win.boldmove

BOLDMOVE


According to Mandiant, this malware family is attributed to actors with a suspected Chinese background, and its Linux variant is related to the exploitation of Fortinet's SSL-VPN vulnerability (CVE-2022-42475).

References
2023-01-20 · The Hacker News · Ravie Lakshmanan
@online{lakshmanan:20230120:chinese:4df7900, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware}}, date = {2023-01-20}, organization = {The Hacker News}, url = {https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html}, language = {English}, urldate = {2023-01-20} } Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware
BOLDMOVE BOLDMOVE
2023-01-19 · Mandiant · Scott Henderson, Cristiana Kittner, Sarah Hawley, Mark Lechtik
@online{henderson:20230119:suspected:39b0731, author = {Scott Henderson and Cristiana Kittner and Sarah Hawley and Mark Lechtik}, title = {{Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)}}, date = {2023-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw}, language = {English}, urldate = {2023-01-20} } Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)
BOLDMOVE BOLDMOVE
Yara Rules
[TLP:WHITE] win_boldmove_auto (20230407 | Detects win.boldmove.)
rule win_boldmove_auto {
    // Autogenerated Malpedia rule for the Windows variant of BOLDMOVE
    // (win.boldmove; see malpedia_reference below). It was produced by
    // YARA-Signator from disassembly, so it matches code byte sequences
    // rather than strings or configuration. Read the DISCLAIMER block
    // before assigning a confidence level to hits: the sequences come
    // from a small number of samples and may not generalize to other
    // builds of the family.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.boldmove."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex byte pattern lifted from the sample's
    // disassembly; the commented listing under each one shows the 32-bit x86
    // instructions it encodes (the operands use esp/ebp/eax-style registers).
    // "??" bytes are wildcards. Here they mask the 4-byte relative
    // displacement of the e8 (call) and e9 (jmp) instructions, whose target
    // depends on where the code was laid out, so the opcode must match but
    // the operand need not. The listing leaves the mnemonic blank on those
    // lines for the same reason.
    strings:
        $sequence_0 = { 47 83ff10 0f84c4010000 8b94be88000000 85d2 75e0 ebe9 }
            // n = 7, score = 100
            //   47                   | inc                 edi
            //   83ff10               | cmp                 edi, 0x10
            //   0f84c4010000         | je                  0x1ca
            //   8b94be88000000       | mov                 edx, dword ptr [esi + edi*4 + 0x88]
            //   85d2                 | test                edx, edx
            //   75e0                 | jne                 0xffffffe2
            //   ebe9                 | jmp                 0xffffffeb

        $sequence_1 = { 89d8 e8???????? 837d0c01 0f8587000000 8d45d4 c745d401000000 }
            // n = 6, score = 100
            //   89d8                 | mov                 eax, ebx
            //   e8????????           |                     
            //   837d0c01             | cmp                 dword ptr [ebp + 0xc], 1
            //   0f8587000000         | jne                 0x8d
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   c745d401000000       | mov                 dword ptr [ebp - 0x2c], 1

        $sequence_2 = { 89442404 891c24 e8???????? 89442428 85c0 }
            // n = 5, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   85c0                 | test                eax, eax

        // NOTE(review): this sequence embeds an absolute address (0x416ae0 in
        // the fmul operand) rather than a wildcard, so it is presumably tied to
        // the image base / link address of the analysed sample; a rebased or
        // relocated build may not match it. Confirm before relying on it alone.
        $sequence_3 = { 90 f6c201 740c dc0cc5e06a4100 b901000000 83c001 d1fa }
            // n = 7, score = 100
            //   90                   | nop                 
            //   f6c201               | test                dl, 1
            //   740c                 | je                  0xe
            //   dc0cc5e06a4100       | fmul                qword ptr [eax*8 + 0x416ae0]
            //   b901000000           | mov                 ecx, 1
            //   83c001               | add                 eax, 1
            //   d1fa                 | sar                 edx, 1

        $sequence_4 = { 8b5c2430 29c3 895c2438 85db 0f84d9edffff 8b9424ac000000 0f8e9d030000 }
            // n = 7, score = 100
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   29c3                 | sub                 ebx, eax
            //   895c2438             | mov                 dword ptr [esp + 0x38], ebx
            //   85db                 | test                ebx, ebx
            //   0f84d9edffff         | je                  0xffffeddf
            //   8b9424ac000000       | mov                 edx, dword ptr [esp + 0xac]
            //   0f8e9d030000         | jle                 0x3a3

        $sequence_5 = { 898590feffff 0f85be000000 807b0123 7452 890424 e8???????? }
            // n = 6, score = 100
            //   898590feffff         | mov                 dword ptr [ebp - 0x170], eax
            //   0f85be000000         | jne                 0xc4
            //   807b0123             | cmp                 byte ptr [ebx + 1], 0x23
            //   7452                 | je                  0x54
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_6 = { 85ff 75ca 8b442428 c744240801000000 8894248b000000 8944240c 8d84248b000000 }
            // n = 7, score = 100
            //   85ff                 | test                edi, edi
            //   75ca                 | jne                 0xffffffcc
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   c744240801000000     | mov                 dword ptr [esp + 8], 1
            //   8894248b000000       | mov                 byte ptr [esp + 0x8b], dl
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8d84248b000000       | lea                 eax, [esp + 0x8b]

        $sequence_7 = { 83c104 894c2438 668902 e9???????? 837c244400 0f84f6f9ffff 8b542444 }
            // n = 7, score = 100
            //   83c104               | add                 ecx, 4
            //   894c2438             | mov                 dword ptr [esp + 0x38], ecx
            //   668902               | mov                 word ptr [edx], ax
            //   e9????????           |                     
            //   837c244400           | cmp                 dword ptr [esp + 0x44], 0
            //   0f84f6f9ffff         | je                  0xfffff9fc
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]

        $sequence_8 = { dd5b08 c7431400000000 c7431800000000 e8???????? c7042404000000 }
            // n = 5, score = 100
            //   dd5b08               | fstp                qword ptr [ebx + 8]
            //   c7431400000000       | mov                 dword ptr [ebx + 0x14], 0
            //   c7431800000000       | mov                 dword ptr [ebx + 0x18], 0
            //   e8????????           |                     
            //   c7042404000000       | mov                 dword ptr [esp], 4

        $sequence_9 = { 8b442440 896c2428 89f5 89de }
            // n = 4, score = 100
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   896c2428             | mov                 dword ptr [esp + 0x28], ebp
            //   89f5                 | mov                 ebp, esi
            //   89de                 | mov                 esi, ebx

    // Fires when at least 7 of the 10 sequences above are present and the
    // scanned object is smaller than 242688 bytes (0x3B400). The size bound
    // is presumably derived from the analysed sample(s) and is the first
    // thing to revisit if larger or padded builds of the family appear.
    // NOTE(review): YARA's filesize is meaningful for file scans only; when
    // scanning process memory this condition is not expected to match.
    condition:
        7 of them and filesize < 242688
}