win.chinotto

Chinotto

Actor(s): APT37


There is no description at this point.

References
2023-03-28 — ThreatMon — ThreatMon Malware Research Team, seyitsec
@online{team:20230328:chinotto:95afa43, author = {ThreatMon Malware Research Team and seyitsec}, title = {{Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon}}, date = {2023-03-28}, organization = {ThreatMon}, url = {https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/}, language = {English}, urldate = {2023-03-29} } Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon
Chinotto
2023-03-21 — Zscaler — Sudeep Singh, Naveen Selvan
@online{singh:20230321:unintentional:9d7f138, author = {Sudeep Singh and Naveen Selvan}, title = {{The Unintentional Leak: A glimpse into the attack vectors of APT37}}, date = {2023-03-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37}, language = {English}, urldate = {2023-09-18} } The Unintentional Leak: A glimpse into the attack vectors of APT37
Chinotto
2023-03-16 — Sekoia — Threat & Detection Research Team
@online{team:20230316:peeking:347803a, author = {Threat & Detection Research Team}, title = {{Peeking at Reaper’s surveillance operations}}, date = {2023-03-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/}, language = {English}, urldate = {2023-03-20} } Peeking at Reaper’s surveillance operations
Chinotto
2023-01-27 — ThorCERT — Taewoo Lee, Dongwook Kim, Seulgi Lee
@online{lee:20230127:ttps:7fa02fb, author = {Taewoo Lee and Dongwook Kim and Seulgi Lee}, title = {{TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives}}, date = {2023-01-27}, organization = {ThorCERT}, url = {https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92}, language = {Korean}, urldate = {2023-02-14} } TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives
Chinotto
2022-12-05 — KISA — KrCERT
@online{krcert:20221205:ttps9:b319cfe, author = {KrCERT}, title = {{TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals}}, date = {2022-12-05}, organization = {KISA}, url = {https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064}, language = {Korean}, urldate = {2023-01-25} } TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals
Chinotto
2021-11-29 — Kaspersky — GReAT
@online{great:20211129:scarcruft:986e7f4, author = {GReAT}, title = {{ScarCruft surveilling North Korean defectors and human rights activists}}, date = {2021-11-29}, organization = {Kaspersky}, url = {https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/}, language = {English}, urldate = {2021-12-07} } ScarCruft surveilling North Korean defectors and human rights activists
Chinotto Chinotto PoorWeb
Yara Rules
[TLP:WHITE] win_chinotto_auto (20230715 | Detects win.chinotto.)
rule win_chinotto_auto {
    // Autogenerated YARA-Signator rule for the Chinotto backdoor (attributed to
    // APT37 on this page). Each $sequence_N below is a contiguous run of 32-bit
    // x86 instruction bytes lifted from disassembly; the "??" wildcards mask
    // relocatable operands (call/jmp displacements, absolute addresses) so a
    // match does not depend on load address or import layout. In the generated
    // comments "n" is the instruction count; "score" is yara-signator's own
    // ranking — NOTE(review): its scale is not documented here, see the tool.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.chinotto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto"
        malpedia_rule_date = "20230705"
        // NOTE(review): what this 40-hex value identifies (dataset snapshot vs.
        // sample) is not stated on the page — confirm with Malpedia before
        // treating it as an IoC.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-built UTF-16LE literal: decoding the six immediates
        // (0x0035 '5', 0x0033 '3', 0x0037 '7', 0x002e '.', 0x0033 '3',
        // 0x0036 '6', 0x0020 ' ', 0x0028 '(', 0x004b 'K', 0x0048 'H',
        // 0x0054 'T', 0x004d 'M') gives "537.36 (KHTM", written to six
        // consecutive dwords at [ebp-0x80]..[ebp-0x6c]. Looks like a fragment
        // of a Chromium-style User-Agent ("AppleWebKit/537.36 (KHTML, like
        // Gecko)") assembled on the stack — TODO confirm against a sample.
        // Because the text never exists as a contiguous wide string in the
        // file, a plain "wide" string rule would not see it; this byte
        // pattern does.
        $sequence_0 = { c7458035003300 c7458437002e00 c7458833003600 c7458c20002800 c745904b004800 c7459454004d00 }
            // n = 6, score = 100
            //   c7458035003300       | mov                 dword ptr [ebp - 0x80], 0x330035
            //   c7458437002e00       | mov                 dword ptr [ebp - 0x7c], 0x2e0037
            //   c7458833003600       | mov                 dword ptr [ebp - 0x78], 0x360033
            //   c7458c20002800       | mov                 dword ptr [ebp - 0x74], 0x280020
            //   c745904b004800       | mov                 dword ptr [ebp - 0x70], 0x48004b
            //   c7459454004d00       | mov                 dword ptr [ebp - 0x6c], 0x4d0054

        // Register saves, zeroing of a dword in a large (>0x900 byte) stack
        // frame, then an indirect call through an absolute address
        // (ff15 = call dword ptr [disp32], the usual import-thunk form; the
        // address is wildcarded). The generator leaves the mnemonic column
        // blank for wildcarded instructions.
        $sequence_1 = { 52 53 56 57 c7859cf6ffff00000000 ff15???????? 57 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   c7859cf6ffff00000000     | mov    dword ptr [ebp - 0x964], 0
            //   ff15????????         |                     
            //   57                   | push                edi

