SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spyder (Back to overview)

Spyder

There is no description at this point.

References
2023-08-07Recorded FutureInsikt Group
@techreport{group:20230807:redhotel:ee4dd20, author = {Insikt Group}, title = {{RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale}}, date = {2023-08-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf}, language = {English}, urldate = {2023-08-09} } RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2022-05-04CybereasonChen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:0d23595, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques}, language = {English}, urldate = {2022-05-09} } Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti
2022-05-04CybereasonChen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:e40ec58, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive}, language = {English}, urldate = {2022-05-05} } Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti
2021-12-16TEAMT5Charles Li, Aragorn Tseng, Peter Syu, Tom Lai
@online{li:20211216:winnti:adce3fa, author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai}, title = {{Winnti is Coming - Evolution after Prosecution}}, date = {2021-12-16}, organization = {TEAMT5}, url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021}, language = {English}, urldate = {2023-04-28} } Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-07-08Recorded FutureInsikt Group®
@online{group:20210708:chinese:98d34d3, author = {Insikt Group®}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/}, language = {English}, urldate = {2021-07-12} } Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-26SonicWallSonicWall CaptureLabs Threats Research Team
@online{team:20210326:chinas:d31ffa4, author = {SonicWall CaptureLabs Threats Research Team}, title = {{China’s “Winnti” Spyder Module}}, date = {2021-03-26}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/}, language = {English}, urldate = {2021-07-20} } China’s “Winnti” Spyder Module
Spyder
2021-03-01Dr.WebDr.Web
@techreport{drweb:20210301:study:f18b66b, author = {Dr.Web}, title = {{Study of the Spyder modularbackdoor for targeted attacks}}, date = {2021-03-01}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf}, language = {English}, urldate = {2021-03-24} } Study of the Spyder modularbackdoor for targeted attacks
Spyder
2020-03-01Dr.WebDr.Web
@online{drweb:20200301:backdoorspyder1:c9f5b5c, author = {Dr.Web}, title = {{BackDoor.Spyder.1}}, date = {2020-03-01}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?i=23648386}, language = {English}, urldate = {2022-05-05} } BackDoor.Spyder.1
Spyder
Yara Rules
[TLP:WHITE] win_spyder_auto (20230715 | Detects win.spyder.)
rule win_spyder_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.spyder."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d3da8a20000 eb0e 488b03 4885c0 7402 ffd0 4883c308 }
            // n = 7, score = 500
            //   488d3da8a20000       | dec                 eax
            //   eb0e                 | lea                 edi, [0xa2a8]
            //   488b03               | jmp                 0x10
            //   4885c0               | dec                 eax
            //   7402                 | mov                 eax, dword ptr [ebx]
            //   ffd0                 | dec                 eax
            //   4883c308             | test                eax, eax

        $sequence_1 = { 4c8d05928a0000 8bd7 498bcd e8???????? 85c0 7415 4533c9 }
            // n = 7, score = 500
            //   4c8d05928a0000       | arpl                word ptr [esp + 0x3c], si
            //   8bd7                 | dec                 ecx
            //   498bcd               | add                 esi, esp
            //   e8????????           |                     
            //   85c0                 | cmp                 dword ptr [esi], 0x4550
            //   7415                 | test                eax, eax
            //   4533c9               | jne                 0x1e

        $sequence_2 = { 0f8493010000 488d156a5f0000 488bc8 ff15???????? 4885c0 }
            // n = 5, score = 500
            //   0f8493010000         | dec                 eax
            //   488d156a5f0000       | lea                 edx, [0x8988]
            //   488bc8               | inc                 ecx
            //   ff15????????         |                     
            //   4885c0               | mov                 eax, 0x12010

        $sequence_3 = { 488b03 4885c0 7437 482bfb 0f1f8000000000 4c8b4638 498bcc }
            // n = 7, score = 500
            //   488b03               | mov                 edx, edi
            //   4885c0               | dec                 ecx
            //   7437                 | mov                 ecx, ebp
            //   482bfb               | test                eax, eax
            //   0f1f8000000000       | je                  0x25
            //   4c8b4638             | inc                 ebp
            //   498bcc               | xor                 ecx, ecx

        $sequence_4 = { e8???????? 85c0 751a 488d1588890000 41b810200100 488bcd e8???????? }
            // n = 7, score = 500
            //   e8????????           |                     
            //   85c0                 | dec                 ecx
            //   751a                 | mov                 edx, esp
            //   488d1588890000       | je                  0xd
            //   41b810200100         | mov                 ecx, 0xc1
            //   488bcd               | dec                 ecx
            //   e8????????           |                     

