10} } En Route with Sednit - Part 1: Approaching the Target
Komplex Seduploader
2016-06-15CrowdStrikeDmitri Alperovitch
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} } Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28
2016-06-14Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20160614:new:b51d1ab, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2020-09-15} } New Sofacy Attacks Against US Government Agency
Seduploader APT28
2015-12-04Kaspersky LabsGReAT
@online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } Sofacy APT hits high profile targets with updated toolset
Coreshell Sedreco Seduploader X-Agent APT28
2015-10-13Trend MicroBrooks Li, Feike Hacquebord, Peter Pi
@online{li:20151013:new:34dc6b1, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-10-15} } New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
Seduploader
2014-10-27Trend MicroLoucif Kharouni, Feike Hacquebord, Numaan Huq, Jim Gogolinski, Fernando Mercês, Alfred Remorin, Douglas Otis
@techreport{kharouni:20141027:operation:1b13f15, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10-27}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2020-09-15} } Operation Pawn Storm: Using Decoys to Evade Detection
Sedreco Seduploader APT28
Yara Rules
[TLP:WHITE] win_seduploader_auto (20221125 | Detects win.seduploader.)
rule win_seduploader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.seduploader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4510 83c6fe 8930 8d4601 50 }
            // n = 5, score = 2400
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   83c6fe               | add                 esi, -2
            //   8930                 | mov                 dword ptr [eax], esi
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax

        $sequence_1 = { e8???????? 8b4510 83c6fe 8930 8d4601 50 }
            // n = 6, score = 2400
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   83c6fe               | add                 esi, -2
            //   8930                 | mov                 dword ptr [eax], esi
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax

        $sequence_2 = { 8b4510 83c6fe 8930 8d4601 50 e8???????? }
            // n = 6, score = 2400
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   83c6fe               | add                 esi, -2
            //   8930                 | mov                 dword ptr [eax], esi
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 5e c3 55 8bec e8???????? 8b4d0c }
            // n = 6, score = 2400
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_4 = { c3 56 6a3e 8bf1 }
            // n = 4, score = 2400
            //   c3                   | ret                 
            //   56                   | push                esi
            //   6a3e                 | push                0x3e
            //   8bf1                 | mov                 esi, ecx

        $sequence_5 = { e8???????? 8b4510 83c6fe 8930 }
            // n = 4, score = 2400
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   83c6fe               | add                 esi, -2
            //   8930                 | mov                 dword ptr [eax], esi

        $sequence_6 = { 56 6a3e 8bf1 e8???????? }
            // n = 4, score = 2400
            //   56                   | push                esi
            //   6a3e                 | push                0x3e
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     

        $sequence_7 = { 50 e8???????? 8b4510 83c6fe 8930 8d4601 50 }
            // n = 7, score = 2400
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   83c6fe               | add                 esi, -2
            //   8930                 | mov                 dword ptr [eax], esi
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax

        $sequence_8 = { 89b5f0feffff 89b5f4feffff e8???????? 83c40c }
            // n = 4, score = 2400
            //   89b5f0feffff         | mov                 dword ptr [ebp - 0x110], esi
            //   89b5f4feffff         | mov                 dword ptr [ebp - 0x10c], esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_9 = { 89b5ecfeffff 89b5f0feffff 89b5f4feffff e8???????? 83c40c }
            // n = 5, score = 2400
            //   89b5ecfeffff         | mov                 dword ptr [ebp - 0x114], esi
            //   89b5f0feffff         | mov                 dword ptr [ebp - 0x110], esi
            //   89b5f4feffff         | mov                 dword ptr [ebp - 0x10c], esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

    condition:
        7 of them and filesize < 401408
}
Download all Yara Rules