SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spyder (Back to overview)

Spyder

There is no description at this point.

References
2022-05-04CybereasonChen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:0d23595, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques}, language = {English}, urldate = {2022-05-09} } Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti
2022-05-04CybereasonChen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:e40ec58, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive}, language = {English}, urldate = {2022-05-05} } Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti
2021-12-16TEAMT5Charles Li, Aragorn Tseng, Peter Syu, Tom Lai
@online{li:20211216:winnti:adce3fa, author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai}, title = {{Winnti is Coming - Evolution after Prosecution}}, date = {2021-12-16}, organization = {TEAMT5}, url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021}, language = {English}, urldate = {2023-04-28} } Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-07-08Recorded FutureInsikt Group®
@online{group:20210708:chinese:98d34d3, author = {Insikt Group®}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/}, language = {English}, urldate = {2021-07-12} } Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-26SonicWallSonicWall CaptureLabs Threats Research Team
@online{team:20210326:chinas:d31ffa4, author = {SonicWall CaptureLabs Threats Research Team}, title = {{China’s “Winnti” Spyder Module}}, date = {2021-03-26}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/}, language = {English}, urldate = {2021-07-20} } China’s “Winnti” Spyder Module
Spyder
2021-03-01Dr.WebDr.Web
@techreport{drweb:20210301:study:f18b66b, author = {Dr.Web}, title = {{Study of the Spyder modularbackdoor for targeted attacks}}, date = {2021-03-01}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf}, language = {English}, urldate = {2021-03-24} } Study of the Spyder modularbackdoor for targeted attacks
Spyder
2020-03-01Dr.WebDr.Web
@online{drweb:20200301:backdoorspyder1:c9f5b5c, author = {Dr.Web}, title = {{BackDoor.Spyder.1}}, date = {2020-03-01}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?i=23648386}, language = {English}, urldate = {2022-05-05} } BackDoor.Spyder.1
Spyder
Yara Rules
[TLP:WHITE] win_spyder_auto (20230407 | Detects win.spyder.)
rule win_spyder_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.spyder."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883d8ff c3 4053 4883ec40 488bd9 }
            // n = 5, score = 500
            //   4883d8ff             | lea                 eax, [0x1576]
            //   c3                   | dec                 eax
            //   4053                 | lea                 eax, [0x14b0]
            //   4883ec40             | dec                 eax
            //   488bd9               | sbb                 eax, -1

        $sequence_1 = { 443bce 753c 4585d2 7537 488d4b04 4c8d05173e0000 }
            // n = 6, score = 500
            //   443bce               | jne                 0xde
            //   753c                 | dec                 eax
            //   4585d2               | lea                 ecx, [0x5f93]
            //   7537                 | test                eax, eax
            //   488d4b04             | jne                 0x1e
            //   4c8d05173e0000       | dec                 eax

        $sequence_2 = { 48391d???????? 488bf8 0f85d5000000 488d0d935f0000 ff15???????? }
            // n = 5, score = 500
            //   48391d????????       |                     
            //   488bf8               | dec                 eax
            //   0f85d5000000         | sub                 esp, 0x40
            //   488d0d935f0000       | dec                 eax
            //   ff15????????         |                     

        $sequence_3 = { 488d0590200000 488905???????? 488d0576150000 488905???????? 488d05b0140000 488905???????? }
            // n = 6, score = 500
            //   488d0590200000       | dec                 eax
            //   488905????????       |                     
            //   488d0576150000       | lea                 eax, [0x2090]
            //   488905????????       |                     
            //   488d05b0140000       | dec                 eax
            //   488905????????       |                     

        $sequence_4 = { e8???????? 85c0 751a 488d1588890000 41b810200100 488bcd }
            // n = 6, score = 500
            //   e8????????           |                     
            //   85c0                 | mov                 ebx, ecx
            //   751a                 | dec                 eax
            //   488d1588890000       | lea                 eax, [0x1625]
            //   41b810200100         | dec                 eax
            //   488bcd               | lea                 ecx, [0x216e]

        $sequence_5 = { ff15???????? 488bf0 4885c0 0f8493010000 488d156a5f0000 488bc8 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   488bf0               | lea                 edx, [0x8988]
            //   4885c0               | inc                 ecx
            //   0f8493010000         | mov                 eax, 0x12010
            //   488d156a5f0000       | dec                 eax
            //   488bc8               | mov                 ecx, ebp

        $sequence_6 = { 488d0525160000 488d0d6e210000 488905???????? 488d0500160000 }
            // n = 4, score = 500
            //   488d0525160000       | ret                 
            //   488d0d6e210000       | inc                 eax
            //   488905????????       |                     
            //   488d0500160000       | push                ebx

        $sequence_7 = { ff15???????? 496374243c 4903f4 813e50450000 740b }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   496374243c           | dec                 eax
            //   4903f4               | lea                 eax, [0x1600]
            //   813e50450000         | dec                 eax
            //   740b                 | mov                 edi, eax

        $sequence_8 = { 8088014a091008 40 3dff000000 72f1 53 e8???????? 59 }
            // n = 7, score = 100
            //   8088014a091008       | or                  byte ptr [eax + 0x10094a01], 8
            //   40                   | inc                 eax
            //   3dff000000           | cmp                 eax, 0xff
            //   72f1                 | jb                  0xfffffff3
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_9 = { 8bf1 8bc1 c1fe05 83e01f 8b34b5204b0910 }
            // n = 5, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   8bc1                 | mov                 eax, ecx
            //   c1fe05               | sar                 esi, 5
            //   83e01f               | and                 eax, 0x1f
            //   8b34b5204b0910       | mov                 esi, dword ptr [esi*4 + 0x10094b20]

        $sequence_10 = { 3bfb 7e16 8a8c04880d0000 80f162 888c04880d0000 }
            // n = 5, score = 100
            //   3bfb                 | cmp                 edi, ebx
            //   7e16                 | jle                 0x18
            //   8a8c04880d0000       | mov                 cl, byte ptr [esp + eax + 0xd88]
            //   80f162               | xor                 cl, 0x62
            //   888c04880d0000       | mov                 byte ptr [esp + eax + 0xd88], cl

        $sequence_11 = { b9ff000000 33c0 8dbc2489010000 889c2488010000 }
            // n = 4, score = 100
            //   b9ff000000           | mov                 ecx, 0xff
            //   33c0                 | xor                 eax, eax
            //   8dbc2489010000       | lea                 edi, [esp + 0x189]
            //   889c2488010000       | mov                 byte ptr [esp + 0x188], bl

        $sequence_12 = { 83c404 85c0 7514 68???????? e8???????? 83c404 }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_13 = { 80f162 888c04880d0000 40 3bc7 }
            // n = 4, score = 100
            //   80f162               | xor                 cl, 0x62
            //   888c04880d0000       | mov                 byte ptr [esp + eax + 0xd88], cl
            //   40                   | inc                 eax
            //   3bc7                 | cmp                 eax, edi

        $sequence_14 = { 0fb6da f683014a091004 7406 8816 }
            // n = 4, score = 100
            //   0fb6da               | movzx               ebx, dl
            //   f683014a091004       | test                byte ptr [ebx + 0x10094a01], 4
            //   7406                 | je                  8
            //   8816                 | mov                 byte ptr [esi], dl

        $sequence_15 = { 57 50 56 895c2430 ff15???????? 56 ff15???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   56                   | push                esi
            //   895c2430             | mov                 dword ptr [esp + 0x30], ebx
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1458176
}
Download all Yara Rules