Update to the REF2924 intrusion set and related campaigns — Elastic Security Labs
Tags
Common Information
Type | Value |
---|---|
UUID | 1035ec89-fc35-49cc-a42f-e247664e9f8d |
Fingerprint | ad3059306cfb8585 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 7, 2023, midnight |
Added to db | Nov. 20, 2023, 1:02 a.m. |
Last updated | Nov. 17, 2024, 10:40 p.m. |
Headline | Update to the REF2924 intrusion set and related campaigns |
Title | Update to the REF2924 intrusion set and related campaigns — Elastic Security Labs |
Detected Hints/Tags/Attributes | 104/2/38 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 32 | | graph.microsoft.com |
Details | Domain | 9 | | dns.question.name |
Details | Domain | 55 | | process.name |
Details | Domain | 96 | | malpedia.caad.fkie.fraunhofer.de |
Details | Domain | 98 | | www.secureworks.com |
Details | Domain | 57 | | www.ptsecurity.com |
Details | File | 748 | | kernel32.dll |
Details | File | 128 | | w3wp.exe |
Details | File | 1 | | image26.jpg |
Details | File | 3 | | core.bin |
Details | File | 2126 | | cmd.exe |
Details | File | 1 | | c:\foo\file.txt |
Details | File | 130 | | ws2_32.dll |
Details | File | 53 | | iphlpapi.dll |
Details | File | 25 | | log.dll |
Details | File | 6 | | bdreinit.exe |
Details | File | 3 | | ar.exe |
Details | File | 1122 | | svchost.exe |
Details | File | 16 | | wmplayer.exe |
Details | File | 172 | | dllhost.exe |
Details | File | 2 | | trojan.sie |
Details | File | 1 | | winnti-2020-eng.pdf |
Details | md5 | 1 | | 79cfdd0e92b120faadd7eb253eb800d0 |
Details | md5 | 1 | | 5a430ab45c7e142c70018b99fe0d2da3 |
Details | sha256 | 6 | | 386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd |
Details | Url | 1 | | https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry |
Details | Url | 1 | | https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers |
Details | Url | 1 | | https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad |
Details | Url | 3 | | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new |
Details | Url | 2 | | https://www.secureworks.com/research/shadowpad-malware-analysis |
Details | Url | 1 | | https://www.secureworks.com/research/threat-profiles/bronze-university |
Details | Url | 1 | | https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf |
Details | Url | 2 | | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang |
Details | Yara rule | 1 | | rule Windows_Trojan_DoorMe { meta: author = "Elastic Security" creation_date = "2022-12-09" last_modified = "2022-12-15" os = "Windows" arch = "x86" category_type = "Trojan" family = "DoorMe" threat_name = "Windows.Trojan.DoorMe" license = "Elastic License v2" strings: $seq_aes_crypto = { 8B 6C 24 ?? C1 E5 ?? 8B 5C 24 ?? 8D 34 9D ?? ?? ?? ?? 0F B6 04 31 32 44 24 ?? 88 04 29 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 32 44 24 ?? 88 44 29 ?? 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 44 30 F8 88 44 29 ?? 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 44 30 E0 88 44 29 ?? 8B 74 24 ?? } $seq_copy_str = { 48 8B 44 24 ?? 48 89 58 ?? 48 89 F1 4C 89 F2 49 89 D8 E8 ?? ?? ?? ?? C6 04 1E ?? } $seq_md5 = { 89 F8 44 21 C8 44 89 C9 F7 D1 21 F1 44 01 C0 01 C8 44 8B AC 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 48 89 B4 24 ?? ?? ?? ?? 