win.whitebird

WhiteBird


According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate on both 32-bit and 64-bit Microsoft Windows operating systems. Its configuration is encrypted with a single-byte XOR key. An interesting feature is that the malware can be restricted to operate only within configured "working_hours", with a granularity of one minute.

References
2020-09-25 | Dr.Web | Dr.Web
@techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } Spear phishing campaigns threaten Russian fuel and energy companies
WhiteBird
2020-07-20 | Dr.Web | Dr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
Yara Rules
[TLP:WHITE] win_whitebird_auto (20221125 | Detects win.whitebird.)
rule win_whitebird_auto {

    /* Auto-generated code-sequence signature for the WhiteBird backdoor
     * (Malpedia family win.whitebird).
     *
     * It matches short runs of x86/x64 opcode bytes that were selected from
     * the disassembly of unpacked files and memory dumps (see the DISCLAIMER
     * below), so it is intended for unpacked payloads and dumps rather than
     * for packed droppers as they sit on disk. A hit requires 7 of the 13
     * $sequence_N strings plus a file-size bound; see the condition.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.whitebird."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was allowed to use when picking
        // sequences: call/jump instructions, data references, binary values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird"
        malpedia_rule_date = "20221118"
        // NOTE(review): presumably identifies the Malpedia data snapshot the
        // rule was generated from -- confirm against the Malpedia rule set.
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* Each string is annotated with n (the number of instructions the
         * sequence spans) and score (presumably the generator's ranking of the
         * sequence; the 32-bit sequences here carry the higher value --
         * confirm against the yara-signator documentation).
         *
         * A `????` run in a hex string is a YARA wildcard: the immediate of a
         * call/jmp target or an absolute data address differs between builds
         * and relocations, so those bytes are left unmatched. The annotation
         * column is blank for those instructions.
         */
        $sequence_0 = { 8a4301 3c01 7404 3c02 }
            // n = 4, score = 400
            //   8a4301               | mov                 al, byte ptr [ebx + 1]
            //   3c01                 | cmp                 al, 1
            //   7404                 | je                  6
            //   3c02                 | cmp                 al, 2

        $sequence_1 = { 8a4302 84c0 7408 3c01 }
            // n = 4, score = 400
            //   8a4302               | mov                 al, byte ptr [ebx + 2]
            //   84c0                 | test                al, al
            //   7408                 | je                  0xa
            //   3c01                 | cmp                 al, 1

        $sequence_2 = { eb09 80f92f 0f95c1 80c13f }
            // n = 4, score = 400
            //   eb09                 | jmp                 0xb
            //   80f92f               | cmp                 cl, 0x2f
            //   0f95c1               | setne               cl
            //   80c13f               | add                 cl, 0x3f

        $sequence_3 = { a3???????? 8d8534ffffff 50 e8???????? 85c0 0f8545ffffff }
            // n = 6, score = 200
            //   a3????????           |                     (mov [abs32], eax -- address wildcarded)
            //   8d8534ffffff         | lea                 eax, [ebp - 0xcc]
            //   50                   | push                eax
            //   e8????????           |                     (call rel32 -- target wildcarded)
            //   85c0                 | test                eax, eax
            //   0f8545ffffff         | jne                 0xffffff4b

        /* NOTE(review): $sequence_4 .. $sequence_7 and $sequence_10 are 64-bit
         * code (leading 0x40-0x4f bytes such as 4c, 45, 41, 48 are REX
         * prefixes), but the annotations were produced by a 32-bit decode and
         * are also not aligned with the bytes they sit next to: e.g.
         * 0f8425010000 under $sequence_6 is a `je`, while the
         * `mov word ptr [esp + ...]` lines listed there correspond to the
         * 6689... bytes of $sequence_10. YARA matches the hex bytes only;
         * treat these annotations as informational and do not rely on them
         * when assessing what the sequences cover.
         */
        $sequence_4 = { e8???????? 4c8d44246c 4533c9 418bd5 488bcd 4c896c2468 }
            // n = 6, score = 200
            //   e8????????           |                     (call rel32 -- target wildcarded)
            //   4c8d44246c           | dec                 esp
            //   4533c9               | lea                 eax, [esp + 0x6c]
            //   418bd5               | inc                 ebp
            //   488bcd               | xor                 ecx, ecx
            //   4c896c2468           | inc                 ecx

