OLD DOGS NEW TRICKS: ATTACKERS ADOPT EXOTIC PROGRAMMING LANGUAGES
Common Information
Type | Value |
---|---|
UUID | db8e8c8f-2136-486a-99c8-fe3fcebaaf13 |
Fingerprint | bd034f1858205893b134be4a349669ae4772a6461cc02e4f6c2a264f8343e13a |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 23, 2021, 10:03 a.m. |
Added to db | April 14, 2024, 1:05 a.m. |
Last updated | Aug. 31, 2024, 6:18 a.m. |
Headline | OLD DOGS NEW TRICKS: ATTACKERS ADOPT EXOTIC PROGRAMMING LANGUAGES |
Title | OLD DOGS NEW TRICKS: ATTACKERS ADOPT EXOTIC PROGRAMMING LANGUAGES |
Detected Hints/Tags/Attributes | 250/3/128 |
Attributes
| Type | #Events | Value |
|---|---|---|
| CVE | 21 | cve-2021-3156 |
| Domain | 26 | crates.io |
| Domain | 32 | golang.org |
| Domain | 144 | cock.li |
| Domain | 675 | www.linkedin.com |
| Domain | 53 | blogs.blackberry.com |
| Domain | 622 | en.wikipedia.org |
| Domain | 251 | www.bleepingcomputer.com |
| Domain | 247 | www.virusbulletin.com |
| Domain | 184 | www.fireeye.com |
| Domain | 138 | www.darkreading.com |
| Domain | 38 | blog.netlab.360.com |
| Domain | 4127 | github.com |
| Domain | 13 | www.binarydefense.com |
| Domain | 14 | gs.statcounter.com |
| Domain | 71 | blogs.jpcert.or.jp |
| Domain | 23 | www.intezer.com |
| Domain | 1 | 1c7qp243xy9g1qeffp1k1nvo-wpengine.netdna-ssl.com |
| Domain | 1 | dlang.org |
| Domain | 1 | livebook.manning.com |
| Domain | 105 | web.archive.org |
| Domain | 3 | nim-lang.org |
| Domain | 1 | foundation.rust-lang.org |
| Domain | 2 | stackoverflow.blog |
| Domain | 3 | www.memorysafety.org |
| Domain | 175 | www.zdnet.com |
| Domain | 2 | doc.rust-lang.org |
| Domain | 21 | news.drweb.com |
| Domain | 1 | talks.golang.org |
| Domain | 2 | golangbot.com |
| Domain | 3 | wiki.debian.org |
| Domain | 13 | broadcom.com |
| Domain | 8 | www.kryptoslogic.com |
| Domain | 1 | www.goggleheadedhacker.com |
| Domain | 41 | www.cisecurity.org |
| Domain | 172 | www.crowdstrike.com |
| Domain | 2 | blog.golang.org |
| Domain | 1373 | twitter.com |
| Domain | 29 | blackberry.com |
| | 2 | vovanandlexus@cock.li |
| File | 674 | node.js |
| File | 2 | dirtytest.exe |
| File | 1 | vovalex.txt |
| File | 1 | use-of-delphi-packer-to-evade-malware-classification.html |
| File | 85 | www.bin |
| File | 8 | malware-wellmes-9b78.html |
| File | 1 | vs-malware-white-paper.pdf |
| File | 1 | areas-of-d-usage.html |
| File | 1 | details-of-recent-cyber-attack-actions-to-protect-community.html |
| File | 6 | news.html |
| File | 1 | version-0102-released.html |
| File | 1 | why-cargo-exists.html |
| Github username | 2 | burrowers |
| Github username | 1 | moloch-- |
| Github username | 1 | casualx |
| Github username | 1 | graydon |
| Github username | 48 | microsoft |
| Github username | 1 | indygreg |
| Github username | 1 | darkarp |
| Github username | 1 | stratisiot |
| Github username | 21 | fireeye |
| Github username | 3 | epi052 |
| md5 | 1 | 06f23da70e8da5f1231dae542708d4b9 |
| md5 | 1 | a584e0e9fb9f4fbc415a1ef3c40e8812 |
| sha1 | 1 | b0fd440798ab3cfb05c60a1a1bd2894e1618479e |
| Threat Actor Identifier - APT | 665 | APT29 |
| Threat Actor Identifier - APT | 783 | APT28 |
| Url | 1 | https://www.linkedin.com/in/eric-milam |
| Url | 1 | https://blogs.blackberry.com/en/author/the-blackberry-research-and-intelligence-team |
| Url | 1 | https://en.wikipedia.org/wiki/iloveyou |
| Url | 1 | https://www.bleepingcomputer.com/news/security/bazarloader-used-to-deploy-ryuk-ransomware-on- |
| Url | 2 | https://www.virusbulletin.com/virusbulletin/2014/07 |
