SYMBOLCOMMON_NAMEaka. SYNONYMS
win.stuxnet (Back to overview)

Stuxnet


There is no description at this point.

References
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2021-05-17Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim, YH Jeong
@online{suh:20210517:w3:0e9b789, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb}}, date = {2021-05-17}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001}, language = {English}, urldate = {2021-06-16} } W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb
Stuxnet
2021-02-11DomainToolsJoe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-09-28fmmresearch wordpressFacundo Muñoz
@online{muoz:20200928:emerald:07900c2, author = {Facundo Muñoz}, title = {{The Emerald Connection: EquationGroup collaboration with Stuxnet}}, date = {2020-09-28}, organization = {fmmresearch wordpress}, url = {https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: EquationGroup collaboration with Stuxnet
Fanny Stuxnet
2020-09-28fmmresearch wordpressFacundo Muñoz
@techreport{muoz:20200928:emerald:1e7fceb, author = {Facundo Muñoz}, title = {{The Emerald Connection: Equation Group collaboration with Stuxnet}}, date = {2020-09-28}, institution = {fmmresearch wordpress}, url = {https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: Equation Group collaboration with Stuxnet
Fanny Stuxnet
2020-07-29Atlantic CouncilTrey Herr, June Lee, William Loomis, Stewart Scott
@techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-06-17Der SpiegelPatrick Beuth
@online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } Die erste Cyberwaffe und ihre Folgen
Stuxnet
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-02Yahoo NewsKim Zetter, Huib Modderkolk
@online{zetter:20190902:revealed:d33539b, author = {Kim Zetter and Huib Modderkolk}, title = {{Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran}}, date = {2019-09-02}, organization = {Yahoo News}, url = {https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html}, language = {English}, urldate = {2020-01-07} } Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
Stuxnet
2019-04-09Chronicle SecurityJuan Andrés Guerrero-Saade, Silas Cutler
@techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } The Oldest Stuxnet Component Dials Up
FlowerShop Stuxnet
2018-03CrySyS LabBoldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-04-13A blog about rootkits research and the Windows kernelArtem Baranov
@online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } Stuxnet drivers: detailed analysis
Stuxnet
2016-09-07Virus BulletinBrian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2011-09-09CodeProjectAmrThabet
@online{amrthabet:20110909:stuxnet:07c5348, author = {AmrThabet}, title = {{Stuxnet Malware Analysis Paper}}, date = {2011-09-09}, organization = {CodeProject}, url = {https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper}, language = {English}, urldate = {2020-11-13} } Stuxnet Malware Analysis Paper
Stuxnet
2011-01-03ESET ResearchAleksandr Matrosov, Eugene Rodionov, David Harley, Juraj Malcho
@techreport{matrosov:20110103:stuxnet:420d733, author = {Aleksandr Matrosov and Eugene Rodionov and David Harley and Juraj Malcho}, title = {{Stuxnet Under the Microscope}}, date = {2011-01-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf}, language = {English}, urldate = {2019-12-20} } Stuxnet Under the Microscope
Stuxnet
2010-12-27media.ccc.deBruce Dang, Peter Ferrie
@online{dang:20101227:adventures:a04e4f7, author = {Bruce Dang and Peter Ferrie}, title = {{Adventures in analyzing Stuxnet}}, date = {2010-12-27}, organization = {media.ccc.de}, url = {https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet}, language = {English}, urldate = {2022-09-12} } Adventures in analyzing Stuxnet
Stuxnet
Yara Rules
[TLP:WHITE] win_stuxnet_auto (20220808 | Detects win.stuxnet.)
rule win_stuxnet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.stuxnet."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c645fc02 c700???????? c645fc03 c700???????? 885dfc eb02 33c0 }
            // n = 7, score = 200
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   c700????????         |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   c700????????         |                     
            //   885dfc               | mov                 byte ptr [ebp - 4], bl
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { c645fc02 8d45b4 50 68???????? e8???????? 59 59 }
            // n = 7, score = 200
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d45b4               | lea                 eax, [ebp - 0x4c]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_2 = { c21000 56 8bf0 81fe24499204 7605 e8???????? 8bce }
            // n = 7, score = 200
            //   c21000               | ret                 0x10
            //   56                   | push                esi
            //   8bf0                 | mov                 esi, eax
            //   81fe24499204         | cmp                 esi, 0x4924924
            //   7605                 | jbe                 7
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_3 = { e9???????? 8d75bc e9???????? 8d8d44ffffff e9???????? 8d75d8 e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8d75bc               | lea                 esi, [ebp - 0x44]
            //   e9????????           |                     
            //   8d8d44ffffff         | lea                 ecx, [ebp - 0xbc]
            //   e9????????           |                     
            //   8d75d8               | lea                 esi, [ebp - 0x28]
            //   e9????????           |                     

        $sequence_4 = { b001 84c0 740a f6c310 7505 33c0 40 }
            // n = 7, score = 200
            //   b001                 | mov                 al, 1
            //   84c0                 | test                al, al
            //   740a                 | je                  0xc
            //   f6c310               | test                bl, 0x10
            //   7505                 | jne                 7
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_5 = { e8???????? c645fc07 8dbd64ffffff e8???????? 8845ef c645fc02 8bce }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   8dbd64ffffff         | lea                 edi, [ebp - 0x9c]
            //   e8????????           |                     
            //   8845ef               | mov                 byte ptr [ebp - 0x11], al
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8bce                 | mov                 ecx, esi

        $sequence_6 = { 59 885dfc 8d4de4 e8???????? 8b4df4 64890d00000000 5f }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   885dfc               | mov                 byte ptr [ebp - 4], bl
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   5f                   | pop                 edi

        $sequence_7 = { c645fc02 8d8554ffffff 50 e8???????? c645fc03 8d45d0 50 }
            // n = 7, score = 200
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d8554ffffff         | lea                 eax, [ebp - 0xac]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax

        $sequence_8 = { c645fc05 8d45d4 50 e8???????? 8d4548 50 e8???????? }
            // n = 7, score = 200
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4548               | lea                 eax, [ebp + 0x48]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_9 = { e8???????? c645fc02 6820bf0200 8b45e8 e8???????? 0fb6c0 3bc3 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   6820bf0200           | push                0x2bf20
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al
            //   3bc3                 | cmp                 eax, ebx

    condition:
        7 of them and filesize < 2495488
}
[TLP:WHITE] win_stuxnet_w0   (20190418 | Stuxshop standalone sample configuration)
rule win_stuxnet_w0 {
    meta:
        author = "JAG-S (turla@chronicle.security)"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        description = "Stuxshop standalone sample configuration"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
        $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
        $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
        $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide
        $regkey1  =  "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
        $regkey2  =  "NTVDMParams" ascii wide
        $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
        $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
        $flowerOverlap3  = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 5068 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
        $flowerOverlap4  = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
        $flowerOverlap5  = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
        $flowerOverlap6  = {   85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }
    condition:
        all of  ($flowerOverlap*) or 2 of ($cnc*) or all of  ($regkey*)
}
[TLP:WHITE] win_stuxnet_w1   (20190418 | No description)
rule win_stuxnet_w1 {
    meta:
        author = "Silas Cutler (havex@Chronicle.Security)"
        desc = "Identifies the OS Check function in STUXSHOP and CheshireCat"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E }
        $ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 }
    condition:
        any of them
}
Download all Yara Rules