        // After a wildcarded relative call (e8), edx = (ebp-0x420) - eax, so
        // [edx + eax] resolves to the stack buffer at ebp-0x420 while eax
        // walks the source. The movzx/mov pair moves one 16-bit unit at a
        // time — consistent with a wide-char copy loop; "lea esp, [esp]" is a
        // 7-byte no-op the compiler emits for loop alignment.
        $sequence_2 = { 8bd8 e8???????? 8d95e0fbffff 2bd0 8da42400000000 0fb708 66890c02 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   8d95e0fbffff         | lea                 edx, [ebp - 0x420]
            //   2bd0                 | sub                 edx, eax
            //   8da42400000000       | lea                 esp, [esp]
            //   0fb708               | movzx               ecx, word ptr [eax]
            //   66890c02             | mov                 word ptr [edx + eax], cx

        // ecx = (edi & 0xfff) + 2, then imul by 0x55555556. That constant is
        // the multiplicative-inverse value compilers typically emit for signed
        // division by 3, with the quotient landing in edx (copied to ecx).
        // Arithmetic like this survives recompilation better than string
        // data, which is why it makes a useful anchor.
        $sequence_3 = { 8bcf 81e1ff0f0000 83c102 b856555555 f7e9 8bca }
            // n = 6, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   81e1ff0f0000         | and                 ecx, 0xfff
            //   83c102               | add                 ecx, 2
            //   b856555555           | mov                 eax, 0x55555556
            //   f7e9                 | imul                ecx
            //   8bca                 | mov                 ecx, edx

        // A wildcarded call followed by a standard ebp-frame epilogue
        // (mov esp, ebp / pop ebp / ret). The bytes after ret are not part of
        // the same function — presumably the start of the following one,
        // which addresses a ~3 KiB stack frame at ebp-0xc44.
        $sequence_4 = { e8???????? 8be5 5d c3 8d95bcf3ffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d95bcf3ffff         | lea                 edx, [ebp - 0xc44]

        // Stack cleanup of one dword (consistent with a 1-argument cdecl call,
        // not visible here), test of the return value, then three field reads
        // from the object in esi at +0x3c, +0x28, +0x2c. $sequence_8 writes the
        // same offsets, so both likely touch the same structure.
        $sequence_5 = { 83c404 85c0 7563 8b4e3c 8b7e28 8b5e2c }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7563                 | jne                 0x65
            //   8b4e3c               | mov                 ecx, dword ptr [esi + 0x3c]
            //   8b7e28               | mov                 edi, dword ptr [esi + 0x28]
            //   8b5e2c               | mov                 ebx, dword ptr [esi + 0x2c]

        // Two NULL arguments, an import-thunk call (ff15), a load of esi from
        // an absolute address (8b35 = mov esi, dword ptr [disp32]), then
        // "call esi" and a push of an absolute immediate (68 = push imm32).
        // Every address-carrying operand is wildcarded, so only the calling
        // pattern is matched.
        $sequence_6 = { 6a00 6a00 ff15???????? 8b35???????? 53 ffd6 68???????? }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   68????????           |                     

        // Two long-form conditional jumps around a pointer step: edx = esi+3
        // is tested for zero and esi then advances by 6. Looks like a walk over
        // a buffer in fixed-size records — TODO confirm the record layout.
        $sequence_7 = { 0f84b7010000 8d5603 85d2 0f84b1000000 83c606 }
            // n = 5, score = 100
            //   0f84b7010000         | je                  0x1bd
            //   8d5603               | lea                 edx, [esi + 3]
            //   85d2                 | test                edx, edx
            //   0f84b1000000         | je                  0xb7
            //   83c606               | add                 esi, 6

        // Field initialisation of the object in esi: stores to +0x3c, +0x24,
        // +0x28, +0x2c and +0x38, with a "push 0" and "mov eax, esi"
        // interleaved. Offsets +0x28/+0x2c/+0x3c match the reads in
        // $sequence_5.
        $sequence_8 = { 89463c 6a00 8bc6 895624 897e28 895e2c 894e38 }
            // n = 7, score = 100
            //   89463c               | mov                 dword ptr [esi + 0x3c], eax
            //   6a00                 | push                0
            //   8bc6                 | mov                 eax, esi
            //   895624               | mov                 dword ptr [esi + 0x24], edx
            //   897e28               | mov                 dword ptr [esi + 0x28], edi
            //   895e2c               | mov                 dword ptr [esi + 0x2c], ebx
            //   894e38               | mov                 dword ptr [esi + 0x38], ecx

        // Short jump over a 3-byte gap, then esi = first stack argument
        // ([ebp+8] in a standard ebp frame), a read of its field at +0x5c and
        // edi cleared — the shortest pattern in the set (n = 4), so the least
        // specific on its own.
        $sequence_9 = { eb03 8b7508 8b465c 33ff }
            // n = 4, score = 100
            //   eb03                 | jmp                 5
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   33ff                 | xor                 edi, edi

    condition:
        // At least 7 of the 10 sequences must match, which tolerates a few
        // sequences being recompiled away or patched. The size cap
        // (300032 bytes, ~293 KiB) bounds false positives on large binaries;
        // NOTE(review): "filesize" is only defined when scanning a file, so
        // check YARA's documented behaviour before relying on this rule for
        // process-memory scans. No PE-header check is applied, in keeping with
        // the disclaimer that sources include memory dumps.
        7 of them and filesize < 300032
}