216.73.217.22

Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 08:44 · Modified 21/12/2025 08:44

Essential information

Value / Name
M_APT_Tunneler_SPAWNMOLE_1
Confidence
100/100
Revoked
Yes
Valid from
09/01/2025 10:03
Valid until
26/10/2025 21:12
Pattern type
yara
Published
21/12/2025 08:44
Modified
21/12/2025 08:44
Author / Source
AlienVault

Description

M_APT_Tunneler_SPAWNMOLE_1 detects specific comparisons in the SPAWNMOLE tunneler that allow the malware to filter out its own traffic. SPAWNMOLE is a tunneler written in C and compiled as an ELF32 executable. The sample is capable of hijacking a process with a specific name on the compromised system and hooking into its communication capabilities in order to create a proxy server for tunneling traffic.

Pattern

rule M_APT_Tunneler_SPAWNMOLE_1
{
    meta:
        author = "Mandiant"
        description = "Detects a specific comparisons in SPAWNMOLE tunneler, which allow malware to filter put its own traffic . SPAWNMOLE is a tunneler written in C and compiled as an ELF32 executable. The sample is capable of hijacking a process on the compromised system with a specific name and hooking into its communication capabilities in order to create a proxy server for tunneling traffic."
        md5 = "4f79c70cce4207d0ad57a339a9c7f43c"

    strings:
        /*
        3C 16                                cmp     al, 16h
        74 14                                jz      short loc_5655C038
        0F B6 45 C1                          movzx   eax, [ebp+var_3F]
        3C 03                                cmp     al, 3
        74 0C                                jz      short loc_5655C038
        0F B6 45 C5                          movzx   eax, [ebp+var_3B]
        3C 01                                cmp     al, 1
        0F 85 ED 00 00 00                    jnz     loc_5655C125
        */

        $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85 }

        /*
        81 7D E8 E2 E3 49 FB                 cmp     [ebp+var_18], 0FB49E3E2h
        0F 85 CD 00 00 00                    jnz     loc_5655C128
        81 7D E4 61 83 C3 1B                 cmp     [ebp+var_1C], 1BC38361h
        0F 85 C0 00 00 00                    jnz     loc_5655C128
        */

        $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85 }

    condition:
        // 0x464c457f is the ELF magic (7F 45 4C 46) read as a little-endian uint32 at offset 0
        uint32(0) == 0x464c457f and all of them
}
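To show how the two hex strings and the ELF-magic condition above actually evaluate, here is an added Python example (not part of the AlienVault record or Mandiant's rule) that reimplements the rule's matching logic with the standard library: YARA hex strings with fixed `[n]` jumps are turned into byte regexes, and the condition is checked against a constructed buffer. The opcode bytes come from the disassembly listed in the rule's comments; the buffer layout around them (ELF magic, padding, the filler between the two sequences) and the function names are assumptions of this example.

```python
import re
import struct

# Hex strings copied from the rule on the page.
HEX_STRINGS = {
    "$comparison1": "3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85",
    "$comparison2": "81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85",
}

# Value the rule compares uint32(0) against: the ELF magic read little-endian.
ELF_MAGIC_LE = 0x464C457F


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (byte tokens plus [n] or [a-b] jumps) to a bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:
            lo = int(jump.group(1))
            hi = int(jump.group(2)) if jump.group(2) else lo
            parts.append(b".{%d,%d}" % (lo, hi))  # any byte(s), DOTALL below
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_pattern_to_regex(p) for name, p in HEX_STRINGS.items()}


def match_offsets(data: bytes) -> dict:
    """Return {string_name: first offset} for every hex string found in data."""
    hits = {}
    for name, rx in PATTERNS.items():
        m = rx.search(data)
        if m:
            hits[name] = m.start()
    return hits


def evaluate_rule(data: bytes) -> bool:
    """Mirror the rule condition: uint32(0) == ELF magic and all strings present."""
    if len(data) < 4:
        return False
    if struct.unpack_from("<I", data, 0)[0] != ELF_MAGIC_LE:
        return False
    return len(match_offsets(data)) == len(PATTERNS)


# Constructed test buffers. The two opcode sequences are the bytes shown in the
# rule's disassembly comments; everything around them is made up for the test.
SEQ1 = bytes.fromhex("3C16 7414 0FB645C1 3C03 740C 0FB645C5 3C01 0F85ED000000")
SEQ2 = bytes.fromhex("817DE8E2E349FB 0F85CD000000 817DE461 83C31B 0F85C0000000")

ELF_HEADER_STUB = b"\x7fELF" + b"\x00" * 12          # magic plus constructed padding
SAMPLE_MATCHING = ELF_HEADER_STUB + SEQ1 + b"\x90" * 8 + SEQ2
SAMPLE_NO_ELF = b"MZ\x90\x00" + b"\x00" * 12 + SEQ1 + b"\x90" * 8 + SEQ2  # same code, wrong magic
SAMPLE_PARTIAL = ELF_HEADER_STUB + SEQ1                 # only one of the two strings

if __name__ == "__main__":
    for label, buf in [("matching", SAMPLE_MATCHING), ("no-elf", SAMPLE_NO_ELF), ("partial", SAMPLE_PARTIAL)]:
        print(label, evaluate_rule(buf), match_offsets(buf))
```

The jump translation uses `.{lo,hi}` with `re.DOTALL` so that wildcard positions match every byte value, including `0x0A`; without `DOTALL` a newline byte inside a jump would silently break the match. The `SAMPLE_NO_ELF` case illustrates why the `uint32(0)` guard matters for triage: the opcode sequences alone also match, but the rule fires only when the file header is ELF.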

Labels / Tags

Labels: credential theft dryhook ivanti phasejam spawnant spawnsloth vpn

Marking (TLP)

TLP:CLEAR