Skipper (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.skipper (Back to overview)
Skipper

aka: Kotel
Actor(s): Turla Group
There is no description at this point.
References

2020-03-12 ⋅ ESET Research ⋅ Matthieu Faou
Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020 ⋅ Secureworks ⋅ SecureWorks
IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-05-19 ⋅ Telsy ⋅ Webmaster
Following the Turla’s Skipper over the ocean of cyber operations
Skipper
2018-10-04 ⋅ Kaspersky Labs ⋅ GReAT
Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-06-06 ⋅ ESET Research ⋅ Jean-Ian Boutin
Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
HTML5 Encoding Skipper
2016-06-30 ⋅ Bitdefender ⋅ Bitdefender
Pacifier APT
Skipper
2015 ⋅ Bitdefender ⋅ Cristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
New Pacifier APT Components Point to Russian-Linked Turla Group
Skipper
Yara Rules

[TLP:WHITE] win_skipper_auto (20220808 | Detects win.skipper.)
rule win_skipper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a03 68???????? 68???????? 6a50 }
            // n = 5, score = 600
            //   6a00                 | dec                 eax
            //   6a03                 | lea                 edx, [esp]
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | inc                 esp

        $sequence_1 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | inc                 ecx
            //   5d                   | and                 edx, 0x800000ff
            //   c3                   | inc                 ecx
            //   55                   | cmp                 ecx, 0x100
            //   8bec                 | jl                  0xffffff9c
            //   33c0                 | dec                 eax
            //   50                   | mov                 ebx, ebp

        $sequence_2 = { 50 ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 7, score = 500
            //   50                   | mov                 eax, ecx
            //   ff15????????         |                     
            //   6a00                 | nop                 dword ptr [eax + eax]
            //   6a00                 | xor                 ecx, ecx
            //   6a00                 | dec                 ecx
            //   6a00                 | arpl                cx, bp
            //   50                   | dec                 ecx

        $sequence_3 = { 6804010000 e8???????? 6804010000 8bf8 6a00 }
            // n = 5, score = 500
            //   6804010000           | movzx               ecx, byte ptr [eax]
            //   e8????????           |                     
            //   6804010000           | dec                 eax
            //   8bf8                 | add                 edx, eax
            //   6a00                 | movzx               eax, byte ptr [edx]

        $sequence_4 = { e8???????? 6804010000 8bd8 6a00 53 e8???????? 53 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   6804010000           | mov                 byte ptr [ebx - 1], dl
            //   8bd8                 | dec                 eax
            //   6a00                 | dec                 ebx
            //   53                   | jne                 0xffffffb4
            //   e8????????           |                     
            //   53                   | push                0

        $sequence_5 = { 7cb1 8b750c 8bbdecfeffff 85f6 }
            // n = 4, score = 400
            //   7cb1                 | movzx               edx, byte ptr [esp + eax]
            //   8b750c               | inc                 edx
            //   8bbdecfeffff         | xor                 dl, byte ptr [edi + ebx - 1]
            //   85f6                 | inc                 ecx

        $sequence_6 = { be???????? 6804010000 6a00 57 e8???????? 6a32 6a00 }
            // n = 7, score = 400
            //   be????????           |                     
            //   6804010000           | mov                 ecx, ecx
            //   6a00                 | dec                 eax
            //   57                   | lea                 ebx, [esp]
            //   e8????????           |                     
            //   6a32                 | dec                 ecx
            //   6a00                 | inc                 ebx

        $sequence_7 = { 6a11 68???????? b9???????? e8???????? 6a04 e8???????? }
            // n = 6, score = 400
            //   6a11                 | mov                 eax, ecx
            //   68????????           |                     
            //   b9????????           |                     
            //   e8????????           |                     
            //   6a04                 | inc                 esp
            //   e8????????           |                     

        $sequence_8 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | push                0
            //   6a00                 | push                edi
            //   6a00                 | mov                 byte ptr [edi - 1], al
            //   68????????           |                     

        $sequence_9 = { e8???????? 83c404 6a00 6a64 52 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   83c404               | push                0
            //   6a00                 | push                edi
            //   6a64                 | push                0x32
            //   52                   | push                0

        $sequence_10 = { 0fb6d2 8a8415f0feffff 8885eefeffff 8b4d10 }
            // n = 4, score = 200
            //   0fb6d2               | mov                 eax, dword ptr [ebp - 0x128]
            //   8a8415f0feffff       | push                eax
            //   8885eefeffff         | mov                 ecx, dword ptr [ebp - 0x130]
            //   8b4d10               | push                ecx