44 89 44 24 ?? 46 8D 04 28 41 81 C0 ?? ?? ?? ?? 4C 89 AC 24 ?? ?? ?? ?? 41 C1 C0 ?? 45 01 C8 44 89 C1 44 21 C9 44 89 C2 F7 D2 21 FA 48 89 BC 24 ?? ?? ?? ?? 8D 2C 1E 49 89 DC 01 D5 01 E9 81 C1 ?? ?? ?? ?? C1 C1 ?? 44 01 C1 89 CA 44 21 C2 89 CD F7 D5 44 21 CD 8B 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 8D 1C 07 01 EB 01 DA 81 C2 ?? ?? ?? ?? C1 C2 ?? } $seq_calc_key = { 31 FF 48 8D 1D ?? ?? ?? ?? 48 83 FF ?? 4C 89 F8 77 ?? 41 0F B6 34 3E 48 89 F1 48 C1 E9 ?? 44 0F B6 04 19 BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 83 E6 ?? 44 0F B6 04 1E BA ?? ?? ?? ?? 48 8B 4D ?? E8 ?? ?? ?? ?? 48 83 C7 ?? } $seq_base64 = { 8A 45 ?? 8A 4D ?? C0 E0 ?? 89 CA C0 EA ?? 80 E2 ?? 08 C2 88 55 ?? C0 E1 ?? 8A 45 ?? C0 E8 ?? 24 ?? 08 C8 88 45 ?? 41 83 C4 ?? 31 F6 44 39 E6 7D ?? 66 90 } $str_0 = ".?AVDoorme@@" ascii fullword condition: 3 of ($seq*) or 1 of ($str*) } |
Details | Yara rule | 1 | | rule Windows_Trojan_SiestaGraph { meta: author = "Elastic Security" creation_date = "2022-12-14" last_modified = "2022-12-15" os = "windows" arch_context = "x86" category_type = "Trojan" family = "SiestaGraph" threat_name = "Windows.Trojan.SiestaGraph" license = "Elastic License v2" strings: $a1 = "downloadAsync" ascii nocase fullword $a2 = "UploadxAsync" ascii nocase fullword $a3 = "GetAllDriveRootChildren" ascii fullword $a4 = "GetDriveRoot" ascii fullword $a5 = "sendsession" wide fullword $b1 = "ListDrives" wide fullword $b2 = "Del OK" wide fullword $b3 = "createEmailDraft" ascii fullword $b4 = "delMail" ascii fullword condition: all of ($a*) and 2 of ($b*) } |
Details | Yara rule | 1 | | rule Windows_Trojan_ShadowPad_1 { meta: author = "Elastic Security" creation_date = "2023-01-23" last_modified = "2023-01-31" description = "Target SHADOWPAD obfuscation loader+payload" os = "Windows" arch = "x86" category_type = "Trojan" family = "ShadowPad" threat_name = "Windows.Trojan.ShadowPad" license = "Elastic License v2" strings: $a1 = { 87 0? 24 0F 8? } $a2 = { 9C 0F 8? } $a3 = { 03 0? 0F 8? } $a4 = { 9D 0F 8? } $a5 = { 87 0? 24 0F 8? } condition: all of them } |
Details | Yara rule | 1 | | rule Windows_Trojan_Shadowpad_2 { meta: author = "Elastic Security" creation_date = "2023-01-31" last_modified = "2023-01-31" description = "Target SHADOWPAD loader" os = "Windows" arch = "x86" category_type = "Trojan" family = "Shadowpad" threat_name = "Windows.Trojan.Shadowpad" license = "Elastic License v2" strings: $a1 = "{%8.8x-%4.4x-%4.4x-%8.8x%8.8x}" condition: all of them } |
Details | Yara rule | 1 | rule Windows_Trojan_Shadowpad_3 { meta: author = "Elastic Security" creation_date = "2023-01-31" last_modified = "2023-01-31" description = "Target SHADOWPAD payload" os = "Windows" arch = "x86" category_type = "Trojan" family = "Shadowpad" threat_name = "Windows.Trojan.Shadowpad" license = "Elastic License v2" strings: $a1 = "hH#whH#w" fullword $a2 = "Yuv~YuvsYuvhYuv]YuvRYuvGYuv1:tv<Yuvb#tv1Yuv-8tv&Yuv" fullword $a3 = "pH#wpH#w" fullword $a4 = "HH#wHH#wA" fullword $a5 = "xH#wxH#w:$" fullword $re1 = /(HTTPS|TCP|UDP):\/\/[^:]+:443/ condition: 4 of them } |