Feodo Spyware/Threat details:

Name:             Feodo Spyware

Description:           Feodo was an e-banking Trojan used by cybercriminals to commit e-banking fraud and to steal sensitive information, such as credit card details or credentials, from the victim's computer. Since 2010, various malware families have evolved from Feodo, such as Cridex, Dridex, Geodo, Heodo and Emotet. Dridex, also known as Bugat and Cridex, specializes in stealing bank credentials via a mechanism that uses macros in Microsoft Word. The targets of this malware are Windows users who open an email attachment in Word or Excel, causing the macros to activate and download Dridex, infecting the computer and exposing the victim to banking theft.

Reference URL:         

  • https://attack.mitre.org/
  • https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo
  • https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html

ATT&CK TECHNIQUES:

  • T1071.001 Application Layer Protocol: Web Protocols
  • T1185 Man in the Browser
  • T1087.003 Account Discovery: Email Account
  • T1040 Network Sniffing

IOCs URL/DOMAIN/HASH VALUE:

URL:

  • http://kakaorp.com
  • http://it.imarketkorea.com/favicon.ico
  • http://mail.kakaorp.com/
  • http://sns4u.net/favicon.ico

DOMAIN:

  • rpnet.co.kr
  • todaydrip.com
  • sns4u.net
  • kakaorp.com

IP ADDRESSES:

  • 1.234.20.244
  • 103.122.228.44
  • 103.140.207.110
  • 103.161.172.109

HASH VALUES TO BLOCK:

File hashes:

MD5:

  • 45ea069bb339a499610c05ec076f0fc9
  • 82903df7bf92c5aec6b90fdeb1662c31
  • 311ec03dcf25390b46d55d9d94319e41

SHA-1:

  • 5c20454d1ae13e194b876c938f90e81c876c14fe
  • 070fd6030197b14ffaf282ace15d172e12ed9ecc
  • 2b94acfbddddd4bc0ca9343f5af5085646667b2f

SHA-256:

  • 2e91491bbcf5d0f389ba15f8b97c8daee8032874c243a202ee8325191d866d98
  • 91b7a3393a083c663fb65ec686ba798256304d2d139f964574c5eb6b092f7cff
  • caa76e0c77792e9e4a862a96ad7b8c86b59ba413f438c64c320480d5a74ff719
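The indicators above are only useful once they are matched against telemetry. The following script is an added example, not part of this threat profile, showing how a defender can normalise the page's URL, domain, IP and hash indicators into lookup sets and sweep them across proxy/DNS log lines and a file-hash inventory. It extracts hostnames from the listed URLs (so a DNS query for it.imarketkorea.com is caught even though only a full URL is listed), matches subdomains up to a listed parent domain, and infers the hash algorithm from digest length. The log line format, the sample lines and the file inventory are constructed for the example and are not real data.

```python
"""Sweep the Feodo IOCs from the profile above across sample telemetry.

Added example, not part of the original threat profile. The indicator values
are copied from the page; the log format, log lines and file inventory below
are constructed for illustration only.
"""
import re
from urllib.parse import urlparse

# Indicators as listed in the profile above.
IOC_URLS = [
    "http://kakaorp.com",
    "http://it.imarketkorea.com/favicon.ico",
    "http://mail.kakaorp.com/",
    "http://sns4u.net/favicon.ico",
]
IOC_DOMAINS = ["rpnet.co.kr", "todaydrip.com", "Sns4u.net", "kakaorp.com"]
IOC_IPS = ["1.234.20.244", "103.122.228.44", "103.140.207.110", "103.161.172.109"]
IOC_HASHES = [
    "45ea069bb339a499610c05ec076f0fc9",          # MD5
    "82903df7bf92c5aec6b90fdeb1662c31",
    "311ec03dcf25390b46d55d9d94319e41",
    "5c20454d1ae13e194b876c938f90e81c876c14fe",  # SHA-1
    "070fd6030197b14ffaf282ace15d172e12ed9ecc",
    "2b94acfbddddd4bc0ca9343f5af5085646667b2f",
    "2e91491bbcf5d0f389ba15f8b97c8daee8032874c243a202ee8325191d866d98",  # SHA-256
    "91b7a3393a083c663fb65ec686ba798256304d2d139f964574c5eb6b092f7cff",
    "caa76e0c77792e9e4a862a96ad7b8c86b59ba413f438c64c320480d5a74ff719",
]


def build_indicator_set():
    """Normalise the IOCs into lower-case lookup sets.

    Hostnames are pulled out of the URL indicators so that a bare DNS lookup
    or a proxy 'host' field matches even when only a full URL was listed.
    """
    hosts = {d.strip().lower() for d in IOC_DOMAINS}
    for url in IOC_URLS:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    ips = set(IOC_IPS)
    hashes = {h.strip().lower() for h in IOC_HASHES}
    return hosts, ips, hashes


def host_matches(host, hosts):
    """Return the listed indicator covering `host` (exact or parent domain), else None.

    'mail.kakaorp.com' is matched against 'mail.kakaorp.com' first and then
    'kakaorp.com'; a bare TLD is never tested, to avoid matching 'com'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


# Constructed key=value proxy log format: src=... dst=<ip> host=<name> url=<path>
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")


def scan_log_lines(lines, hosts, ips):
    """Return (line_no, indicator_type, indicator) for each line touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if m and m.group(1) in ips:
            hits.append((n, "ip", m.group(1)))
        m = HOST_RE.search(line)
        if m:
            indicator = host_matches(m.group(1), hosts)
            if indicator:
                hits.append((n, "domain", indicator))
    return hits


def scan_hashes(inventory, hashes):
    """Match a {path: digest} inventory against the MD5/SHA-1/SHA-256 list.

    The algorithm is inferred from digest length so a mixed inventory works
    without the caller labelling each entry.
    """
    algo_by_len = {32: "md5", 40: "sha1", 64: "sha256"}
    hits = []
    for path, digest in inventory.items():
        d = digest.strip().lower()
        if d in hashes:
            hits.append((path, algo_by_len.get(len(d), "unknown"), d))
    return hits


# Constructed sample telemetry (not real data). Only lines 2-4 touch an IOC.
SAMPLE_LOG = [
    "2021-06-10T08:01:12Z src=10.0.0.5 dst=93.184.216.34 host=example.com url=/",
    "2021-06-10T08:01:19Z src=10.0.0.5 dst=103.122.228.44 host=mail.kakaorp.com url=/",
    "2021-06-10T08:02:03Z src=10.0.0.7 dst=198.51.100.9 host=SNS4U.NET url=/favicon.ico",
    "2021-06-10T08:02:40Z src=10.0.0.9 dst=203.0.113.5 host=it.imarketkorea.com url=/favicon.ico",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\invoice.doc": "45EA069BB339A499610C05EC076F0FC9",
    r"C:\Windows\notepad.exe": "0000000000000000000000000000000000000000",
    r"C:\Users\bob\AppData\Local\Temp\x.exe": "caa76e0c77792e9e4a862a96ad7b8c86b59ba413f438c64c320480d5a74ff719",
}


def run():
    """Sweep the constructed samples; returns (network_hits, file_hits)."""
    hosts, ips, hashes = build_indicator_set()
    return scan_log_lines(SAMPLE_LOG, hosts, ips), scan_hashes(SAMPLE_INVENTORY, hashes)


if __name__ == "__main__":
    network_hits, file_hits = run()
    for hit in network_hits:
        print("network IOC hit:", hit)
    for hit in file_hits:
        print("file IOC hit:", hit)
```

On the constructed samples the sweep reports line 2 twice (once for the destination IP, once for the host), lines 3 and 4 by hostname, and two file hits (the MD5 and the SHA-256). Case differences in the hostname or digest do not prevent a match because everything is lower-cased before lookup.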

YARA RULES

The following YARA rule was authored to catch the Feodo malware:

rule win_feodo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.feodo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 6a00 6838040000 ff15???????? 8bf0 85f6 }
            // n = 6, score = 1100
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6838040000           | push                0x438
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi

        $sequence_1 = { 56 6a00 68???????? 56 }
            // n = 4, score = 1100
            //   56                   | push                esi
            //   6a00                 | push                0
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_2 = { 741b 8d442404 50 687e660480 }
            // n = 4, score = 1100
            //   741b                 | je                  0x1d
            //   8d442404             | lea                 eax, dword ptr [esp + 4]
            //   50                   | push                eax
            //   687e660480           | push                0x8004667e

        $sequence_3 = { 50 51 ff15???????? c3 8b4c2404 b801000000 }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   c3                   | ret                 
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   b801000000           | mov                 eax, 1

        $sequence_4 = { 50 6a18 51 c744241000000000 ff15???????? 85c0 }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   6a18                 | push                0x18
            //   51                   | push                ecx
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { 68???????? 68???????? 83c004 68???????? }
            // n = 4, score = 1100
            //   68????????           |                     
            //   68????????           |                     
            //   83c004               | add                 eax, 4
            //   68????????           |                     

        $sequence_6 = { 81ec08020000 6808020000 8d442404 50 }
            // n = 4, score = 1100
            //   81ec08020000         | sub                 esp, 0x208
            //   6808020000           | push                0x208
            //   8d442404             | lea                 eax, dword ptr [esp + 4]
            //   50                   | push                eax

        $sequence_7 = { 7408 83c001 83f801 72f2 }
            // n = 4, score = 1100
            //   7408                 | je                  0xa
            //   83c001               | add                 eax, 1
            //   83f801               | cmp                 eax, 1
            //   72f2                 | jb                  0xfffffff4

        $sequence_8 = { 0404 0404 0404 0404 0404 0316 16 }
            // n = 7, score = 100
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0316                 | add                 edx, dword ptr [esi]
            //   16                   | push                ss

        $sequence_9 = { 100e 0f44bebee8b686 0ced fb 3e18e8 7e67 }
            // n = 6, score = 100
            //   100e                 | adc                 byte ptr [esi], cl
            //   0f44bebee8b686       | cmove               edi, dword ptr [esi - 0x79491742]
            //   0ced                 | or                  al, 0xed
            //   fb                   | sti                 
            //   3e18e8               | sbb                 al, ch
            //   7e67                 | jle                 0x69

        $sequence_10 = { e2c3 7474 7474 7474 7474 7474 7474 }
            // n = 7, score = 100
            //   e2c3                 | loop                0xffffffc5
            //   7474                 | je                  0x76
            //   7474                 | je                  0x76
            //   7474                 | je                  0x76
            //   7474                 | je                  0x76
            //   7474                 | je                  0x76
            //   7474                 | je                  0x76

        $sequence_11 = { cd0f 20696a 60 6848f67824 }
            // n = 4, score = 100
            //   cd0f                 | int                 0xf
            //   20696a               | and                 byte ptr [ecx + 0x6a], ch
            //   60                   | pushal              
            //   6848f67824           | push                0x2478f648

        $sequence_12 = { 9a519a519a2e2e 2e2e20640444 4c 4c 63ab08080808 08c9 75eb }
            // n = 7, score = 100
            //   9a519a519a2e2e       | lcall               0x2e2e:0x9a519a51
            //   2e2e20640444         | and                 byte ptr cs:[esp + eax + 0x44], ah
            //   4c                   | dec                 esp
            //   4c                   | dec                 esp
            //   63ab08080808         | arpl                word ptr [ebx + 0x8080808], bp
            //   08c9                 | or                  cl, cl
            //   75eb                 | jne                 0xffffffed

        $sequence_13 = { 0e 97 0e 0e 27 }
            // n = 5, score = 100
            //   0e                   | push                cs
            //   97                   | xchg                eax, edi
            //   0e                   | push                cs
            //   0e                   | push                cs
            //   27                   | daa                 

        $sequence_14 = { 53 b9864c7474 44 44 44 3452 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   b9864c7474           | mov                 ecx, 0x74744c86
            //   44                   | inc                 esp
            //   44                   | inc                 esp
            //   44                   | inc                 esp
            //   3452                 | xor                 al, 0x52

        $sequence_15 = { fb 3e18e8 7e67 08ee 73fe 6c }
            // n = 6, score = 100
            //   fb                   | sti                 
            //   3e18e8               | sbb                 al, ch
            //   7e67                 | jle                 0x69
            //   08ee                 | or                  dh, ch
            //   73fe                 | jae                 0
            //   6c                   | insb                byte ptr es:[edi], dx

    condition:
        7 of them and filesize < 270336
}