Author: Carlos Rubio from Threatray Labs
Published on: 01.03.2023
Several blog posts have reported on the recent activities and tooling of UAC-0056 (also tracked as Nodaria, SaintBear and TA471).
Malwarebytes (April 2022) and Mandiant (July 2022) describe the “Elephant toolchain” apparently used by UAC-0056. The toolchain consists of Elephant Stealer (GraphSteel), Elephant Implant (GrimPlant), Elephant Downloader and Elephant Dropper.
A recent Symantec article describes the new “Graphiron” tooling of UAC-0056. It consists of two stages, a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron). Like the Elephant tools, the new tools are written in Go. Symantec also links the two toolsets by pointing out that the Graphiron and Elephant tools reuse the same legitimate but rather uncommon third-party libraries.
This prompted us to carry out a code similarity analysis of the Elephant and Graphiron families to complement the existing findings. For this we used our code search engine, which identifies function-level code reuse within a sample set and can retro-hunt for a given function across our data set of millions of malware samples.
For the code reuse analysis we looked at the Elephant and Graphiron samples referenced in the articles mentioned above (listed in the table at the end of this post). We found that all of them share a similar string decryption routine.
String decryption is implemented with one dedicated decryption routine per obfuscated string, the encrypted string being hard-coded in that routine; a sample therefore typically contains many string decryption routines. We found that these decryption functions, both within a sample and across samples, are similar in their control-flow graphs and semantics but differ in their instruction sequences (the image below illustrates this per tool family). Loosely speaking, a simple string decryption pattern is reused within and across samples; this is exactly the situation in which byte-level signatures on the routine are brittle, because registers, constants and individual instructions change from one instance to the next while the shape of the function does not.
String decryption was mentioned in the Mandiant and Malwarebytes articles, and we can confirm that the routine we found is the same one shown in the Mandiant post.
We also retro-hunted for this string decryption routine across our sample collection and found matches only in samples of the families mentioned above. This leads us to believe that the routine is highly characteristic of the current UAC-0056 toolset and therefore useful for tracking and linking attacks. As with any retro-hunt, the exclusivity claim is bounded by the coverage of the collection searched: it shows that no other family in our data set uses the routine, not that none exists.
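The finding above (decryption routines that share a flow graph and semantics but not an instruction sequence) and the retro-hunt built on it are illustrated by the added Python example below. It is not code from this post and not Threatray's search algorithm, which the post does not describe. The three listings are constructed, hypothetical x86-64 disassembly of a made-up XOR loop, not disassembly from the samples in the table, and `structural_fingerprint`, `cfg`, `op_class` and `retro_hunt` are toy stand-ins for a real similarity engine.

```python
# Added illustration, not code from the post and not Threatray's algorithm.  The three
# listings are CONSTRUCTED hypothetical x86-64 disassembly, not from the Elephant/Graphiron samples.
import hashlib

# A and B: the per-string decryption shape the post describes (hard-coded buffer, length
# and key, one byte-wise loop, one exit) with different registers, constants and
# instruction choices.  C: an unrelated routine used as a negative control.
ROUTINE_A = """
0x1000: mov ecx, 0x1b            ; string length (hypothetical)
0x1005: lea rsi, [rip+0x2040]    ; hard-coded encrypted string (hypothetical)
0x100c: xor edx, edx
0x100e: cmp edx, ecx
0x1010: jge 0x1024
0x1012: movzx eax, byte [rsi+rdx]
0x1016: xor eax, 0x5a            ; per-routine key (hypothetical)
0x1019: mov byte [rsi+rdx], al
0x101c: inc edx
0x101e: jmp 0x100e
0x1024: ret
"""
ROUTINE_B = """
0x2200: mov r8d, 0x3c
0x2206: lea rdi, [rip+0x4100]
0x220d: mov r10d, 0xc3
0x2213: xor r9d, r9d
0x2216: cmp r9d, r8d
0x2219: jae 0x2230
0x221b: movzx eax, byte [rdi+r9]
0x2220: xor eax, r10d
0x2223: mov byte [rdi+r9], al
0x2226: add r9d, 1
0x222a: jmp 0x2216
0x2230: ret
"""
ROUTINE_C = """
0x3000: mov eax, [rdi]
0x3003: test eax, eax
0x3005: jz 0x300c
0x3007: add eax, 1
0x300a: mov [rdi], eax
0x300c: ret
"""
ARITH = {"add", "sub", "inc", "dec", "xor", "and", "or", "not", "neg", "shl", "shr", "sar", "imul"}

def parse(listing):
    """'addr: mnemonic op1, op2 ; comment' lines -> [(addr, mnemonic, [operands])]."""
    out = []
    for line in filter(None, (l.split(";")[0].strip() for l in listing.splitlines())):
        addr, rest = line.split(":", 1)
        mnem, _, opstr = rest.strip().partition(" ")
        out.append((int(addr, 16), mnem.lower(), [o.strip() for o in opstr.split(",") if o.strip()]))
    return out

def op_class(m, ops):
    """Coarse semantic class of an instruction; registers, immediates and exact mnemonic are dropped."""
    if m.startswith("j"):
        return "jmp" if m == "jmp" else "cbranch"
    if m.startswith("mov"):
        return "store" if "[" in ops[0] else "load" if "[" in ops[1] else "const" if ops[1][:1].isdigit() else "move"
    return {"cmp": "cmp", "test": "cmp"}.get(m, "arith" if m in ARITH else m)

def cfg(instrs):
    """Split into basic blocks at branch targets and after branches/ret; return (blocks, edge set)."""
    addrs = [a for a, _, _ in instrs]
    leaders = {addrs[0]}
    for i, (_, m, ops) in enumerate(instrs):
        if m[0] == "j":
            leaders.add(int(ops[0], 16))
        if m[0] == "j" or m == "ret":
            leaders.update(addrs[i + 1:i + 2])      # the instruction after a branch starts a block
    blocks = []
    for ins in instrs:
        if ins[0] in leaders:
            blocks.append([])
        blocks[-1].append(ins)
    index = {b[0][0]: i for i, b in enumerate(blocks)}
    edges = set()
    for i, (_, m, ops) in enumerate(b[-1] for b in blocks):
        if m[0] == "j":
            edges.add((i, index[int(ops[0], 16)]))
        if m not in ("jmp", "ret") and i + 1 < len(blocks):
            edges.add((i, i + 1))                   # fall-through edge (also for conditional jumps)
    return blocks, edges

def byte_fingerprint(listing):
    """Stand-in for hashing the routine's opcode bytes: any changed register or constant breaks it."""
    return hashlib.sha256(listing.encode()).hexdigest()[:16]

def mnemonic_sequence(listing):
    return " ".join(m for _, m, _ in parse(listing))

def structural_fingerprint(listing):
    """(block count, canonical CFG edge list, per-block set of operation classes)."""
    blocks, edges = cfg(parse(listing))
    classes = tuple(tuple(sorted({op_class(m, ops) for _, m, ops in b})) for b in blocks)
    return (len(blocks), tuple(sorted(edges)), classes)

def retro_hunt(query, collection):
    """Names of routines in `collection` whose structural fingerprint equals the query's."""
    want = structural_fingerprint(query)
    return sorted(n for n, r in collection.items() if structural_fingerprint(r) == want)

if __name__ == "__main__":
    corpus = {"s1/sub_1000": ROUTINE_A, "s2/sub_2200": ROUTINE_B, "s3/sub_3000": ROUTINE_C}
    print(retro_hunt(ROUTINE_A, corpus))            # s1 and s2 are hits, s3 is not
```

The byte hash and even the plain mnemonic sequence separate A from B; the flow-graph plus operation-class fingerprint links them and still rejects C. A fingerprint this coarse will collide with other small loops, so in practice it is a candidate generator whose hits are confirmed by looking at the matched functions, which is also how the retro-hunt result above should be read.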
Samples shown in the image
The table below lists the samples used to generate the image of the disassemblies above, together with the address of the string decryption routine shown for each sample.
Name | String decryption routine address | SHA256 |
--- | --- | --- |
Graphiron Downloader | 0x622640 | 0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63 |
Graphiron Stealer | 0x92C0C0 | 80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7 |
Elephant Dropper | 0x5F9080 | 9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a |
Elephant Downloader | 0x69FA80 | 8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1 |
Elephant Implant (GrimPlant) | 0x5D1B00 | 99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532 |
Elephant Client (GraphSteel) | 0x77F720 | 47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878 |
About Threatray
Threatray is a malware analysis and intelligence platform. It supports the key malware defense use cases, including identification and detection, hunting, response, and analysis, and helps security teams of all skill levels to identify and analyze ongoing and past compromises.
At the core of Threatray are highly scalable code similarity search algorithms that find code reuse between a new sample and millions of known samples in seconds. The core search algorithms do not rely on traditional byte pattern matching and are therefore resilient to code mutations such as changed registers, constants and instruction selection.
The user-facing features are built on this search technology. They include threat family identification and detection, real-time retro-hunting and retro-detection, cluster analysis to quickly find relevant IOCs, and low-level multi-binary analysis capabilities. Some of these binary analysis capabilities were used for the research presented in this report.
Contact us at https://threatray.com/contact-us or https://twitter.com/threatray