        $sequence_11 = { 81ca00ffffff ffc2 0fb6c2 49ffc3 }
            // n = 4, score = 200
            //   81ca00ffffff         | dec                 eax
            //   ffc2                 | sar                 edi, 5
            //   0fb6c2               | cmp                 eax, 0x100
            //   49ffc3               | jl                  0xfffffff3

        $sequence_12 = { 448bd1 8bc1 0f1f840000000000 8802 ffc0 488d5201 }
            // n = 6, score = 200
            //   448bd1               | inc                 esp
            //   8bc1                 | mov                 eax, ecx
            //   0f1f840000000000     | inc                 esp
            //   8802                 | mov                 ecx, ecx
            //   ffc0                 | inc                 ecx
            //   488d5201             | imul                ecx

        $sequence_13 = { 408832 4181f900010000 7c9a 488bdd }
            // n = 4, score = 200
            //   408832               | dec                 eax
            //   4181f900010000       | dec                 ebp
            //   7c9a                 | jne                 0xffffffd9
            //   488bdd               | dec                 eax

        $sequence_14 = { 8945f4 c745f800000000 c745fc00000000 c785e4feffff00000000 eb0f 8b85e4feffff }
            // n = 6, score = 200
            //   8945f4               | push                eax
            //   c745f800000000       | push                0
            //   c745fc00000000       | mov                 ecx, dword ptr [ebp - 0x12c]
            //   c785e4feffff00000000     | push    ecx
            //   eb0f                 | push                edx
            //   8b85e4feffff         | push                0

        $sequence_15 = { 41f7e9 c1fa02 8bc2 c1e81f 03d0 418bc1 8d1492 }
            // n = 7, score = 200
            //   41f7e9               | mov                 dword ptr [ebx], eax
            //   c1fa02               | dec                 eax
            //   8bc2                 | mov                 eax, ebx
            //   c1e81f               | dec                 eax
            //   03d0                 | add                 esp, 0x20
            //   418bc1               | dec                 eax
            //   8d1492               | add                 ebx, 0x10

        $sequence_16 = { 4863c1 0fb61404 4403d2 4181e2ff000080 7d0d }
            // n = 5, score = 200
            //   4863c1               | lea                 ebx, [0xa4f7]
            //   0fb61404             | dec                 eax
            //   4403d2               | mov                 ecx, dword ptr [ebx - 8]
            //   4181e2ff000080       | dec                 eax
            //   7d0d                 | test                ecx, ecx

        $sequence_17 = { 0d00ffffff 40 8945f8 8b4df8 0fb6940df0feffff 0355fc }
            // n = 6, score = 200
            //   0d00ffffff           | mov                 al, byte ptr [ebp + edx - 0x110]
            //   40                   | mov                 byte ptr [ebp - 0x112], al
            //   8945f8               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b4df8               | mov                 dword ptr [ebp - 0x120], eax
            //   0fb6940df0feffff     | cmp                 dword ptr [ebp - 0x120], 0x100
            //   0355fc               | jge                 0x8a

        $sequence_18 = { 8a8c15f0feffff 888c05f0feffff 0fb655fc 8a85effeffff 888415f0feffff 0fb64df8 }
            // n = 6, score = 200
            //   8a8c15f0feffff       | mov                 dword ptr [ebp - 0x118], eax
            //   888c05f0feffff       | xor                 edi, edi
            //   0fb655fc             | mov                 dword ptr [ebp - 4], edi
            //   8a85effeffff         | cmp                 ebx, dword ptr [edi*8 + 0x23a918]
            //   888415f0feffff       | je                  0xba
            //   0fb64df8             | inc                 edi

        $sequence_19 = { 038ddcfeffff 0fbe11 0fb685eefeffff 33d0 8b4d18 }
            // n = 5, score = 200
            //   038ddcfeffff         | mov                 dword ptr [ebp - 4], 0
            //   0fbe11               | mov                 dword ptr [ebp - 0x11c], 0
            //   0fb685eefeffff       | jmp                 0x29
            //   33d0                 | mov                 eax, dword ptr [ebp - 0x11c]
            //   8b4d18               | movzx               edx, dl

        $sequence_20 = { 4c03c0 410fb6c2 450fb608 4803d0 0fb602 418800 44880a }
            // n = 7, score = 200
            //   4c03c0               | lea                 edx, [edx + edx*4]
            //   410fb6c2             | inc                 eax
            //   450fb608             | mov                 byte ptr [edx], dh
            //   4803d0               | inc                 ecx
            //   0fb602               | cmp                 ecx, 0x100
            //   418800               | jl                  0xffffffa3
            //   44880a               | dec                 eax

