Multiple blogs have reported about recent activities and tooling of UAC-0056 (also known as Nodaria, SaintBear, TA471).
Malwarebytes (April 22) and Mandiant (July 22) report about the “Elephant toolchain” apparently used by UAC-0056. The toolchain consists of Elephant Stealer (GraphSteel), Elephant Implant (GrimPlant), Elephant Downloader, and Elephant Dropper.
A very recent article by Symantec reports about the new “Graphiron” tooling of UAC-0056. It consists of two stages, a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron). Like the Elephant tools, the new tools are written in Go. The blog also links the toolsets by exploring similarities between the recent Graphiron tooling and the previous Elephant tooling based on the reuse of legitimate but rather unique libraries.
This has prompted us to carry out a code similarity analysis on the Elephant and Graphiron families to complement the existing findings. To this end we have used our code search engine, which can identify function-level code reuse in sample sets and can retro-hunt for functions through our data set of millions of malware samples.
For the code reuse analysis we have looked at the Elephant and Graphiron sample set from the articles mentioned above. We have found that they all share a similar string decryption routine.
String decryption is implemented with one dedicated decryption routine per obfuscated string, with the encrypted string hard-coded in the respective routine; a sample therefore typically contains multiple string decryption routines. Our findings are that the decryption functions within a sample and across samples are similar in terms of their flow graphs and semantics but different in terms of their instruction sequences (see the image below illustrating our findings per tool family). Loosely speaking, it is a simple string decryption pattern that is reused within and across samples.
String decryption capabilities were mentioned in the Mandiant and Malwarebytes articles, and we can confirm that this decryption routine is the same as the one shown in the Mandiant post.
We have also performed a retro-hunt for this common string decryption routine in our sample collection and have only found matches in samples from the families mentioned above. This leads us to believe that the string decryption routine is highly characteristic for the current UAC-0056 toolset and thus useful for tracking and linking attacks.
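To make the distinction between "same flow graph and semantics" and "different instruction sequences" concrete, here is an added toy illustration in Python. It is not Threatray's search engine and not code from any of the malware families; the three functions (FUNC_A, FUNC_B, FUNC_C), their block layout and their instructions are constructed for the example and mimic the shape of a per-string decryption loop. A plain hash over the instruction text separates the two look-alike routines, while a signature built from the control-flow graph and per-instruction classes (rather than registers and constants) groups them together, which is the property that makes a routine like this usable for retro-hunting across samples.

```python
"""Toy function-level similarity: CFG + instruction classes instead of byte patterns.
Constructed example; not Threatray's algorithm and not malware code."""
import hashlib

# Constructed "functions": label -> (instruction list, successor labels).
# FUNC_A and FUNC_B share the shape of a per-string decryption loop
# (load hard-coded blob, XOR each byte with a constant, return) but use
# different registers, constants, lengths and even different mnemonics.
FUNC_A = {
    "entry": (["lea rsi, [rip+blob_A]", "mov ecx, 0x1a", "xor eax, eax"], ["loop"]),
    "loop": (["mov dl, [rsi+rax]", "xor dl, 0x5c", "mov [rdi+rax], dl",
              "inc rax", "cmp rax, rcx"], ["loop", "exit"]),
    "exit": (["ret"], []),
}
FUNC_B = {
    "start": (["lea rdx, [rip+blob_B]", "mov r8d, 0x33", "xor r9d, r9d"], ["body"]),
    "body": (["mov al, [rdx+r9]", "xor al, 0xe7", "mov [rcx+r9], al",
              "add r9, 1", "cmp r9, r8"], ["body", "done"]),
    "done": (["ret"], []),
}
# FUNC_C is structurally different (no loop) and must not group with A/B.
FUNC_C = {
    "entry": (["lea rax, [rip+blob_C]", "mov ecx, 0x10"], ["exit"]),
    "exit": (["ret"], []),
}

# Coarse instruction classes: registers and immediates are deliberately ignored.
MNEMONIC_CLASS = {
    "lea": "addr", "mov": "move", "movzx": "move",
    "xor": "xor", "add": "arith", "sub": "arith", "inc": "arith", "dec": "arith",
    "cmp": "cmp", "test": "cmp", "ret": "ret",
}


def classify(insn):
    """Map one instruction to its class by mnemonic only."""
    return MNEMONIC_CLASS.get(insn.split()[0], "other")


def entry_block(func):
    """The single block that no other block jumps to."""
    targets = {s for _, succs in func.values() for s in succs}
    (entry,) = [b for b in func if b not in targets]
    return entry


def dfs_order(func):
    """Deterministic block order so labels do not influence the signature."""
    order, seen, stack = [], set(), [entry_block(func)]
    while stack:
        b = stack.pop()
        if b in seen:
            continue
        seen.add(b)
        order.append(b)
        stack.extend(reversed(func[b][1]))
    return order


def instruction_hash(func):
    """Byte-pattern style fingerprint: any register or constant change breaks it."""
    text = "\n".join(i for b in dfs_order(func) for i in func[b][0])
    return hashlib.sha256(text.encode()).hexdigest()


def structural_signature(func):
    """CFG edges plus per-block instruction classes: robust to register/constant changes."""
    order = dfs_order(func)
    idx = {b: i for i, b in enumerate(order)}
    parts = []
    for b in order:
        insns, succs = func[b]
        classes = ",".join(classify(i) for i in insns)
        edges = ",".join(str(idx[s]) for s in succs)
        parts.append(f"{idx[b]}:[{classes}]->[{edges}]")
    return ";".join(parts)


def find_reuse(functions):
    """Group named functions (e.g. from several samples) by structural signature."""
    groups = {}
    for name, func in functions.items():
        groups.setdefault(structural_signature(func), []).append(name)
    return groups


if __name__ == "__main__":
    for sig, names in find_reuse({"A": FUNC_A, "B": FUNC_B, "C": FUNC_C}).items():
        print(names, sig)
```

In practice the block structure and instruction classes would come from a disassembler rather than hand-written lists, and the signature would be looked up across a corpus; the point of the example is only that the grouping key ignores exactly the parts (registers, immediates, string length) that differ between per-string decryption routines.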
Samples shown in the image
The table below lists the samples used to generate the disassembly image above, together with the address of the decryption routine in each sample.
About Threatray
Threatray is a novel malware analysis and intelligence platform. We support all key malware defense use cases, including identification / detection, hunting, response, and analysis. Threatray helps security teams of all skill levels to effectively identify and analyze ongoing and past compromises.
At the core of Threatray are highly scalable code similarity search algorithms that find code reuse between a new sample and millions of known samples in seconds. Our core search algorithms do not rely on traditional byte pattern matches and are thus highly resilient to code mutations.
Our user-facing features are built on the core search technology. They include best-of-class threat family identification and detection, easy-to-use real-time retro-hunting and retro-detection, cluster analysis to quickly find relevant IOCs, and low-level multi-binary analysis capabilities. Some of these binary analysis capabilities have been used for the research presented in this report.
Contact us at https://threatray.com/contact-us or https://twitter.com/threatray