
BookCodes RAT

aka: BookCodesTea

Actor(s): Lazarus Group


BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim’s filesystem, basic process management and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x97853646.

BookCodesRAT mostly uses compromised South Korean web servers for its C&C traffic and is usually deployed against South Korean targets.

References
2021-10-08 | Virus Bulletin | Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-10-07 | Virus Bulletin | Byeongjae Kim, Dongwook Kim, Taewoo Lee
Operation Bookcodes – targeting South Korea
BookCodes RAT LPEClient
2020-12-23 | Kaspersky Labs | Seongsu Park
Lazarus covets COVID-19-related intelligence
BookCodes RAT wAgentTea
2020-11-16 | ESET Research | Anton Cherepanov, Peter Kálnai
Lazarus supply‑chain attack in South Korea
BookCodes RAT Lazarus Group
2020-06-29 | KISA | KrCERT
OPERATION BOOKCODES TTPs #2
BookCodes RAT
2020-04-01 | KISA | KrCERT
OPERATION BOOKCODES TTPs #1
BookCodes RAT
Yara Rules
[TLP:WHITE] win_bookcodesrat_auto (20230808 | Detects win.bookcodesrat.)
rule win_bookcodesrat_auto {

    /* Auto-generated code-sequence signature for BookCodes RAT (Lazarus Group).
     * Ten byte patterns of seven instructions each were lifted from unpacked /
     * memory-dumped samples; the `??` bytes are wildcards masking address
     * operands (e.g. the disp32 of `ff15` call-indirect and `833d` cmp-memory
     * encodings) that differ between builds. The rule fires when at least 7 of
     * the 10 sequences are present and the scanned file is smaller than
     * 544768 bytes (532 KiB). See the notes above `strings:` and `condition:`
     * before assigning this rule a confidence level.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bookcodesrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the `//` mnemonic annotations beside each sequence are
     * tool output and appear to decode the bytes as 32-bit x86, although the
     * sequences themselves look like x64 code (e.g. `488b5c2430 ... 4883c420
     * 5f c3` is a typical x64 epilogue). The 0x41/0x45/0x48/0x49/0x4c REX
     * prefixes therefore show up as `inc`/`dec` of 32-bit registers, and the
     * mnemonics do not line up with the bytes printed on the same line. Treat
     * the hex patterns as authoritative and the annotations as unreliable.
     */

    strings:
        $sequence_0 = { ff15???????? 488d0d97900100 ff15???????? 833d????????00 750a b901000000 e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d0d97900100       | dec                 esp
            //   ff15????????         |                     
            //   833d????????00       |                     
            //   750a                 | mov                 edx, dword ptr [ebx]
            //   b901000000           | inc                 ebx
            //   e8????????           |                     

        $sequence_1 = { 33c0 48c7471807000000 48894710 668907 4883c728 493bfe 75d7 }
            // n = 7, score = 100
            //   33c0                 | dec                 eax
            //   48c7471807000000     | mov                 dword ptr [ebp - 0x4e], eax
            //   48894710             | mov                 dword ptr [ebp - 0x46], eax
            //   668907               | mov                 word ptr [ebp - 0x42], ax
            //   4883c728             | dec                 eax
            //   493bfe               | mov                 dword ptr [esp + 0x60], 7
            //   75d7                 | dec                 esp

        $sequence_2 = { 488b5c2430 488b742438 4883c420 5f c3 482bf3 66660f1f840000000000 }
            // n = 7, score = 100
            //   488b5c2430           | inc                 ebp
            //   488b742438           | mov                 eax, dword ptr [esi + 0x28]
            //   4883c420             | dec                 eax
            //   5f                   | sar                 eax, 1
            //   c3                   | dec                 ecx
            //   482bf3               | lea                 eax, [eax + eax*2]
            //   66660f1f840000000000     | inc    ebp