        $sequence_5 = { 0f85d5000000 488d0d935f0000 ff15???????? 488bf0 4885c0 }
            // n = 5, score = 500
            //   0f85d5000000         | dec                 eax
            //   488d0d935f0000       | mov                 ecx, ebp
            //   ff15????????         |                     
            //   488bf0               | dec                 esp
            //   4885c0               | lea                 eax, [0x8a92]

        $sequence_6 = { 740b b9c1000000 ff15???????? 496374243c 4903f4 813e50450000 }
            // n = 6, score = 500
            //   740b                 | dec                 eax
            //   b9c1000000           | mov                 dword ptr [esp + 0x20], esi
            //   ff15????????         |                     
            //   496374243c           | int3                
            //   4903f4               | dec                 esp
            //   813e50450000         | lea                 eax, [0x89fc]

        $sequence_7 = { 33d2 33c9 4889742420 e8???????? cc 4c8d05fc890000 498bd4 }
            // n = 7, score = 500
            //   33d2                 | je                  4
            //   33c9                 | call                eax
            //   4889742420           | dec                 eax
            //   e8????????           |                     
            //   cc                   | add                 ebx, 8
            //   4c8d05fc890000       | xor                 edx, edx
            //   498bd4               | xor                 ecx, ecx

        $sequence_8 = { f7d8 83da00 5b c21000 8b542404 }
            // n = 5, score = 100
            //   f7d8                 | test                eax, eax
            //   83da00               | jne                 0xdb
            //   5b                   | dec                 eax
            //   c21000               | lea                 ecx, [0x5f93]
            //   8b542404             | dec                 eax

        $sequence_9 = { 8b4d0c 8a01 4a 0fb6f0 f686014a091004 }
            // n = 5, score = 100
            //   8b4d0c               | inc                 ebp
            //   8a01                 | test                edx, edx
            //   4a                   | jne                 0x3c
            //   0fb6f0               | dec                 eax
            //   f686014a091004       | lea                 ecx, [ebx + 4]

        $sequence_10 = { 53 52 8d8424900d0000 57 50 }
            // n = 5, score = 100
            //   53                   | test                eax, eax
            //   52                   | neg                 eax
            //   8d8424900d0000       | sbb                 edx, 0
            //   57                   | pop                 ebx
            //   50                   | ret                 0x10

        $sequence_11 = { 83e103 50 f3a4 68???????? e8???????? 8b8c2424010000 8b942428010000 }
            // n = 7, score = 100
            //   83e103               | nop                 dword ptr [eax]
            //   50                   | dec                 esp
            //   f3a4                 | mov                 eax, dword ptr [esi + 0x38]
            //   68????????           |                     
            //   e8????????           |                     
            //   8b8c2424010000       | dec                 ecx
            //   8b942428010000       | mov                 ecx, esp

        $sequence_12 = { 8a9405ecfdffff 889000490910 eb1c f6c202 7410 8088????????20 }
            // n = 6, score = 100
            //   8a9405ecfdffff       | mov                 esi, eax
            //   889000490910         | dec                 eax
            //   eb1c                 | test                eax, eax
            //   f6c202               | dec                 eax
            //   7410                 | mov                 eax, dword ptr [ebx]
            //   8088????????20       |                     

        $sequence_13 = { 0fb6fa 3bc7 7714 8b55fc 8a92783d0910 0890014a0910 40 }
            // n = 7, score = 100
            //   0fb6fa               | mov                 edx, dword ptr [esp + 4]
            //   3bc7                 | mov                 dl, byte ptr [ebp + eax - 0x214]
            //   7714                 | mov                 byte ptr [eax + 0x10094900], dl
            //   8b55fc               | jmp                 0x2b
            //   8a92783d0910         | test                dl, 2
            //   0890014a0910         | je                  0x24
            //   40                   | mov                 byte ptr [esp + 0x188], bl

        $sequence_14 = { 889c2488010000 f3ab 8b8c248c150000 8d942488010000 66ab }
            // n = 5, score = 100
            //   889c2488010000       | dec                 eax
            //   f3ab                 | test                eax, eax
            //   8b8c248c150000       | je                  0x3f
            //   8d942488010000       | dec                 eax
            //   66ab                 | sub                 edi, ebx

        $sequence_15 = { e8???????? 83c408 8bf0 8d942488010000 46 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c408               | dec                 esp
            //   8bf0                 | lea                 eax, [0x3e17]
            //   8d942488010000       | inc                 ecx
            //   46                   | lea                 edx, [edx + 0x16]

    condition:
        7 of them and filesize < 1458176
}
Download all Yara Rules