| Url | 1 | https://www.fireeye.com/blog/threat-research/2018/09/increased- |
| Url | 1 | https://en.wikipedia.org/wiki/yara |
| Url | 2 | https://www.darkreading.com/threat-intelligence |
| Url | 1 | https://blog.netlab.360.com/blackrota-a-heavily-obfuscated-backdoor-written-in-go |
| Url | 1 | https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat |
| Url | 2 | https://github.com/burrowers/garble |
| Url | 1 | https://github.com/moloch--/denim |
| Url | 1 | https://github.com/casualx/obfstr |
| Url | 1 | https://www.binarydefense.com |
| Url | 1 | https://gs.statcounter.com/os-market-share |
| Url | 7 | https://www.bleepingcomputer.com/news/security |
| Url | 1 | https://blogs.blackberry.com/en/2019/08/mirai-botnet-spawns-echobot-malware |
| Url | 8 | https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html |
| Url | 3 | https://en.wikipedia.org/wiki/cozy_bear |
| Url | 1 | https://www.intezer.com/blog/research |
| Url | 1 | https://1c7qp243xy9g1qeffp1k1nvo-wpengine.netdna-ssl.com/wp-content/uploads/2015/04/math- |
| Url | 1 | https://blogs.blackberry.com/en/2016/07/no-more-sacrificial-lambs |
| Url | 1 | https://dlang.org/areas-of-d-usage.html |
| Url | 1 | https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares- |
| Url | 1 | https://blogs.blackberry.com/en/author |
| Url | 1 | https://livebook.manning.com/book/nim-in-action/chapter-1/5 |
| Url | 1 | https://web.archive.org/web/20160626002904/http:/nim-lang.org/news.html |
| Url | 1 | https://nim-lang.org/blog/2014/12/29/version-0102-released.html |
| Url | 1 | https://blogs.blackberry.com/en/2019/09 |
| Url | 1 | https://github.com/graydon/rust-prehistory/commit/b0fd440798ab3cfb05c60a1a1bd2894e1618479e |
| Url | 1 | https://foundation.rust-lang.org/members |
| Url | 1 | https://github.com/microsoft/windows-rs%20 |
| Url | 1 | https://stackoverflow.blog/2020/05/27/2020-stack-overflow-developer-survey-results |
| Url | 1 | https://www.memorysafety.org/initiative/linux-kernel |
| Url | 1 | https://stackoverflow.blog/2020/01/20/what-is-rust-and-why-is-it-so-popular |
| Url | 4 | https://www.zdnet.com/article |
| Url | 1 | https://doc.rust-lang.org/cargo/guide/why-cargo-exists.html |
| Url | 1 | https://blogs.blackberry.com/en/2020/11/the-art-of-targeted-phishing-how-not-to-get-hooked |
| Url | 1 | https://news.drweb.com/show/?i=10193&lng=en&c=14 |
| Url | 1 | https://github.com/indygreg/pyoxidizer |
| Url | 1 | https://github.com/darkarp/chromepass |
| Url | 1 | https://talks.golang.org/2012/splash.article46 |
| Url | 2 | https://golangbot.com/goroutines |
| Url | 1 | https://wiki.debian.org/apt |
| Url | 1 | https://github.com/stratisiot/gobfuscator |
| Url | 1 | https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation |
| Url | 1 | https://www.goggleheadedhacker.com/blog/post/22 |
| Url | 1 | https://www.cisecurity.org/solarwinds |
| Url | 1 | https://github.com/fireeye |
| Url | 60 | https://github.com |
| Url | 1 | https://github.com/epi052/feroxbuster |
| Url | 2 | https://www.crowdstrike.com/blog/guloader-malware-analysis |
| Url | 1 | https://blog.golang.org/survey2020-results |
| Url | 1 | https://www.linkedin.com/in/stevenumiller |
| Url | 1 | https://twitter.com/stvemillertime/status/1404532957604323329 |
| Url | 1 | https://twitter.com/stevemk14ebr/status/1399777922743996417 |
Yara rules

```yara
import "pe"
import "math"
import "hash"

rule Mal_InfoStealer_RemcosRAT
{
    meta:
        description = "Dlang wrapped RemcosRAT"
        author = "Blackberry Threat Research & Intelligence"
    strings:
        $f0 = { 48 3A 2F 50 72 75 65 62 61 73 2F 43 }
