win.vapor_rage

VaporRage

aka: BOOMMIC

Actor(s): APT29


According to Mandiant, VaporRage (also tracked as BOOMMIC) is a shellcode downloader written in C that communicates over HTTPS. Shellcode payloads are retrieved from a hardcoded C2, which is queried with an encoded host_id derived from the target's domain and account name. BOOMMIC XOR-decodes the downloaded shellcode in memory and executes it, so the second-stage payload never touches disk in decoded form; file-based signatures on the downloader (such as the rule below) do not cover that payload, which has to be caught by memory scanning or network telemetry.

References
2022-09-06 · INCIBE-CERT · INCIBE
@techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2022-11-22} } Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-04-29 · Mandiant · John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
@online{wolfram:20220429:trello:c078513, author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby}, title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}}, date = {2022-04-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns}, language = {English}, urldate = {2022-10-19} } Trello From the Other Side: Tracking APT29 Phishing Campaigns
BEATDROP VaporRage
Yara Rules
[TLP:WHITE] win_vapor_rage_auto (20230125 | Detects win.vapor_rage.)
rule win_vapor_rage_auto {

    /*
     * Auto-generated code-sequence rule for win.vapor_rage (BOOMMIC).
     * Matches on 7 of 10 short x86 (32-bit) instruction byte sequences
     * taken from unpacked / in-memory samples. It is NOT a rule on the
     * downloaded second-stage shellcode, only on the downloader itself.
     * Packed samples on disk will not expose these sequences.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.vapor_rage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-local pointer arithmetic (add a base and an offset, then read
        // [ecx+0xc]); compiler-typical and not specific to this family on its own.
        $sequence_0 = { eba5 8b45f4 0345dc 8945f0 8b4df0 8b55f4 03510c }
            // n = 7, score = 100
            //   eba5                 | jmp                 0xffffffa7
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0345dc               | add                 eax, dword ptr [ebp - 0x24]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   03510c               | add                 edx, dword ptr [ecx + 0xc]

        // Two calls each passed the constant 0x104 (260). NOTE(review): 0x104 is
        // MAX_PATH on Windows, so this is presumably a path/buffer-size argument
        // (e.g. a string or name lookup) - not confirmed from the bytes alone.
        $sequence_1 = { 6804010000 e8???????? 83c404 8945a0 8b55a0 8955b4 6804010000 }
            // n = 7, score = 100
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   8b55a0               | mov                 edx, dword ptr [ebp - 0x60]
            //   8955b4               | mov                 dword ptr [ebp - 0x4c], edx
            //   6804010000           | push                0x104

        // Prologue, a 32-bit immediate pushed to a call, then a counted loop
        // (mov ecx, N / dec ecx). The same shape recurs in $sequence_4..7 with
        // different immediates; NOTE(review): the immediates look like hashed
        // API names used for dynamic import resolution, but that is an
        // assumption to verify in the sample, not something these bytes prove.
        $sequence_2 = { 55 8bec 6804db470d e8???????? 8d642404 b903000000 49 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6804db470d           | push                0xd47db04
            //   e8????????           |                     
            //   8d642404             | lea                 esp, [esp + 4]
            //   b903000000           | mov                 ecx, 3
            //   49                   | dec                 ecx

        // CAVEAT: this pattern embeds an absolute virtual address (0x1001feb0),
        // i.e. it is tied to the image base the sample was dumped at (likely a
        // DLL at its default 0x10000000 base). A relocated load or a dump taken
        // at a different base will not match this sequence; the rule still fires
        // on 7 of the remaining 9. The imul-by-0x30 / sar-6 indexing and the
        // cmp [esi+0x18], -1 are characteristic of a CRT-style handle table walk,
        // so this may be library code rather than malware logic - hedge accordingly.
        $sequence_3 = { 8bc7 8bcf 83e03f c1f906 6bf030 03348db0fe0110 837e18ff }
            // n = 7, score = 100
            //   8bc7                 | mov                 eax, edi
            //   8bcf                 | mov                 ecx, edi
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf030               | imul                esi, eax, 0x30
            //   03348db0fe0110       | add                 esi, dword ptr [ecx*4 + 0x1001feb0]
            //   837e18ff             | cmp                 dword ptr [esi + 0x18], -1

        // Epilogue of one function followed by the prologue + immediate-push
        // of the next; relies on the two functions being adjacent in the binary.
        $sequence_4 = { 8be5 5d c3 55 8bec 685ceec603 e8???????? }
            // n = 7, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   685ceec603           | push                0x3c6ee5c
            //   e8????????           |                     

        // Immediate-push + call, then a loop that re-pushes the caller's
        // arguments ([ebp + ecx*4 + 8]) 8 times - consistent with a
        // call-by-resolved-pointer thunk; same hedge as $sequence_2.
        $sequence_5 = { 6807355bc4 e8???????? 8d642404 b908000000 49 ff748d08 75f9 }
            // n = 7, score = 100
            //   6807355bc4           | push                0xc45b3507
            //   e8????????           |                     
            //   8d642404             | lea                 esp, [esp + 4]
            //   b908000000           | mov                 ecx, 8
            //   49                   | dec                 ecx
            //   ff748d08             | push                dword ptr [ebp + ecx*4 + 8]
            //   75f9                 | jne                 0xfffffffb

        // Tail of one thunk (lea esp,[esp+4] / leave / ret) into the head of
        // the next; again depends on function adjacency.
        $sequence_6 = { 8d642404 8be5 5d c3 55 8bec 68131b9101 }
            // n = 7, score = 100
            //   8d642404             | lea                 esp, [esp + 4]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   68131b9101           | push                0x1911b13

        // Same thunk shape as $sequence_2 with a different immediate and a
        // single-iteration loop (mov ecx, 1).
        $sequence_7 = { 55 8bec 685d0523e7 e8???????? 8d642404 b901000000 49 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   685d0523e7           | push                0xe723055d
            //   e8????????           |                     
            //   8d642404             | lea                 esp, [esp + 4]
            //   b901000000           | mov                 ecx, 1
            //   49                   | dec                 ecx

        // Only 5 bytes of fixed content around two wildcarded operands; the
        // weakest pattern here (push 0xf then push of a data reference).
        $sequence_8 = { e8???????? 83c408 8945b4 6a0f 68???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   6a0f                 | push                0xf
            //   68????????           |                     

        // Prologue, call, then "return -1 on zero result" (or eax, -1) - a
        // generic error-path idiom, likely to appear in unrelated code too.
        $sequence_9 = { 55 8bec 51 e8???????? 85c0 7505 83c8ff }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   83c8ff               | or                  eax, 0xffffffff

    condition:
        // 7 of 10 sequences gives tolerance for the base-dependent $sequence_3
        // and for minor recompiles. The 290 KiB bound limits false positives on
        // large binaries; NOTE(review): confirm how `filesize` is evaluated in
        // your scanner when this rule is applied to process memory rather than
        // files, since the sequences were derived from memory dumps.
        7 of them and filesize < 296960
}