Unidentified 099 (APT29 Dropbox Loader) (Malware Family)

Unidentified 099 (APT29 Dropbox Loader)

Actor(s): APT29

This malware uses DropBox for C2 and was spread via spear-phishing attack at government organizations. It is different from win.boombox, which is another APT29 attributed malware using DropBox (written in .NET).

References

2022-09-06 ⋅ INCIBE-CERT ⋅ INCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage

2022-05-16 ⋅ Github (Dump-GUY) ⋅ Jiří Vinopal
Malware Analysis Report – APT29 C2-Client Dropbox Loader
Unidentified 099 (APT29 Dropbox Loader)

Yara Rules

[TLP:WHITE] win_unidentified_099_auto (20230808 | Detects win.unidentified_099.)

rule win_unidentified_099_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.unidentified_099."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4d8bc4 418bd6 498bcf e8???????? 4c8d8df0010000 458bc6 498bd7 }
            // n = 7, score = 100
            //   4d8bc4               | dec                 eax
            //   418bd6               | add                 ecx, ebp
            //   498bcf               | inc                 esp
            //   e8????????           |                     
            //   4c8d8df0010000       | mov                 eax, dword ptr [esp + 0x80]
            //   458bc6               | mov                 ecx, dword ptr [esp + 0x38]
            //   498bd7               | dec                 eax

        $sequence_1 = { 488d4808 e8???????? 488d057dec0000 488903 488bc3 }
            // n = 5, score = 100
            //   488d4808             | mov                 word ptr [ecx + 0x10], ax
            //   e8????????           |                     
            //   488d057dec0000       | dec                 eax
            //   488903               | lea                 ecx, [ebx + 0x26]
            //   488bc3               | dec                 eax

        $sequence_2 = { 488d0deb1effff 48c1e602 0fb784b910600100 488d9100570100 488d8d24030000 4c8bc6 4803cb }
            // n = 7, score = 100
            //   488d0deb1effff       | mov                 dword ptr [esp + 0x20], eax
            //   48c1e602             | dec                 esp
            //   0fb784b910600100     | mov                 dword ptr [esp + 0x60], esp
            //   488d9100570100       | dec                 eax
            //   488d8d24030000       | mov                 ecx, dword ptr [esp + 0x60]
            //   4c8bc6               | dec                 eax
            //   4803cb               | test                ecx, ecx

        $sequence_3 = { 0fb6842930ef0100 4883c103 8802 488d5201 4881f959010000 7ce5 4533c9 }
            // n = 7, score = 100
            //   0fb6842930ef0100     | dec                 eax
            //   4883c103             | lea                 eax, [0x9dfb]
            //   8802                 | dec                 eax
            //   488d5201             | mov                 dword ptr [ebp - 0x31], eax
            //   4881f959010000       | dec                 eax
            //   7ce5                 | mov                 dword ptr [ebp - 0x29], eax
            //   4533c9               | dec                 eax

        $sequence_4 = { 443820 75e4 8bca ffc2 4803c9 }
            // n = 5, score = 100
            //   443820               | jl                  0xf03
            //   75e4                 | inc                 ebp
            //   8bca                 | lea                 esi, [ebx + 0x39]
            //   ffc2                 | dec                 ecx
            //   4803c9               | arpl                si, cx

        $sequence_5 = { 488bd6 488be8 4d8d4715 488d442468 488bcd 4889442420 e8???????? }
            // n = 7, score = 100
            //   488bd6               | test                eax, eax
            //   488be8               | je                  0xa0b
            //   4d8d4715             | mov                 edx, 0x5c
            //   488d442468           | dec                 ecx
            //   488bcd               | mov                 ecx, esp
            //   4889442420           | dec                 eax
            //   e8????????           |                     

        $sequence_6 = { 85c0 7424 8b15???????? 33c0 85d2 7418 }
            // n = 6, score = 100
            //   85c0                 | sub                 esp, 0x20
            //   7424                 | inc                 esp
            //   8b15????????         |                     
            //   33c0                 | mov                 edi, ecx
            //   85d2                 | dec                 esp
            //   7418                 | lea                 esi, [0xffff3d52]

        $sequence_7 = { 488d5b01 4883ef01 75d8 33c0 488dbdf0010000 }
            // n = 5, score = 100
            //   488d5b01             | dec                 eax
            //   4883ef01             | mov                 dword ptr [esp + 0x60], eax
            //   75d8                 | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x68], eax
            //   488dbdf0010000       | xor                 eax, eax

        $sequence_8 = { ba02000000 660f1f440000 488d8980000000 0f1000 0f104810 }
            // n = 5, score = 100
            //   ba02000000           | mov                 ecx, dword ptr [esp + 0x60]
            //   660f1f440000         | dec                 eax
            //   488d8980000000       | test                ecx, ecx
            //   0f1000               | dec                 eax
            //   0f104810             | mov                 dword ptr [esp + 0x20], eax

        $sequence_9 = { c7442470fedcba98 c744247476543210 660f1f440000 49ffc0 42803c0000 75f6 488d55d0 }
            // n = 7, score = 100
            //   c7442470fedcba98     | dec                 esp
            //   c744247476543210     | mov                 esp, dword ptr [esp + 0x40]
            //   660f1f440000         | dec                 eax
            //   49ffc0               | mov                 ebx, dword ptr [esp + 0x48]
            //   42803c0000           | or                  dword ptr [esp + 0x40], 0x180
            //   75f6                 | dec                 esp
            //   488d55d0             | lea                 eax, [esp + 0x40]

    condition:
        7 of them and filesize < 314368
}

Download all Yara Rules

Unidentified 099 (APT29 Dropbox Loader) Propose Change

References

Yara Rules

Unidentified 099 (APT29 Dropbox Loader)