        $sequence_5 = { e9???????? 81bc241c010000c8000000 0f8491050000 81bc241c01000097010000 }
            // n = 4, score = 200
            //   e9????????           |                     (jmp rel32 -- target wildcarded)
            //   81bc241c010000c8000000     | lea    eax, [ecx - 0x45]
            //   0f8491050000         | je                  0x12b
            //   81bc241c01000097010000     | inc    ebp

        $sequence_6 = { 0f8425010000 4533c9 448bc3 488bd0 }
            // n = 4, score = 200
            //   0f8425010000         | mov                 word ptr [esp + 0x3e], cx
            //   4533c9               | mov                 word ptr [esp + 0x48], cx
            //   448bc3               | mov                 word ptr [esp + 0x40], ax
            //   488bd0               | mov                 word ptr [esp + 0x42], ax

        $sequence_7 = { c744246c01000000 c744247c02000000 4c89bc2480000000 89442478 }
            // n = 4, score = 200
            //   c744246c01000000     | xor                 ecx, ecx
            //   c744247c02000000     | inc                 esp
            //   4c89bc2480000000     | mov                 eax, ebx
            //   89442478             | dec                 eax

        $sequence_8 = { 68???????? 50 e8???????? 33c9 83c428 398df0feffff 7c46 }
            // n = 7, score = 200
            //   68????????           |                     (push imm32 -- value wildcarded)
            //   50                   | push                eax
            //   e8????????           |                     (call rel32 -- target wildcarded)
            //   33c9                 | xor                 ecx, ecx
            //   83c428               | add                 esp, 0x28
            //   398df0feffff         | cmp                 dword ptr [ebp - 0x110], ecx
            //   7c46                 | jl                  0x48

        $sequence_9 = { 56 8d85fcfbffff 50 ffb5e8faffff ff15???????? 83f80a }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   50                   | push                eax
            //   ffb5e8faffff         | push                dword ptr [ebp - 0x518]
            //   ff15????????         |                     (call [abs32] -- import slot wildcarded)
            //   83f80a               | cmp                 eax, 0xa

        $sequence_10 = { 66894c243e 66894c2448 6689442440 6689442442 8d41bb }
            // n = 5, score = 200
            //   66894c243e           | mov                 edx, ebp
            //   66894c2448           | dec                 eax
            //   6689442440           | mov                 ecx, ebp
            //   6689442442           | dec                 esp
            //   8d41bb               | mov                 dword ptr [esp + 0x68], ebp

        $sequence_11 = { 8d85f0dbffff 83c424 8d4801 8a10 40 }
            // n = 5, score = 200
            //   8d85f0dbffff         | lea                 eax, [ebp - 0x2410]
            //   83c424               | add                 esp, 0x24
            //   8d4801               | lea                 ecx, [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax

        $sequence_12 = { 8b4004 eb02 8bc6 8b5804 }
            // n = 4, score = 200
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   eb02                 | jmp                 4
            //   8bc6                 | mov                 eax, esi
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]

    condition:
        // 7 of the 13 sequences must be present, so an input that shares only
        // a few generic compiler idioms with the reference sample does not
        // fire the rule. The size cap is 139264 bytes (136 KiB): a larger
        // input never matches even if every sequence is present, so a sample
        // with appended or padded data, or a large dump, will be missed.
        // NOTE(review): `filesize` may not be defined when scanning process
        // memory rather than a file or dump -- confirm with the YARA version
        // in use before relying on this rule for live scanning.
        7 of them and filesize < 139264
}