win.bookcodesrat

BookCodes RAT

aka: BookCodesTea

Actor(s): Lazarus Group


BookCodesRAT is a remote access trojan that uses HTTP(S) for its C&C communication. It supports around 25 commands, covering operations on the victim's filesystem, basic process management, and the download and execution of additional tools from the attacker's arsenal. Commands are indexed by 32-bit integers, starting at the value 0x97853646.

BookCodesRAT mostly uses compromised South Korean web servers for its C&C traffic and is usually deployed against South Korean targets.

References

Seongsu Park. "Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections". Virus Bulletin, 2021-10-08. https://vblocalhost.com/uploads/VB2021-Park.pdf (accessed 2023-07-24). Tagged: Dacls, AppleJeus, Bankshot, BookCodes RAT, DRATzarus, LCPDot, LPEClient.

Taewoo Lee, Dongwook Kim, Byeongjae Kim. "Operation Bookcodes – targeting South Korea". Virus Bulletin, 2021-10-07. https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf (accessed 2023-07-24). Tagged: BookCodes RAT, LPEClient.

Seongsu Park. "Lazarus covets COVID-19-related intelligence". Kaspersky Labs, 2020-12-23. https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ (accessed 2023-07-08). Tagged: BookCodes RAT, wAgentTea.

Anton Cherepanov, Peter Kálnai. "Lazarus supply‑chain attack in South Korea". ESET Research, 2020-11-16. https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ (accessed 2020-11-18). Tagged: BookCodes RAT, Lazarus Group.

KrCERT. "OPERATION BOOKCODES TTPs #2". KISA, 2020-06-29. https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf (accessed 2023-07-05). Tagged: BookCodes RAT.

KrCERT. "OPERATION BOOKCODES TTPs #1". KISA, 2020-04-01. https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf (accessed 2023-07-05). Tagged: BookCodes RAT.
Yara Rules
[TLP:WHITE] win_bookcodesrat_auto (20230715 | Detects win.bookcodesrat.)
rule win_bookcodesrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.bookcodesrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bd8 e9???????? 498b5520 488b4cf508 488bc1 4803c9 4c8b44ca08 }
            // n = 7, score = 100
            //   488bd8               | dec                 eax
            //   e9????????           |                     
            //   498b5520             | inc                 edx
            //   488b4cf508           | xor                 al, cl
            //   488bc1               | inc                 ecx
            //   4803c9               | xor                 al, 0x33
            //   4c8b44ca08           | mov                 byte ptr [esp + edx + 0x37], al

        $sequence_1 = { 4883bb0037000000 0f8474050000 4885c0 0f846b050000 }
            // n = 4, score = 100
            //   4883bb0037000000     | movzx               ebx, byte ptr [esp + 0x6b]
            //   0f8474050000         | inc                 esp
            //   4885c0               | movzx               ecx, byte ptr [esp + 0x6d]
            //   0f846b050000         | inc                 esp

        $sequence_2 = { 5f 5e 5d c3 0fb6442460 }
            // n = 5, score = 100
            //   5f                   | inc                 esp
            //   5e                   | lea                 eax, [edx - 5]
            //   5d                   | dec                 eax
            //   c3                   | mov                 ecx, edi
            //   0fb6442460           | dec                 esp

        $sequence_3 = { 488bd9 4c8d44243c 33c9 c744243801000000 c744244402000000 ff15???????? 85c0 }
            // n = 7, score = 100
            //   488bd9               | inc                 ecx
            //   4c8d44243c           | movzx               eax, word ptr [esp]
            //   33c9                 | dec                 eax
            //   c744243801000000     | cmp                 dword ptr [ebp + esi*8 + 8], eax
            //   c744244402000000     | jne                 0x1427
            //   ff15????????         |                     
            //   85c0                 | dec                 ecx

        $sequence_4 = { 488d0d0d8d0200 e8???????? cc 488b4b18 483bcf 731c 488bd7 }
            // n = 7, score = 100
            //   488d0d0d8d0200       | dec                 esp
            //   e8????????           |                     
            //   cc                   | lea                 ebp, [0x15905]
            //   488b4b18             | neg                 esi
            //   483bcf               | dec                 ecx
            //   731c                 | cmp                 eax, 3
            //   488bd7               | setne               al

        $sequence_5 = { 498bd7 89742420 e8???????? 448be0 85c0 0f8559020000 }
            // n = 6, score = 100
            //   498bd7               | mov                 dword ptr [ebp + 0x591], eax
            //   89742420             | mov                 dword ptr [ebp + 0x244], 0x51474442
            //   e8????????           |                     
            //   448be0               | mov                 dword ptr [ebp + 0x248], 0x4a694e55
            //   85c0                 | mov                 dword ptr [ebp + 0x24c], 0x4f585d50
            //   0f8559020000         | mov                 byte ptr [ebp + 0x250], 0x50

        $sequence_6 = { e8???????? 85c0 786b 4c8bc5 488bd7 488bcb e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | jl                  0x17bc
            //   786b                 | dec                 eax
            //   4c8bc5               | arpl                dx, ax
            //   488bd7               | inc                 edx
            //   488bcb               | xor                 al, 0x33
            //   e8????????           |                     

        $sequence_7 = { 498bcf e8???????? 48837f1000 7662 85f6 7e5e 48837b1000 }
            // n = 7, score = 100
            //   498bcf               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   48837f1000           | xor                 eax, eax
            //   7662                 | dec                 eax
            //   85f6                 | or                  ecx, 0xffffffff
            //   7e5e                 | dec                 ebp
            //   48837b1000           | mov                 eax, esi

        $sequence_8 = { 48ffc3 4c3b6de8 0f820cffffff eb1f 4b8b84f8c0cb0300 f644300840 }
            // n = 6, score = 100
            //   48ffc3               | ret                 
            //   4c3b6de8             | dec                 eax
            //   0f820cffffff         | mov                 ecx, dword ptr [ebx + 0x418]
            //   eb1f                 | dec                 esp
            //   4b8b84f8c0cb0300     | mov                 dword ptr [esp + 0x20], esp
            //   f644300840           | call                dword ptr [ebx + 0x3670]

        $sequence_9 = { 4863c2 4c8bc1 8bd1 884c05b8 0f1f840000000000 420fb6840520010000 49ffc0 }
            // n = 7, score = 100
            //   4863c2               | dec                 esp
            //   4c8bc1               | mov                 ecx, esi
            //   8bd1                 | dec                 eax
            //   884c05b8             | mov                 ecx, esi
            //   0f1f840000000000     | dec                 esp
            //   420fb6840520010000   | mov                 ebx, eax
            //   49ffc0               | dec                 eax

    condition:
        7 of them and filesize < 544768
}