        $sequence_21 = { 41 898de8feffff 8b85e0feffff 8a8c05f0feffff 888deffeffff 0fb695e8feffff 8b85e0feffff }
            // n = 7, score = 200
            //   41                   | inc                 eax
            //   898de8feffff         | jmp                 0xaf
            //   8b85e0feffff         | push                edi
            //   8a8c05f0feffff       | xor                 edi, edi
            //   888deffeffff         | lea                 esi, [edi + 0x23a9d0]
            //   0fb695e8feffff       | push                dword ptr [esi]
            //   8b85e0feffff         | add                 edi, 4

        $sequence_22 = { 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 }
            // n = 4, score = 200
            //   8885eefeffff         | cmp                 eax, 0x100
            //   8b4d10               | jge                 0xc9
            //   038ddcfeffff         | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   0fbe11               | mov                 byte ptr [eax + 0x23a5b0], cl

        $sequence_23 = { 0f8dcf000000 8b45f8 83c001 25ff000080 7907 }
            // n = 5, score = 200
            //   0f8dcf000000         | mov                 dword ptr [esi + 0x68], 0x23a288
            //   8b45f8               | push                0xd
            //   83c001               | pop                 ecx
            //   25ff000080           | mov                 edx, dword ptr [ebp - 0x11c]
            //   7907                 | push                edx

        $sequence_24 = { 4c8b9c2440010000 33c9 4963e9 498bf8 488d1424 448bd1 }
            // n = 6, score = 200
            //   4c8b9c2440010000     | sar                 edx, 2
            //   33c9                 | mov                 eax, edx
            //   4963e9               | shr                 eax, 0x1f
            //   498bf8               | add                 edx, eax
            //   488d1424             | inc                 ecx
            //   448bd1               | mov                 eax, ecx

        $sequence_25 = { 3d00010000 7cf1 448bc1 448bc9 }
            // n = 4, score = 200
            //   3d00010000           | je                  0x2db
            //   7cf1                 | dec                 eax
            //   448bc1               | lea                 eax, [0x854f]
            //   448bc9               | dec                 eax

        $sequence_26 = { 4883c310 48ffcd 75d4 488d1df7a40000 488b4bf8 4885c9 740b }
            // n = 7, score = 100
            //   4883c310             | inc                 cx
            //   48ffcd               | mov                 dword ptr [eax + ecx*2 + 0x132a0], eax
            //   75d4                 | inc                 edx
            //   488d1df7a40000       | jmp                 0xffffffe6
            //   488b4bf8             | mov                 edx, edi
            //   4885c9               | dec                 eax
            //   740b                 | lea                 eax, [0xa9df]

        $sequence_27 = { 897e70 c686c800000043 c6864b01000043 c7466888a22300 6a0d e8???????? 59 }
            // n = 7, score = 100
            //   897e70               | push                0
            //   c686c800000043       | push                edi
            //   c6864b01000043       | push                0x104
            //   c7466888a22300       | push                0x104
            //   6a0d                 | mov                 edi, eax
            //   e8????????           |                     
            //   59                   | push                0

        $sequence_28 = { 6a00 6a00 6a00 53 6a00 ff15???????? ff75e8 }
            // n = 7, score = 100
            //   6a00                 | push                3
            //   6a00                 | push                0x50
            //   6a00                 | push                3
            //   53                   | push                0x50
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff75e8               | push                3

        $sequence_29 = { e9???????? 488d05dfa90000 4a8b0ce8 41f6440c0880 0f84cb020000 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   488d05dfa90000       | sub                 esp, 0x20
            //   4a8b0ce8             | dec                 eax
            //   41f6440c0880         | mov                 ebx, ecx
            //   0f84cb020000         | dec                 eax

        $sequence_30 = { 83c40c 68???????? 6810040000 56 e8???????? 83c40c }
            // n = 6, score = 100
            //   83c40c               | push                0x50
            //   68????????           |                     
            //   6810040000           | push                0x104
            //   56                   | push                0x104
            //   e8????????           |                     
            //   83c40c               | mov                 edi, eax

        $sequence_31 = { 0fb7444b0c 6641898448a0320100 ffc2 ebe2 8bd7 }
            // n = 5, score = 100
            //   0fb7444b0c           | cmp                 dword ptr [eax], ecx
            //   6641898448a0320100     | je    0x12
            //   ffc2                 | dec                 eax
            //   ebe2                 | add                 eax, 0x10
            //   8bd7                 | dec                 eax

