TONERJAM (Malware Family)

TONERJAM

According to Symantec, Grager was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of the backdoor revealed that it used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive. Grager was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.

References

2024-08-07 ⋅ Symantec ⋅ Threat Hunter Team
Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
GoGra MOONTAG Ondritols TONERJAM

2024-04-04 ⋅ Mandiant ⋅ Ashley Pearson, Austin Larsen, Billy Wong, John Wolfram, Joseph Pisano, Josh Murchie, Lukasz Lamparski, Matt Lin, Ron Craft, Ryan Hall, Shawn Chew, Tyler McLellan
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
TONERJAM

Yara Rules

[TLP:WHITE] win_tonerjam_w0 (20241029 | No description)

rule win_tonerjam_w0 {
    meta:
        author = "Mandiant"
        source = "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonerjam"
        malpedia_version = "20241029"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8}
        $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d}

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            ($p00_0 in (17000..28000) and $p00_1 in (3700..14000))
        )
}

Download all Yara Rules

TONERJAM Propose Change

References

Yara Rules

TONERJAM