SYMBOLCOMMON_NAMEaka. SYNONYMS
win.whitebird (Back to overview)

WhiteBird


According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.

References
2020-09-25Dr.WebDr.Web
@techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } Spear phishing campaigns threaten Russian fuel and energy companies
WhiteBird
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
Yara Rules
[TLP:WHITE] win_whitebird_auto (20220516 | Detects win.whitebird.)
rule win_whitebird_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.whitebird."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a4301 3c01 7404 3c02 }
            // n = 4, score = 400
            //   8a4301               | push                0x73
            //   3c01                 | push                0x7a
            //   7404                 | pop                 eax
            //   3c02                 | mov                 word ptr [ebp - 0x3c], ax

        $sequence_1 = { eb09 80f92f 0f95c1 80c13f }
            // n = 4, score = 400
            //   eb09                 | mov                 eax, dword ptr [ebp - 0x43c]
            //   80f92f               | push                dword ptr [eax - 0x1c]
            //   0f95c1               | push                0
            //   80c13f               | mov                 dword ptr [ebp - 0xa38], ebx

        $sequence_2 = { 8a4302 84c0 7408 3c01 7404 }
            // n = 5, score = 400
            //   8a4302               | mov                 ecx, dword ptr [esp + 0x38]
            //   84c0                 | dec                 esp
            //   7408                 | lea                 eax, [0x4cf2]
            //   3c01                 | dec                 eax
            //   7404                 | lea                 edx, [0xffff9b5f]

        $sequence_3 = { 8a4302 84c0 7408 3c01 7404 3c02 }
            // n = 6, score = 400
            //   8a4302               | dec                 eax
            //   84c0                 | lea                 ecx, [esp + 0x60]
            //   7408                 | dec                 ebp
            //   3c01                 | mov                 eax, esp
            //   7404                 | dec                 eax
            //   3c02                 | mov                 edx, edi

        $sequence_4 = { 8a4302 84c0 7408 3c01 }
            // n = 4, score = 400
            //   8a4302               | mov                 eax, edi
            //   84c0                 | push                0x7a
            //   7408                 | pop                 eax
            //   3c01                 | mov                 word ptr [ebp - 0x1a], ax

        $sequence_5 = { 6644899c24ce000000 664489b424d0000000 6644899c24d2000000 664489a424d8000000 66898424e0000000 6689bc24da000000 }
            // n = 6, score = 200
            //   6644899c24ce000000     | dec    esp
            //   664489b424d0000000     | mov    esp, ecx
            //   6644899c24d2000000     | dec    eax
            //   664489a424d8000000     | lea    esi, [ecx + 0x250]
            //   66898424e0000000     | dec                 ecx
            //   6689bc24da000000     | lea                 ecx, [esp + 0x260]

        $sequence_6 = { 57 e8???????? e9???????? 83f854 7744 743e 83e850 }
            // n = 7, score = 200
            //   57                   | mov                 eax, ebx
            //   e8????????           |                     
            //   e9????????           |                     
            //   83f854               | dec                 ecx
            //   7744                 | inc                 edx
            //   743e                 | dec                 eax
            //   83e850               | not                 ecx

        $sequence_7 = { ff15???????? ba01000000 448d4205 418bcf ff15???????? 488be8 4885c0 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   ba01000000           | jne                 0x1294
            //   448d4205             | push                eax
            //   418bcf               | push                esi
            //   ff15????????         |                     
            //   488be8               | call                edi
            //   4885c0               | mov                 dword ptr [ebp - 0x25c], eax

        $sequence_8 = { 0fb78598fdffff 99 6a18 59 f7f9 0fb7859afdffff 6a3c }
            // n = 7, score = 200
            //   0fb78598fdffff       | mov                 word ptr [esp + 0xb6], dx
            //   99                   | lea                 edx, [esi + 3]
            //   6a18                 | mov                 word ptr [esp + 0x6e], bp
            //   59                   | mov                 word ptr [esp + 0xb8], dx
            //   f7f9                 | inc                 esp
            //   0fb7859afdffff       | mov                 byte ptr [esp + 0x40], dl
            //   6a3c                 | mov                 word ptr [esp + 0x74], di

        $sequence_9 = { 0f8e99000000 8d443803 3bc2 0f8f8d000000 6818030000 8d85acfcffff 6a00 }
            // n = 7, score = 200
            //   0f8e99000000         | mov                 word ptr [ebp - 0x2a], ax
            //   8d443803             | mov                 word ptr [ebp - 0x2a], ax
            //   3bc2                 | mov                 eax, esi
            //   0f8f8d000000         | mov                 word ptr [ebp - 0x28], ax
            //   6818030000           | xor                 eax, eax
            //   8d85acfcffff         | mov                 word ptr [ebp - 0x26], ax
            //   6a00                 | mov                 byte ptr [ebp - 8], al

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules