SYMBOLCOMMON_NAMEaka. SYNONYMS
win.whitebird (Back to overview)

WhiteBird


According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.

References
2020-09-25Dr.WebDr.Web
@techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } Spear phishing campaigns threaten Russian fuel and energy companies
WhiteBird
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
Yara Rules
[TLP:WHITE] win_whitebird_auto (20210616 | Detects win.whitebird.)
rule win_whitebird_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.whitebird."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a4302 84c0 7408 3c01 7404 }
            // n = 5, score = 400
            //   8a4302               | cmp                 eax, esi
            //   84c0                 | je                  0x13ac
            //   7408                 | dec                 esp
            //   3c01                 | mov                 ecx, eax
            //   7404                 | dec                 esp

        $sequence_1 = { 8a4302 84c0 7408 3c01 7404 3c02 }
            // n = 6, score = 400
            //   8a4302               | mov                 dword ptr [esp + 0x24], 0x40
            //   84c0                 | jmp                 0x1678
            //   7408                 | dec                 eax
            //   3c01                 | lea                 eax, dword ptr [0xffffd981]
            //   7404                 | dec                 eax
            //   3c02                 | lea                 ecx, dword ptr [esp + 0x20]

        $sequence_2 = { 8a4302 84c0 7408 3c01 }
            // n = 4, score = 400
            //   8a4302               | mov                 word ptr [esp + 0xd6], ax
            //   84c0                 | mov                 word ptr [esp + 0xd6], ax
            //   7408                 | lea                 eax, dword ptr [edi + 0x4a]
            //   3c01                 | inc                 sp

        $sequence_3 = { eb09 80f92f 0f95c1 80c13f }
            // n = 4, score = 400
            //   eb09                 | push                edi
            //   80f92f               | lea                 eax, dword ptr [ebp - 0x20c]
            //   0f95c1               | cmp                 esi, -1
            //   80c13f               | je                  0x2b8

        $sequence_4 = { 8a4301 3c01 7404 3c02 }
            // n = 4, score = 400
            //   8a4301               | mov                 word ptr [esp + 0xd4], ax
            //   3c01                 | lea                 eax, dword ptr [edi + 0x31]
            //   7404                 | inc                 sp
            //   3c02                 | mov                 dword ptr [esp + 0xc2], ebx

        $sequence_5 = { 0fb603 4903da c1e008 0bc8 8bc1 c1e106 }
            // n = 6, score = 200
            //   0fb603               | lea                 eax, dword ptr [ebp - 0x290]
            //   4903da               | and                 dword ptr [ebp - 0x248c], 0
            //   c1e008               | mov                 dword ptr [ebp - 0x24b4], eax
            //   0bc8                 | mov                 eax, dword ptr [ebp + 0x1c]
            //   8bc1                 | push                6
            //   c1e106               | mov                 dword ptr [ebp - 0x24a8], eax

        $sequence_6 = { 33db 89b5d0fdffff e8???????? 83c40c 56 6a02 e8???????? }
            // n = 7, score = 200
            //   33db                 | cmp                 ecx, edi
            //   89b5d0fdffff         | je                  0x1b77
            //   e8????????           |                     
            //   83c40c               | je                  0x1bee
            //   56                   | dec                 esp
            //   6a02                 | lea                 eax, dword ptr [esp + 0x1c0]
            //   e8????????           |                     

        $sequence_7 = { 8d45f8 50 8d8684000000 50 c745f840000000 ff15???????? 8d862c010000 }
            // n = 7, score = 200
            //   8d45f8               | mov                 ebp, ecx
            //   50                   | dec                 eax
            //   8d8684000000         | test                edi, edi
            //   50                   | je                  0xa11
            //   c745f840000000       | dec                 eax
            //   ff15????????         |                     
            //   8d862c010000         | xor                 eax, esp

        $sequence_8 = { 7f31 4863d7 488bcd 4803d6 e8???????? 85c0 7e22 }
            // n = 7, score = 200
            //   7f31                 | inc                 ecx
            //   4863d7               | mov                 byte ptr [ecx], al
            //   488bcd               | movzx               eax, byte ptr [esp + 0x18]
            //   4803d6               | and                 eax, 3
            //   e8????????           |                     
            //   85c0                 | shl                 eax, 4
            //   7e22                 | dec                 eax

        $sequence_9 = { 57 8b7d0c 803f3d 0f84a8000000 8a0f 84c9 7443 }
            // n = 7, score = 200
            //   57                   | push                ebx
            //   8b7d0c               | test                eax, eax
            //   803f3d               | jne                 0x13b5
            //   0f84a8000000         | push                ebx
            //   8a0f                 | push                ebx
            //   84c9                 | push                dword ptr [ebp - 0xa1c]
            //   7443                 | mov                 eax, dword ptr [ebp - 0xa14]

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules