SYMBOLCOMMON_NAMEaka. SYNONYMS
win.boldmove (Back to overview)

BOLDMOVE


According to Mandiant, this malware family is attributed to potential chinese background and its Linux variant is related to exploitation of Fortinet's SSL-VPN (CVE-2022-42475).

References
2023-01-20The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20230120:chinese:4df7900, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware}}, date = {2023-01-20}, organization = {The Hacker News}, url = {https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html}, language = {English}, urldate = {2023-01-20} } Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware
BOLDMOVE BOLDMOVE
2023-01-19MandiantScott Henderson, Cristiana Kittner, Sarah Hawley, Mark Lechtik
@online{henderson:20230119:suspected:39b0731, author = {Scott Henderson and Cristiana Kittner and Sarah Hawley and Mark Lechtik}, title = {{Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)}}, date = {2023-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw}, language = {English}, urldate = {2023-01-20} } Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)
BOLDMOVE BOLDMOVE
Yara Rules
[TLP:WHITE] win_boldmove_auto (20230125 | Detects win.boldmove.)
rule win_boldmove_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.boldmove."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b35???????? 89c3 8b470c 83c006 890424 ffd6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b35????????         |                     
            //   89c3                 | mov                 ebx, eax
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   83c006               | add                 eax, 6
            //   890424               | mov                 dword ptr [esp], eax
            //   ffd6                 | call                esi

        $sequence_1 = { b900000000 8b7b04 85c0 8945c0 0f49c8 83c112 f7c700100000 }
            // n = 7, score = 100
            //   b900000000           | mov                 ecx, 0
            //   8b7b04               | mov                 edi, dword ptr [ebx + 4]
            //   85c0                 | test                eax, eax
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   0f49c8               | cmovns              ecx, eax
            //   83c112               | add                 ecx, 0x12
            //   f7c700100000         | test                edi, 0x1000

        $sequence_2 = { e8???????? 8b8554ffffff b910000000 8b35???????? c745a444000000 f3ab }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b8554ffffff         | mov                 eax, dword ptr [ebp - 0xac]
            //   b910000000           | mov                 ecx, 0x10
            //   8b35????????         |                     
            //   c745a444000000       | mov                 dword ptr [ebp - 0x5c], 0x44
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_3 = { 29e9 01d1 39f5 0f4fd1 8d3413 8d2c10 39ee }
            // n = 7, score = 100
            //   29e9                 | sub                 ecx, ebp
            //   01d1                 | add                 ecx, edx
            //   39f5                 | cmp                 ebp, esi
            //   0f4fd1               | cmovg               edx, ecx
            //   8d3413               | lea                 esi, [ebx + edx]
            //   8d2c10               | lea                 ebp, [eax + edx]
            //   39ee                 | cmp                 esi, ebp

        $sequence_4 = { 89ce d8c9 dd5c2420 83fa0f 7fc8 ddd8 }
            // n = 6, score = 100
            //   89ce                 | mov                 esi, ecx
            //   d8c9                 | fmul                st(1)
            //   dd5c2420             | fstp                qword ptr [esp + 0x20]
            //   83fa0f               | cmp                 edx, 0xf
            //   7fc8                 | jg                  0xffffffca
            //   ddd8                 | fstp                st(0)

        $sequence_5 = { 8d6814 8b4010 8d448500 89442428 8d4714 31ff 8944243c }
            // n = 7, score = 100
            //   8d6814               | lea                 ebp, [eax + 0x14]
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   8d448500             | lea                 eax, [ebp + eax*4]
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8d4714               | lea                 eax, [edi + 0x14]
            //   31ff                 | xor                 edi, edi
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_6 = { 89de d3e6 0fb64c2410 09f0 8942fc 89d8 d3e8 }
            // n = 7, score = 100
            //   89de                 | mov                 esi, ebx
            //   d3e6                 | shl                 esi, cl
            //   0fb64c2410           | movzx               ecx, byte ptr [esp + 0x10]
            //   09f0                 | or                  eax, esi
            //   8942fc               | mov                 dword ptr [edx - 4], eax
            //   89d8                 | mov                 eax, ebx
            //   d3e8                 | shr                 eax, cl

        $sequence_7 = { 89c2 c0e906 c0ea07 89e5 57 89c7 56 }
            // n = 7, score = 100
            //   89c2                 | mov                 edx, eax
            //   c0e906               | shr                 cl, 6
            //   c0ea07               | shr                 dl, 7
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi
            //   89c7                 | mov                 edi, eax
            //   56                   | push                esi

        $sequence_8 = { c704240c000000 e8???????? 8b4d8c 8b956cffffff 895804 8908 895008 }
            // n = 7, score = 100
            //   c704240c000000       | mov                 dword ptr [esp], 0xc
            //   e8????????           |                     
            //   8b4d8c               | mov                 ecx, dword ptr [ebp - 0x74]
            //   8b956cffffff         | mov                 edx, dword ptr [ebp - 0x94]
            //   895804               | mov                 dword ptr [eax + 4], ebx
            //   8908                 | mov                 dword ptr [eax], ecx
            //   895008               | mov                 dword ptr [eax + 8], edx

        $sequence_9 = { 89442454 8b8c2480000000 8d54247c 89f8 e8???????? 89f2 89842480000000 }
            // n = 7, score = 100
            //   89442454             | mov                 dword ptr [esp + 0x54], eax
            //   8b8c2480000000       | mov                 ecx, dword ptr [esp + 0x80]
            //   8d54247c             | lea                 edx, [esp + 0x7c]
            //   89f8                 | mov                 eax, edi
            //   e8????????           |                     
            //   89f2                 | mov                 edx, esi
            //   89842480000000       | mov                 dword ptr [esp + 0x80], eax

    condition:
        7 of them and filesize < 242688
}
Download all Yara Rules