        $f1 = { 43 43 52 59 50 54 45 52 42 4C 41 55 }
        $DLang_Str1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
        $DLang_Str2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide
        $DLang_Str3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide
        $DLang_Str4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
        $DLang_Str5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and
        pe.imphash() == "06f23da70e8da5f1231dae542708d4b9" and
        all of ($f*) and 3 of ($DLang_Str*)
}
```

```yara
import "pe"
import "math"
import "hash"

rule Mal_Ransom_OutCrypt
{
    meta:
        description = "OutCrypt Ransomware"
        author = "Blackberry Threat Research & Intelligence"
    strings:
        $f0 = { B9 E0 79 46 00 B8 2A 00 00 00 }
        $f1 = { BB 20 7A 46 00 }
        $f2 = { B9 90 79 46 00 51 6A 13 FF 75 24 FF 75 20 BA 50 A7 46 00 52 E8 66 DA 00 00 83 C4 14 52 50 E8 68 19 00 00 8D 45 A8 E8 64 CD 00 00 8D 45 B4 E8 5C CD 00 00 C7 45 FC 01 00 00 00 8D 8D F4 FF FF FF 6A 01 51 68 90 70 46 00 E8 2A DA 00 00 83 C4 0C E8 02 00 00 00 EB 10 }
        $f3 = { BA D0 9B 46 00 }
        $f4 = "HESOYAMAEZAKMIRIPAZHAHESOYAMAEZAKMIRIPAZHA" ascii wide
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and
        pe.imphash() == "a584e0e9fb9f4fbc415a1ef3c40e8812" and
        all of ($f*)
}
```

```yara
import "pe"
import "math"
import "hash"

rule Mal_Ransom_Vovalex
{
    meta:
        description = "Vovalex Ransomware"
        author = "Blackberry Threat Research & Intelligence"
    strings:
        $f0 = { 52 45 41 44 4D 45 2E 56 4F 56 41 4C }
        $f1 = { 6E 6F 74 65 70 61 64 00 }
        $rans_note1 = "Send us a mail with proofs of transaction: VovanAndLexus@cock.li"
        $rans_note2 = "README.VOVALEX.txt"
        $rans_note3 = "VovanAndLexus@cock.li"
        $rans_note4 = "Monero: 4B45W7V1sJAZBnPSnvcipa5k7BRyC4w8GCTfQCUL2XRx5CFzG3iJtEk2kqEvFbF7FagEafRYFfQ6FJnZmep5TsnrSfxpMkS"
        $rans_note5 = "Send 0.5 XMR to this Monero wallet: 4B45W7V1sJAZBnPSnvcipa5k7BRyC4w8GCTfQCUL2XRx5CFzG3iJtEk2kqEvFbF7FagEafRYFfQ6FJnZmep5TsnrSfxpMkS"
    condition:
        pe.is_64bit() and all of ($f*) and 4 of ($rans_note*)
}
```

```yara
rule Mal_ShellcodeLoader_Go
{
    meta:
        author = "Blackberry Threat Research & Intelligence"
        description = "Tags Go Specific build tags and the presence of shell code headers"
    strings:
        $Go1 = "go.buildid" ascii wide
        $Go2 = "Go build ID:" ascii wide
        $shellcode_fiber_header_x86 = { FC E8 ( 89 | 82 ) 00 00 00 60 89 E5 31 D2 }
        $shellcode_fiber_header_x64 = { FC 48 83 E4 F0 E8 ( C0 | CC ) 00 00 00 }
    condition:
        uint16(0) == 0x5a4d and ($Go1 or $Go2) and
        ($shellcode_fiber_header_x86 or $shellcode_fiber_header_x64)
}
```

```yara
rule Mal_ShellcodeLoader_Nim
{
    meta:
        author = "Blackberry Threat Research & Intelligence"
        description = "Tags Nim Specific function name and either shellcode headers or the presence of the string shellcode"
    strings:
        $nim_outOfMemHook = { 6F 75 74 4F 66 4D 65 6D 48 6F 6F 6B 5F 5F 6B 5A 4E 61 41 37 75 31 4D 66 53 57 35 5A 65 6F 47 76 77 38 78 67 00 }
        $shellcode_fiber_header_x86 = { FC E8 ( 89 | 82 ) 00 00 00 60 89 E5 31 D2 }
        $shellcode_fiber_header_x64 = { FC 48 83 E4 F0 E8 ( C0 | CC ) 00 00 00 }
        $shellcode = "shellcode" nocase
    condition:
        uint16(0) == 0x5a4d and $nim_outOfMemHook and
        (($shellcode_fiber_header_x86 or $shellcode_fiber_header_x64) or $shellcode)
}
```