win.stuxnet

Stuxnet


There is no description at this point.

References
2023-04-11China Cybersecurity Industry AllianceChina Cybersecurity Industry Alliance
Review of Cyberattacks from US Intelligence Agencies - Based on Global Cybersecurity Communities' Analyses
DuQu Flame Gauss Stuxnet
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-08-05SymantecThreat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2021-05-17Medium s2wlabDenise Dasom Kim, Hyunmin Suh, Jungyeon Lim, YH Jeong
W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb
Stuxnet
2021-02-11DomainToolsJoe Slowik
Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-09-28fmmresearch wordpressFacundo Muñoz
The Emerald Connection: EquationGroup collaboration with Stuxnet
Fanny Stuxnet
2020-09-28fmmresearch wordpressFacundo Muñoz
The Emerald Connection: Equation Group collaboration with Stuxnet
Fanny Stuxnet
2020-07-29Atlantic CouncilJune Lee, Stewart Scott, Trey Herr, William Loomis
BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-06-17Der SpiegelPatrick Beuth
Die erste Cyberwaffe und ihre Folgen
Stuxnet
2020-03-03PWC UKPWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-02Yahoo NewsHuib Modderkolk, Kim Zetter
Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
Stuxnet
2019-04-09Chronicle SecurityJuan Andrés Guerrero-Saade, Silas Cutler
The Oldest Stuxnet Component Dials Up
FlowerShop Stuxnet
2018-03-01CrySyS LabBoldizsar Bencsath
Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-04-13A blog about rootkits research and the Windows kernelArtem Baranov
Stuxnet drivers: detailed analysis
Stuxnet
2016-09-07Virus BulletinBrian Bartholomew, Juan Andrés Guerrero-Saade
Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2011-09-09CodeProjectAmrThabet
Stuxnet Malware Analysis Paper
Stuxnet
2011-01-03ESET ResearchAleksandr Matrosov, David Harley, Eugene Rodionov, Juraj Malcho
Stuxnet Under the Microscope
Stuxnet
2010-12-27media.ccc.deBruce Dang, Peter Ferrie
Adventures in analyzing Stuxnet
Stuxnet
Yara Rules
[TLP:WHITE] win_stuxnet_auto (20241030 | Detects win.stuxnet.)
rule win_stuxnet_auto {

    /* Reviewer notes (do not affect the generated logic):
     *  - Ten 7-instruction code sequences, auto-selected from ONE documented
     *    sample (see the DISCLAIMER below). The condition needs any 7 of them
     *    plus a filesize cap.
     *  - Taken individually, several sequences are ordinary compiler idioms:
     *    $sequence_3 ends with `mov fs:[0], ecx`, typical of an MSVC SEH-frame
     *    epilogue, and $sequence_1 loads the HRESULT 0x80004005 (E_FAIL).
     *    Specificity comes from the 7-of-10 combination, not from any single
     *    sequence, so do not lower the threshold without re-testing on goodware.
     *  - meta `date` (2024-10-31) is one day later than `malpedia_rule_date`
     *    (20241030); presumably generation vs. publication timestamps.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.stuxnet."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // `e8????????` / `ff15????????` / `a1????????` / `b8????????` / `68????????`
        // are call / indirect call / load / immediate sites with the 4-byte
        // operand wildcarded, so relocation does not break the match.
        $sequence_0 = { e8???????? ff7508 8b45ec 8b4008 ff75f0 03c6 50 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax

        // Error path returning E_FAIL (0x80004005) when a global is NULL — a
        // very common MSVC/COM idiom; weak on its own.
        $sequence_1 = { a1???????? 85c0 7507 b805400080 eb39 56 ff7518 }
            // n = 7, score = 200
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   b805400080           | mov                 eax, 0x80004005
            //   eb39                 | jmp                 0x3b
            //   56                   | push                esi
            //   ff7518               | push                dword ptr [ebp + 0x18]

        // Index * 0x38 + base: looks like addressing into an array of 56-byte
        // records — the most sample-specific of the ten (record size is a
        // structure detail, not a compiler idiom).
        $sequence_2 = { ff760c e8???????? 59 6bdb38 8b4508 03d8 895e14 }
            // n = 7, score = 200
            //   ff760c               | push                dword ptr [esi + 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   6bdb38               | imul                ebx, ebx, 0x38
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   03d8                 | add                 ebx, eax
            //   895e14               | mov                 dword ptr [esi + 0x14], ebx

        // Ends with the SEH-frame restore (`mov fs:[0], ecx`); generic epilogue.
        $sequence_3 = { e8???????? eb08 ff7508 e8???????? 59 8b4df4 64890d00000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   eb08                 | jmp                 0xa
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        // Two adjacent `mov eax, imm32` stubs (one followed by `ret`) and a
        // function prologue; generic.
        $sequence_4 = { b8???????? c3 b8???????? e8???????? 56 8b7508 57 }
            // n = 7, score = 200
            //   b8????????           |                     
            //   c3                   | ret                 
            //   b8????????           |                     
            //   e8????????           |                     
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi

        // Allocation of 0x24 (36) bytes via a cdecl call (`pop ecx` balances
        // the single pushed argument), then esi = 1 stored to a local.
        $sequence_5 = { 6a24 e8???????? 59 8945ec 33f6 46 8975fc }
            // n = 7, score = 200
            //   6a24                 | push                0x24
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   8975fc               | mov                 dword ptr [ebp - 4], esi

        $sequence_6 = { e8???????? 84c0 744b 68???????? 8d442440 50 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   744b                 | je                  0x4d
            //   68????????           |                     
            //   8d442440             | lea                 eax, [esp + 0x40]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { e8???????? 8945ec 8d45a8 50 e8???????? 8365fc00 8d45c4 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8d45a8               | lea                 eax, [ebp - 0x58]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d45c4               | lea                 eax, [ebp - 0x3c]

        // Import call whose result is compared against ebx and then invoked
        // (`call eax`) — a resolve-then-call pattern; the import is wildcarded.
        $sequence_8 = { ff75e8 ff15???????? 3bc3 7505 e8???????? ffd0 85c0 }
            // n = 7, score = 200
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   7505                 | jne                 7
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax

        // Pure argument-pushing run (five pushes); no call or constant is
        // included, so it is the least specific sequence.
        $sequence_9 = { 8d55d8 52 ff7510 ff750c ff7508 51 50 }
            // n = 7, score = 200
            //   8d55d8               | lea                 edx, [ebp - 0x28]
            //   52                   | push                edx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   50                   | push                eax

    condition:
        // Any 7 of the 10 sequences. The size cap (~2.4 MB) excludes larger
        // inputs: on full process dumps expect misses rather than false hits.
        7 of them and filesize < 2495488
}
[TLP:WHITE] win_stuxnet_w0   (20190418 | Stuxshop standalone sample configuration)
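rule win_stuxnet_w0 {
    /*
     * Stuxshop standalone sample configuration (JAG-S, Chronicle Security).
     *
     * Three independent match paths, any one of which fires the rule:
     *   (1) all six code fragments ($flowerOverlap*), presumably the overlap
     *       with FlowerShop described in Chronicle's "The Oldest Stuxnet
     *       Component Dials Up" (see References) — confirm;
     *   (2) any two of the four hard-coded C2 URLs ($cnc*);
     *   (3) both registry strings ($regkey*).
     *
     * Reviewer notes:
     *  - Paths (2) and (3) are plain `ascii wide` text strings, so they also
     *    fire on anything that merely quotes them: analysis reports, IOC
     *    lists, and this rule file itself. Triage such hits before treating
     *    them as samples.
     *  - Path (1) is derived from the single sample in `hash`; there is no
     *    filesize bound on any path.
     *  - Hex bytes are written one pair per token (the published text had
     *    `5068` fused); byte content and condition are unchanged.
     */
    meta:
        author = "JAG-S (turla@chronicle.security)"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        description = "Stuxshop standalone sample configuration"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Hard-coded C2 URLs: two raw IPs and two domains sharing the same
        // `index.php?data=` path.
        $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
        $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
        $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
        $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide
        // Registry path and value name — presumably the on-host configuration
        // store referred to in `description`; confirm against the sample.
        $regkey1 = "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
        $regkey2 = "NTVDMParams" ascii wide
        // Code fragments. All six are required (see condition).
        $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
        $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
        // `68 19 00 02 00` pushes 0x00020019 (KEY_READ); looks like a
        // RegOpenKeyEx-style call site — not verified here.
        $flowerOverlap3 = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
        $flowerOverlap4 = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
        $flowerOverlap5 = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
        $flowerOverlap6 = { 85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }
    condition:
        all of ($flowerOverlap*) or 2 of ($cnc*) or all of ($regkey*)
}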
[TLP:WHITE] win_stuxnet_w1   (20190418 | No description)
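rule win_stuxnet_w1 {
    /*
     * Identifies the OS-check function in STUXSHOP and CheshireCat
     * (Silas Cutler, Chronicle Security). Either code fragment is sufficient.
     *
     * Reviewer notes:
     *  - The original meta key was `desc`; Malpedia and most tooling read
     *    `description`, which is apparently why this rule was listed as
     *    "No description". Renamed to `description`; matching logic unchanged.
     *  - The two strings were anonymous (`$ = {...}`); they are now named so
     *    scanner output shows which fragment hit. `any of them` is unchanged.
     *  - In $os_check_2 the immediates `68 ?? ?? ?? 10` (push imm32) and
     *    `FF 15 ?? ?? ?? 10` (call [imm32]) fix the top byte of absolute
     *    addresses at 0x10, i.e. they appear to assume the module's original
     *    image base (0x10000000). A rebased/relocated copy may not match —
     *    confirm against the referenced sample before relying on this for
     *    memory scanning.
     *  - No filesize bound; derived from the single sample in `hash`.
     */
    meta:
        author = "Silas Cutler (havex@Chronicle.Security)"
        description = "Identifies the OS Check function in STUXSHOP and CheshireCat"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Compares stack-frame fields against 4 and 5 (`83 BD 70 FF FF FF 04`,
        // `6A 05 5E`) — consistent with an OS version check, but inferred from
        // the bytes only; not verified.
        $os_check_1 = { 10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E }
        // Wildcarded 4-byte immediates keep only the 0x10 high byte (see notes).
        $os_check_2 = { 01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 }
    condition:
        any of them
}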