Multiple blogs have reported on recent activities and tooling of UAC-0056 (also known as Nodaria, SaintBear, TA471).

Malwarebytes (April 22) and Mandiant (July 22) reported on the “Elephant toolchain” apparently used by UAC-0056. The toolchain consists of Elephant Stealer (GraphSteel), Elephant Implant (GrimPlant), Elephant Downloader, and Elephant Dropper.

A very recent article by Symantec reports on the new “Graphiron” tooling of UAC-0056. It consists of two stages, a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron). Like the Elephant tools, the new tools are written in Go. The article also links the two toolsets by exploring similarities between the recent Graphiron tooling and the previous Elephant tooling, based on the reuse of legitimate but rather unusual libraries.

This has prompted us to carry out a code similarity analysis on the Elephant and Graphiron families to complement the existing findings. To this end we have used our code search engine, which can identify function-level code reuse in sample sets and can retro-hunt for functions through our data set of millions of malware samples.

For the code reuse analysis we have looked at the Elephant and Graphiron sample set from the articles mentioned above. We have found that they all share a similar string decryption routine.

String decryption is implemented with one dedicated decryption routine per obfuscated string, the obfuscated string being hard-coded in its routine. There are therefore typically multiple string decryption routines per sample. Our finding is that the decryption functions within a sample and across samples are similar in terms of their flow graphs and semantics, but different in terms of their instruction sequences (see the image below illustrating our findings per tool family). Loosely speaking, it is a simple string decryption pattern that is reused within and across samples.

String decryption capabilities were mentioned in the Mandiant and Malwarebytes articles, and we can confirm that this decryption routine is the same as the one shown in the Mandiant post.

We have also performed a retro-hunt for this common string decryption routine in our sample collection and have found matches only in samples from the families mentioned above. This leads us to believe that the string decryption routine is highly characteristic of the current UAC-0056 toolset and thus useful for tracking and linking attacks.
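To make the distinction drawn above concrete (routines that share flow graph and semantics but not instruction sequences, and a retro-hunt keyed on that shared shape), here is an added, self-contained Python example. It is not Threatray's search engine and not code from the UAC-0056 samples: the three toy disassembly listings are constructed for illustration, and the normalization (registers, immediates and memory operands abstracted, branch targets rewritten to block indices, fall-through and branch edges hashed alongside) is a deliberately simple stand-in for a real function-similarity algorithm. A byte- or sequence-level hash separates the two constructed decryption loops because their registers and constants differ; the structural fingerprint puts them together and leaves the unrelated straight-line helper out.

```python
import hashlib
import re

# Constructed toy listings of two per-string decryption loops. They are
# illustrative only and are not disassembly of the samples in the table below.
ROUTINE_A = """
entry: mov rcx, 0x0
entry: lea rsi, [rip+0x1234]
entry: lea rdi, [rsp+0x20]
loop: cmp rcx, 0x1c
loop: jae done
body: movzx eax, byte [rsi+rcx]
body: xor al, 0x5a
body: mov byte [rdi+rcx], al
body: inc rcx
body: jmp loop
done: ret
"""

ROUTINE_B = """
entry: mov rdx, 0x0
entry: lea r8, [rip+0x5678]
entry: lea r9, [rsp+0x40]
loop: cmp rdx, 0x31
loop: jae done
body: movzx ebx, byte [r8+rdx]
body: xor bl, 0x37
body: mov byte [r9+rdx], bl
body: inc rdx
body: jmp loop
done: ret
"""

# An unrelated straight-line helper: no loop, hence a different block graph.
ROUTINE_C = """
entry: mov rax, [rsp+0x8]
entry: add rax, 0x10
entry: ret
"""

# Constructed "collection" to retro-hunt through (names are placeholders).
CORPUS = {"toy_routine_a": ROUTINE_A, "toy_routine_b": ROUTINE_B, "toy_helper_c": ROUTINE_C}

REG = re.compile(r"\b(r[a-z0-9]+|e[a-z]{2}|[abcd][lh]|[sd]il?|[bs]pl?|[a-d]x)\b")
IMM = re.compile(r"\b(0x[0-9a-fA-F]+|\d+)\b")
MEM = re.compile(r"\[[^\]]*\]")
BRANCHES = {"jmp", "ja", "jae", "jb", "jbe", "je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle"}


def parse(listing):
    """Split 'label: mnemonic operands' lines into ordered basic blocks."""
    blocks = []  # list of (label, [instruction strings])
    for line in listing.strip().splitlines():
        label, instr = (part.strip() for part in line.split(":", 1))
        if not blocks or blocks[-1][0] != label:
            blocks.append((label, []))
        blocks[-1][1].append(instr)
    return blocks


def split_instr(instr):
    parts = instr.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def normalize(instr, label_index):
    """Abstract operands (REG / IMM / MEM) and rewrite branch targets to block
    indices, so register allocation and constants drop out but the shape of the
    flow graph survives."""
    mnemonic, ops = split_instr(instr)
    if mnemonic in BRANCHES:
        return f"{mnemonic} B{label_index[ops]}"
    ops = MEM.sub("MEM", ops)   # memory operands first, so [rip+...] is not a REG
    ops = IMM.sub("IMM", ops)
    ops = REG.sub("REG", ops)
    return f"{mnemonic} {ops}".strip()


def sequence_fingerprint(listing):
    """Exact instruction-sequence hash: what a byte-pattern style match sees."""
    text = "\n".join(i for _, ins in parse(listing) for i in ins)
    return hashlib.sha256(text.encode()).hexdigest()


def structural_fingerprint(listing):
    """Hash of the normalized instructions plus the basic-block graph edges."""
    blocks = parse(listing)
    index = {label: i for i, (label, _) in enumerate(blocks)}
    edges, lines = set(), []
    for i, (_, ins) in enumerate(blocks):
        for instr in ins:
            mnemonic, ops = split_instr(instr)
            lines.append(f"B{i}: {normalize(instr, index)}")
            if mnemonic in BRANCHES:
                edges.add((i, index[ops]))
        last = split_instr(ins[-1])[0]
        if last not in ("jmp", "ret") and i + 1 < len(blocks):
            edges.add((i, i + 1))  # fall-through into the next block
    lines.extend(f"E{a}->{b}" for a, b in sorted(edges))
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def retro_hunt(query, corpus):
    """Names of corpus functions whose structural fingerprint equals the query's."""
    target = structural_fingerprint(query)
    return sorted(name for name, listing in corpus.items()
                  if structural_fingerprint(listing) == target)


if __name__ == "__main__":
    print("sequence match A/B :", sequence_fingerprint(ROUTINE_A) == sequence_fingerprint(ROUTINE_B))
    print("structure match A/B:", structural_fingerprint(ROUTINE_A) == structural_fingerprint(ROUTINE_B))
    print("retro-hunt hits    :", retro_hunt(ROUTINE_A, CORPUS))
```

Run stand-alone, the script reports no sequence match but a structural match between the two loops, and the retro-hunt over the constructed corpus returns only the two loops. The same idea scaled to real disassembly needs a proper disassembler front end and a tolerant (rather than exact-hash) similarity measure; the point here is only why a flow-graph and semantics view links routines that a byte-pattern view keeps apart.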

Samples shown in the image

The table below lists the samples used to generate the image with the disassemblies shown above, together with the address of the respective string decryption routine in each sample.

Name                            String decryption routine address   SHA256
Graphiron Downloader            0x622640                            0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63
Graphiron Stealer               0x92C0C0                            80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7
Elephant Dropper                0x5F9080                            9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a
Elephant Downloader             0x69FA80                            8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1
Elephant Implant (GrimPlant)    0x5D1B00                            99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532
Elephant Client (GraphSteel)    0x77F720                            47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878

About Threatray

Threatray is a novel malware analysis and intelligence platform. We support all key malware defense use cases, including identification / detection, hunting, response, and analysis. Threatray helps security teams of all skill levels to effectively identify and analyze ongoing and past compromises.

At the core of Threatray are highly scalable code similarity search algorithms that find code reuse between a new sample and millions of known samples in seconds. Our core search algorithms do not rely on traditional byte pattern matches and are thus highly resilient to code mutations.

Our user-facing features are built on the core search technology. They include best-in-class threat family identification and detection, easy-to-use real-time retro-hunting and retro-detection, cluster analysis to quickly find relevant IOCs, and low-level multi-binary analysis capabilities. Some of our binary analysis capabilities have been used for the research presented in this report.

Contact us at https://threatray.com/contact-us or https://twitter.com/threatray
