{ "Event": { "analysis": "2", "date": "2017-07-21", "extends_uuid": "", "info": "OSINT - Rurktar - Spyware under Construction", "publish_timestamp": "1500647729", "published": true, "threat_level_id": "3", "timestamp": "1500647714", "uuid": "59720fc0-19c8-47f0-92e2-4dff950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": false, "type": "link", "uuid": "59721042-1400-40a3-80c9-473b950d210f", "value": "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": false, "type": "text", "uuid": "5972104f-4280-47eb-8fb6-4fa5950d210f", "value": "Researchers at G DATA have examined a new spyware which still seems to be in a development stage. But what is it about and what are its objectives?\r\nThe development of any kind of software takes time. Not every function that is planned for the final product is implemented right from the start. It does not come as a surprise that this is also true for the development of malware. At the G DATA Security Labs, a file has sparked the interest of our researchers - this file is interesting for a number of reasons.\r\n\r\nWho commissioned it?\r\nThe new espionage tool which was christened \"Rurktar\" allows some conclusions as to its origin. It is very likely that it originates from Russia. There is quite some evidence to support this: some of the internal error messages of Rurktar are in Russian. Also, the IP addresses used for remote control of the spyware are located in Russia.\r\n\r\nIt is not 100 per cent clear whether Rurktar is the work of a single individual or a development team. What we can say, though, is that a Dropbox folder is used as a working directory. There are several possible reasons for this. One of them is that several developers are cooperating here and consolidate their work through a Dropbox. What Dropbox can also be used for by a single individual is a crude and very basic versioning system - some Dropbox accounts offer the possibility of restoring earlier versions of a file. Therefore, it can be used to track changes, but it is not ideal from a developer's standpoint. Using Dropbox as a backup is, of course, also a possibility to be considered here." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": false, "type": "link", "uuid": "5972105c-5c74-4639-99e2-4bc2950d210f", "value": "https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdf" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": true, "type": "sha256", "uuid": "5972107b-91b0-42f4-8e60-45f6950d210f", "value": "b4b75bda475ea58f2a5cf3329e311a70fa56745ba6cb2785523fa53139d4e37f" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": true, "type": "sha256", "uuid": "5972107b-709c-4caa-be1f-425d950d210f", "value": "54f25a6820b8a0e3fc26bdf4599e7db695ef7aefb7dcefaa2c2581bb58426a40" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": true, "type": "sha256", "uuid": "5972107b-f3fc-4302-855f-48bc950d210f", "value": "89110710eddd0da23ea206a6047c252bf1e16a2d1957729973d77a58219e614b" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": true, "type": "sha256", 
"uuid": "5972107b-2858-4d4e-9fca-47a9950d210f", "value": "618908e3d368301a323ee8ae7df867db8d7f5a98b513cfb8c961fb945e62a9b6" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1500647714", "to_ids": true, "type": "yara", "uuid": "597210b0-4b54-4f70-be6a-47ab950d210f", "value": "rule Rurktar\r\n{\r\nmeta:\r\nauthor = \"Nathan Stern\"\r\ndescription = \"Rurktar detection rule\"\r\nstrings:\r\n $a = \"FriendlyID\" wide ascii nocase\r\n $a2 = \"CaptureMode\" wide ascii nocase\r\n $a3 = \"CaptureStart\" wide ascii nocase\r\n $a4 = \"CaptureMonikerString\" wide ascii nocase\r\n $a5 = \"ACaptureMonikerString\" wide ascii nocase\r\n $a6 = \"VideoCap\" wide ascii nocase\r\n $a7 = \"SkipFrames\" wide ascii nocase\r\n $a8 = \"SkipDetectionFrames\" wide ascii nocase\r\n $a9 = \"SkipTakeFrames\" wide ascii nocase\r\n $a10 = \"DetectionPreBuffer\" wide ascii nocase\r\n $a11 = \"MaxCaptureFrames\" wide ascii nocase\r\n $a12 = \"MaxCaptureFolderSize\" wide ascii nocase\r\n $a13 = \"NetworkImageQ\" wide ascii nocase\r\n $a14 = \"CaptureDirectory\" wide ascii nocase\r\n $a15 = \"DefPass\" wide ascii nocase\r\n $a16 = \"CaptureStopProcess1\" wide ascii nocase\r\n $a17 = \"CaptureStopProcess2\" wide ascii nocase\r\n$a18 = \"DetectPorog\" wide ascii nocase\r\n $a19 = \"WatchFiles\" wide ascii nocase\r\n $a20 = \"AutoSendPreviews\" wide ascii nocase\r\n $a21 = \"ControlExt\" wide ascii nocase\r\n $a22 = \"SendOriginPreviews\" wide ascii nocase\r\n $a23 = \"CopyOriginsToCaptureDir\" wide ascii nocase\r\n $a24 = \"WatchProc\" wide ascii nocase\r\n $a25 = \"ScreenshotExt\" wide ascii nocase\r\n $a26 = \"ScreenshotAutoCapture\" wide ascii nocase\r\n $a27 = \"ScreenshotAutoStartProcess\" wide ascii nocase\r\n $a28 = \"ScreenshotPause\" wide ascii nocase\r\n $a29 = \"ProxyEnabled\" wide ascii nocase\r\n $b = \"\\\\R_C_S.ini\" wide ascii nocase\r\n $b2 = \"\\\\RCS.ini\" wide ascii nocase\r\n $b3 = \"RCS.log\" wide ascii nocase\r\n $b4 = \"RCSU.exe\" wide ascii nocase\r\n $b5 = \"RCS.log\" wide ascii nocase\r\n $c = \"?share*\" wide ascii nocase\r\n $c2 = \"?find*\" wide ascii nocase\r\n $c3 = \"user?\" wide ascii nocase\r\n $c4 = \"?prefs*\" wide ascii nocase\r\n $c5 = \"?type*abstract\" wide ascii nocase\r\n $c6 = \"?FriendlyID*\" wide ascii nocase\r\n $c7 = \"?disc*\" wide ascii nocase\r\ncondition:\r\n5 of ($a*) or\r\n3 of ($b*) or\r\n 4 of ($c*)\r\n}" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 618908e3d368301a323ee8ae7df867db8d7f5a98b513cfb8c961fb945e62a9b6", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "sha1", "uuid": "59721123-362c-4a08-bc48-41fa02de0b81", "value": "a97716c9be9f903c5b797643e458c207ae1c8bee" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 618908e3d368301a323ee8ae7df867db8d7f5a98b513cfb8c961fb945e62a9b6", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "md5", "uuid": "59721123-58c8-4a8f-a8d3-4c6202de0b81", "value": "921b1b1d2f7a228e753fc43de1b3169c" }, { "category": "External analysis", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 618908e3d368301a323ee8ae7df867db8d7f5a98b513cfb8c961fb945e62a9b6", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": false, "type": "link", "uuid": "59721123-2cc4-428d-9066-4d5302de0b81", "value": "https://www.virustotal.com/file/618908e3d368301a323ee8ae7df867db8d7f5a98b513cfb8c961fb945e62a9b6/analysis/1489348132/" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 89110710eddd0da23ea206a6047c252bf1e16a2d1957729973d77a58219e614b", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "sha1", "uuid": "59721123-ed14-4727-af44-417a02de0b81", "value": "77ce9ccf740d394e065ece52fc0f282686e672c1" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 89110710eddd0da23ea206a6047c252bf1e16a2d1957729973d77a58219e614b", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "md5", "uuid": "59721123-bfc0-4e7f-abef-48d502de0b81", "value": "adcb921fa79845abbe3011237f227773" }, { "category": "External analysis", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 89110710eddd0da23ea206a6047c252bf1e16a2d1957729973d77a58219e614b", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": false, "type": "link", "uuid": "59721123-f4dc-4e0b-84ff-425e02de0b81", "value": "https://www.virustotal.com/file/89110710eddd0da23ea206a6047c252bf1e16a2d1957729973d77a58219e614b/analysis/1489377772/" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 54f25a6820b8a0e3fc26bdf4599e7db695ef7aefb7dcefaa2c2581bb58426a40", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "sha1", "uuid": "59721123-8ba0-4f4d-a717-416402de0b81", "value": "8ee7df7a432b9d1c12ac2dcc85a39686e8ade31e" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 54f25a6820b8a0e3fc26bdf4599e7db695ef7aefb7dcefaa2c2581bb58426a40", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "md5", "uuid": "59721123-8bdc-4a5a-9093-49de02de0b81", "value": "9076a243f64f33841b27643ca71cca1c" }, { "category": "External analysis", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: 54f25a6820b8a0e3fc26bdf4599e7db695ef7aefb7dcefaa2c2581bb58426a40", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": false, "type": "link", "uuid": "59721123-1684-4902-b143-415a02de0b81", "value": "https://www.virustotal.com/file/54f25a6820b8a0e3fc26bdf4599e7db695ef7aefb7dcefaa2c2581bb58426a40/analysis/1497208372/" }, { "category": "Payload delivery", "comment": 
"MSIL.Backdoor.Rurktar.A - Xchecked via VT: b4b75bda475ea58f2a5cf3329e311a70fa56745ba6cb2785523fa53139d4e37f", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "sha1", "uuid": "59721123-3df4-4d16-8d55-463c02de0b81", "value": "d73470779ebef52d5b81cf9bfe3d28465b2879a3" }, { "category": "Payload delivery", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: b4b75bda475ea58f2a5cf3329e311a70fa56745ba6cb2785523fa53139d4e37f", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": true, "type": "md5", "uuid": "59721123-bf3c-4600-9378-426802de0b81", "value": "684a21cf74dc35fd65b49f3468f2aad1" }, { "category": "External analysis", "comment": "MSIL.Backdoor.Rurktar.A - Xchecked via VT: b4b75bda475ea58f2a5cf3329e311a70fa56745ba6cb2785523fa53139d4e37f", "deleted": false, "disable_correlation": false, "timestamp": "1500647715", "to_ids": false, "type": "link", "uuid": "59721123-20e0-4420-9cea-4a7402de0b81", "value": "https://www.virustotal.com/file/b4b75bda475ea58f2a5cf3329e311a70fa56745ba6cb2785523fa53139d4e37f/analysis/1496056079/" } ] } }
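The event above is a MISP export: every indicator is an entry of `Event.Attribute` carrying a `category`, a `type`, a `value`, a `deleted` flag and a `to_ids` flag that says whether the value is meant for automated detection (the hashes and the YARA rule are `to_ids: true`; the blog and VirusTotal links are not). The Python below is an added example of how a consumer ingests such an event; it is not CIRCL's, MISP's or G DATA's code. It works on a constructed, trimmed copy of the event that reuses a few of the page's own Rurktar hashes, adds two synthetic entries (a soft-deleted all-zero sha256 and a malformed md5) purely to exercise the filters, and abbreviates the YARA rule. It extracts only IDS-grade indicators, matches a file's hashes against them, and renders the sha256 set as a second YARA rule built on YARA's `hash` module so both rules can be run by the same scanner.

```python
import hashlib
import json
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the page's event in the layout a MISP
# export uses (Event -> Attribute[] with category, type, to_ids, deleted, value).
# The hash values are the page's own Rurktar indicators. Two entries are
# synthetic and exist only to exercise the filters below: the soft-deleted
# all-zero sha256 and the malformed md5. The YARA rule is abbreviated.
SAMPLE_EVENT_JSON = r'''
{ "Event": { "info": "OSINT - Rurktar - Spyware under Construction",
  "Attribute": [
    { "category": "External analysis", "type": "link", "to_ids": false, "deleted": false,
      "value": "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" },
    { "category": "Payload delivery", "type": "sha256", "to_ids": true, "deleted": false,
      "value": "b4b75bda475ea58f2a5cf3329e311a70fa56745ba6cb2785523fa53139d4e37f" },
    { "category": "Payload delivery", "type": "sha256", "to_ids": true, "deleted": false,
      "value": "54f25a6820b8a0e3fc26bdf4599e7db695ef7aefb7dcefaa2c2581bb58426a40" },
    { "category": "Payload delivery", "type": "sha1", "to_ids": true, "deleted": false,
      "value": "d73470779ebef52d5b81cf9bfe3d28465b2879a3" },
    { "category": "Payload delivery", "type": "md5", "to_ids": true, "deleted": false,
      "value": "684a21cf74dc35fd65b49f3468f2aad1" },
    { "category": "Payload delivery", "type": "sha256", "to_ids": true, "deleted": true,
      "value": "0000000000000000000000000000000000000000000000000000000000000000" },
    { "category": "Payload delivery", "type": "md5", "to_ids": true, "deleted": false,
      "value": "not-a-real-hash" },
    { "category": "Artifacts dropped", "type": "yara", "to_ids": true, "deleted": false,
      "value": "rule Rurktar { strings: $a = \"FriendlyID\" wide ascii nocase condition: $a }" }
  ] } }
'''

# Hex-digest length expected for each MISP hash attribute type.
HASH_TYPES = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_DIGITS = set("0123456789abcdef")


def ids_indicators(event_json: str) -> Dict[str, Set[str]]:
    """Collect the event's detection-grade indicators, grouped by MISP type.

    Keeps only attributes flagged to_ids that are not soft-deleted (a MISP
    export still lists deleted attributes, with "deleted": true). Hash values
    are lower-cased and length/charset-checked, so a mangled feed entry is
    dropped instead of becoming a blocklist entry that can never match.
    """
    event = json.loads(event_json)["Event"]
    indicators: Dict[str, Set[str]] = {}
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids", False) or attr.get("deleted", False):
            continue
        a_type, value = attr["type"], attr["value"]
        if a_type in HASH_TYPES:
            value = value.strip().lower()
            if len(value) != HASH_TYPES[a_type] or not set(value) <= HEX_DIGITS:
                continue
        indicators.setdefault(a_type, set()).add(value)
    return indicators


def file_hashes(data: bytes) -> Dict[str, str]:
    """md5/sha1/sha256 of a file's bytes, keyed by MISP type name."""
    return {t: hashlib.new(t, data).hexdigest() for t in HASH_TYPES}


def match_hashes(indicators: Dict[str, Set[str]], hashes: Dict[str, str]) -> List[str]:
    """Return the hash types under which a file matches an IDS indicator."""
    return sorted(t for t, h in hashes.items() if h.lower() in indicators.get(t, set()))


def hashes_to_yara(indicators: Dict[str, Set[str]], rule_name: str) -> str:
    """Render the sha256 indicators as a YARA rule built on YARA's "hash"
    module, so they can be scanned alongside the event's string-based rule.
    Returns "" when the event carries no sha256 indicators."""
    terms = [f'hash.sha256(0, filesize) == "{h}"' for h in sorted(indicators.get("sha256", ()))]
    if not terms:
        return ""
    body = " or\n        ".join(terms)
    return f'import "hash"\n\nrule {rule_name}\n{{\n    condition:\n        {body}\n}}\n'


if __name__ == "__main__":
    iocs = ids_indicators(SAMPLE_EVENT_JSON)
    print({t: len(v) for t, v in iocs.items()})
    print(hashes_to_yara(iocs, "Rurktar_sha256"))
    # Constructed file content, so no match is expected here.
    print(match_hashes(iocs, file_hashes(b"not a Rurktar sample")))
```

The `to_ids` and `deleted` checks are the part most often skipped in ad hoc feed scripts: a MISP export keeps soft-deleted attributes, and the non-IDS attributes (links, free text) are context, not something to block on. The hash normalisation matters because MISP stores what the analyst typed; the YARA `hash` module compares against lower-case hex, so an upper-case value in a generated rule would silently never fire.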