        $sequence_32 = { 4883ec20 488bd9 e8???????? 488d053bae0000 488903 }
            // n = 5, score = 100
            //   4883ec20             | mov                 ebx, eax
            //   488bd9               | dec                 eax
            //   e8????????           |                     
            //   488d053bae0000       | lea                 eax, [0x9aa5]
            //   488903               | je                  0x11

        $sequence_33 = { e8???????? 488d054f850000 488903 488bc3 4883c420 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488d054f850000       | lea                 eax, [0xae3b]
            //   488903               | dec                 eax
            //   488bc3               | mov                 dword ptr [ebx], eax
            //   4883c420             | movzx               eax, word ptr [ebx + ecx*2 + 0xc]

        $sequence_34 = { 7526 4c8d3519a30000 493bde 7408 }
            // n = 4, score = 100
            // 
            //   4c8d3519a30000       | dec                 esp
            //   493bde               | lea                 esi, [0xa319]
            //   7408                 | dec                 ecx

        $sequence_35 = { 8b95e4feffff 52 ff15???????? 68???????? ff15???????? 8985e8feffff 68???????? }
            // n = 7, score = 100
            //   8b95e4feffff         | push                edi
            //   52                   | push                0x104
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   8985e8feffff         | push                0x104
            //   68????????           |                     

        $sequence_36 = { 3d00010000 7d10 8a8c181d010000 8888b0a52300 40 ebe6 ff35???????? }
            // n = 7, score = 100
            //   3d00010000           | push                0
            //   7d10                 | push                eax
            //   8a8c181d010000       | push                0
            //   8888b0a52300         | push                0
            //   40                   | push                0
            //   ebe6                 | push                0
            //   ff35????????         |                     

        $sequence_37 = { 41b904010000 488bcf 488bd0 488bd8 }
            // n = 4, score = 100
            //   41b904010000         | cmp                 ebx, esi
            //   488bcf               | je                  0xa
            //   488bd0               | inc                 ecx
            //   488bd8               | mov                 ecx, 0x104

        $sequence_38 = { 8b8dd4feffff 51 ff15???????? 8985e4feffff }
            // n = 4, score = 100
            //   8b8dd4feffff         | push                0x104
            //   51                   | push                0x104
            //   ff15????????         |                     
            //   8985e4feffff         | mov                 edi, eax

        $sequence_39 = { 57 33ff 8db7d0a92300 ff36 e8???????? 83c704 }
            // n = 6, score = 100
            //   57                   | push                eax
            //   33ff                 | push                0x104
            //   8db7d0a92300         | push                0x104
            //   ff36                 | mov                 edi, eax
            //   e8????????           |                     
            //   83c704               | push                0

        $sequence_40 = { 48833d????????00 488d05a59a0000 740f 3908 740e 4883c010 }
            // n = 6, score = 100
            //   48833d????????00     |                     
            //   488d05a59a0000       | dec                 eax
            //   740f                 | mov                 ecx, edi
            //   3908                 | dec                 eax
            //   740e                 | mov                 edx, eax
            //   4883c010             | dec                 eax

        $sequence_41 = { eb12 8b45e0 8a80b4a62300 08443b1d 0fb64601 }
            // n = 5, score = 100
            //   eb12                 | push                0x50
            //   8b45e0               | push                0x104
            //   8a80b4a62300         | push                0x104
            //   08443b1d             | mov                 edi, eax
            //   0fb64601             | push                0

        $sequence_42 = { 52 6a00 8b85d8feffff 50 8b8dd0feffff 51 6a00 }
            // n = 7, score = 100
            //   52                   | push                ebp
            //   6a00                 | mov                 ebp, esp
            //   8b85d8feffff         | xor                 eax, eax
            //   50                   | push                eax
            //   8b8dd0feffff         | push                0
            //   51                   | push                0
            //   6a00                 | push                0

        $sequence_43 = { 8b5de8 83c40c 8d4e01 51 53 57 }
            // n = 6, score = 100
            //   8b5de8               | dec                 esi
            //   83c40c               | jne                 0xffffff6e
            //   8d4e01               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | pop                 edi
            //   53                   | push                0
            //   57                   | push                0

        $sequence_44 = { 33ff 897dfc 3b1cfd18a92300 7409 47 }
            // n = 5, score = 100
            //   33ff                 | mov                 edi, eax
            //   897dfc               | push                eax
            //   3b1cfd18a92300       | push                0
            //   7409                 | push                0
            //   47                   | push                0

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules
Skipper Propose Change

References

Yara Rules

Skipper