        $sequence_3 = { 4883c9ff 33c0 488dbb40080000 66f2af 48f7d1 48ffc9 74e8 }
            // n = 7, score = 100
            //   4883c9ff             | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x20], eax
            //   488dbb40080000       | dec                 eax
            //   66f2af               | lea                 edx, [0x21543]
            //   48f7d1               | dec                 eax
            //   48ffc9               | lea                 ecx, [esp + 0x60]
            //   74e8                 | mov                 dword ptr [esp + 0x20], edi

        $sequence_4 = { 0f858a000000 ba04010000 488bce ffd7 85c0 744e 33c0 }
            // n = 7, score = 100
            //   0f858a000000         | jae                 0x17fc
            //   ba04010000           | dec                 eax
            //   488bce               | mov                 edx, edi
            //   ffd7                 | dec                 eax
            //   85c0                 | cmp                 edi, -2
            //   744e                 | jbe                 0x1805
            //   33c0                 | dec                 eax

        $sequence_5 = { 0f1f440000 ffc6 4c8b4310 4883c8ff 492bc0 4883f801 0f868a000000 }
            // n = 7, score = 100
            //   0f1f440000           | dec                 eax
            //   ffc6                 | lea                 edi, [esp + 0x40]
            //   4c8b4310             | repne scasd         eax, dword ptr es:[edi]
            //   4883c8ff             | dec                 eax
            //   492bc0               | lea                 edx, [esp + 0x40]
            //   4883f801             | dec                 eax
            //   0f868a000000         | not                 ecx

        $sequence_6 = { 75ee 488d8d50010000 33d2 41b808020000 e8???????? 488b4c2438 488d442430 }
            // n = 7, score = 100
            //   75ee                 | jg                  0x271
            //   488d8d50010000       | mov                 eax, dword ptr [ebx + 0x32f8]
            //   33d2                 | mov                 dword ptr [esp + 0x38], 0
            //   41b808020000         | inc                 ecx
            //   e8????????           |                     
            //   488b4c2438           | mov                 ecx, 1
            //   488d442430           | dec                 eax

        $sequence_7 = { 488d4c2420 ba04010000 ff15???????? 33c0 4883c9ff 488d7c2420 66f2af }
            // n = 7, score = 100
            //   488d4c2420           | mov                 eax, ecx
            //   ba04010000           | mov                 edx, ecx
            //   ff15????????         |                     
            //   33c0                 | mov                 byte ptr [ebp + eax + 0x548], cl
            //   4883c9ff             | nop                 dword ptr [eax + eax]
            //   488d7c2420           | inc                 edx
            //   66f2af               | movzx               eax, byte ptr [ebp + eax - 0x78]

        $sequence_8 = { ff15???????? 418985a8010000 32db 48897c2430 897c2428 897c2420 4533c9 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   418985a8010000       | jl                  0x124c
            //   32db                 | dec                 eax
            //   48897c2430           | arpl                dx, ax
            //   897c2428             | dec                 eax
            //   897c2420             | mov                 edx, ecx
            //   4533c9               | mov                 byte ptr [ebp + eax + 0x7f0], cl

        $sequence_9 = { 4863c2 4c8bc1 8bd1 888c0560080000 6690 420fb68405a0020000 49ffc0 }
            // n = 7, score = 100
            //   4863c2               | mov                 dword ptr [esp + 0x40], esp
            //   4c8bc1               | mov                 byte ptr [ebp - 0x40], 0
            //   8bd1                 | dec                 eax
            //   888c0560080000       | mov                 ebx, edx
            //   6690                 | dec                 eax
            //   420fb68405a0020000     | mov    esi, eax
            //   49ffc0               | dec                 eax

    /* NOTE(review): `filesize` is undefined when YARA scans a running process
     * rather than a file, and a comparison against an undefined value does not
     * evaluate to true, so this condition as written is not expected to match
     * in process-memory scans even though the patterns were derived from
     * memory dumps. For memory scanning, presumably evaluate `7 of them` on
     * its own. The 7-of-10 threshold also means the disclaimer above applies:
     * coverage of builds other than the documented sample is unverified.
     */
    condition:
        7 of them and filesize < 544768
}