win.cloudburst

CLOUDBURST

aka: NickelLoader

Actor(s): Lazarus Group


CLOUDBURST aka NickelLoader is an HTTP(S) downloader.

It recognizes a set of four basic commands, all five letters long, such as abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is loading a received buffer, either as a DLL via the MemoryModule implementation or as shellcode.

It uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code).

The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen).

The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022.
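The side-loading chain above (PresentationHost.exe -embeddingObject loading a disguised mscoree.dll) and the hardcoded POST parameter pairs give a defender two cheap hunting signals. The following is an added example, not Malpedia's or any referenced vendor's code: it runs a check over constructed image-load log lines in a simplified key="value" format (not a real Sysmon export), flagging PresentationHost.exe loading an mscoree.dll from outside the Windows system directories, and a second check for the gametype/type and type/code parameter pairs in a POST body.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs

# Constructed sample image-load events (simplified key="value" lines, not a
# real Sysmon export); each line records one DLL loaded by a process.
SAMPLE_EVENTS = [
    'process="C:\\Windows\\System32\\PresentationHost.exe" cmdline="PresentationHost.exe -embeddingObject" image="C:\\Windows\\System32\\mscoree.dll"',
    'process="C:\\Users\\alice\\AppData\\Roaming\\Notepad++\\plugins\\PresentationHost.exe" cmdline="PresentationHost.exe -embeddingObject" image="C:\\Users\\alice\\AppData\\Roaming\\Notepad++\\plugins\\mscoree.dll"',
    'process="C:\\Program Files\\Notepad++\\notepad++.exe" cmdline="notepad++.exe" image="C:\\Program Files\\Notepad++\\plugins\\NppyPlugin\\NppyPlugin.dll"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Directories where the genuine mscoree.dll lives on a default Windows install.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Parameter-name pairs the description lists for the initial HTTP POST.
POST_PARAM_PAIRS = ({"gametype", "type"}, {"type", "code"})

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def is_sideloaded_mscoree(event):
    """True when PresentationHost.exe loads an mscoree.dll from outside the system directories."""
    proc = PureWindowsPath(event.get("process", ""))
    image = PureWindowsPath(event.get("image", ""))
    if proc.name.lower() != "presentationhost.exe" or image.name.lower() != "mscoree.dll":
        return False
    image_dir = str(image.parent).lower()
    return not any(image_dir == d or image_dir.startswith(d + "\\") for d in SYSTEM_DIRS)

def find_sideload_events(lines):
    """Return parsed events matching the side-load pattern, noting whether -embeddingObject was present."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideloaded_mscoree(ev):
            ev["embedding_object_arg"] = "-embeddingObject" in ev.get("cmdline", "")
            hits.append(ev)
    return hits

def has_cloudburst_post_params(body):
    """True when a URL-encoded POST body carries one of the documented parameter-name pairs."""
    names = set(parse_qs(body, keep_blank_values=True))
    return any(pair <= names for pair in POST_PARAM_PAIRS)

if __name__ == "__main__":
    for hit in find_sideload_events(SAMPLE_EVENTS):
        print("suspicious mscoree.dll side-load:", hit["image"], "| -embeddingObject:", hit["embedding_object_arg"])
    print("POST body match:", has_cloudburst_post_params("gametype=1&type=2"))  # constructed body
```

The path check is the strong signal; -embeddingObject is a legitimate PresentationHost.exe argument and is recorded only as supporting context.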

References

2023-10-04 | Virus Bulletin | Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
Families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-09-29 | ESET Research | Peter Kálnai
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
Families: CLOUDBURST, LightlessCan, miniBlindingCan, sRDI

2023-03-09 | Mandiant | Mandiant Intelligence
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970
Families: CLOUDBURST, TOUCHMOVE, TOUCHSHIFT

2022-09-29 | Microsoft | LinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
Families: BLINDINGCAN, CLOUDBURST, miniBlindingCan
Yara Rules
[TLP:WHITE] win_cloudburst_auto (20230808 | Detects win.cloudburst.)
rule win_cloudburst_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cloudburst."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4533c2 4133e8 45894424f8 41896c24fc 8bc5 }
            // n = 5, score = 300
            //   4533c2               | lea                 edi, [0xc24d5]
            //   4133e8               | dec                 eax
            //   45894424f8           | mov                 esi, ebx
            //   41896c24fc           | dec                 eax
            //   8bc5                 | lea                 edi, [0xc22d7]

        $sequence_1 = { 4883ec08 8b05???????? 41be01000000 4c892c24 85c0 }
            // n = 5, score = 300
            //   4883ec08             | movzx               ecx, byte ptr [esi]
            //   8b05????????         |                     
            //   41be01000000         | movzx               eax, cl
            //   4c892c24             | and                 al, 0xc0
            //   85c0                 | cmp                 al, 0x80

        $sequence_2 = { 4c892c24 85c0 4c8bd9 4c8bd2 410f44c6 4533ed }
            // n = 6, score = 300
            //   4c892c24             | xor                 ebx, ebx
            //   85c0                 | nop                 dword ptr [eax + eax]
            //   4c8bd9               | dec                 esp
            //   4c8bd2               | mov                 edi, dword ptr [ebp]
            //   410f44c6             | dec                 ebp
            //   4533ed               | mov                 esi, dword ptr [esp]

        $sequence_3 = { 488b0d???????? 488d542444 4533c9 4533c0 488bf8 418bdd ff15???????? }
            // n = 7, score = 300
            //   488b0d????????       |                     
            //   488d542444           | mov                 dword ptr [esp + 0x50], ebp
            //   4533c9               | mov                 byte ptr [esp + 0x40], al
            //   4533c0               | inc                 esp
            //   488bf8               | lea                 eax, [eax + 7]
            //   418bdd               | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { 458942f4 458b4c24f8 418bc1 c1e818 }
            // n = 4, score = 300
            //   458942f4             | xor                 ecx, eax
            //   458b4c24f8           | inc                 esp
            //   418bc1               | xor                 ecx, ecx
            //   c1e818               | test                edx, edx

        $sequence_5 = { ba00080000 488bcb e8???????? 4c8d442430 }
            // n = 4, score = 300
            //   ba00080000           | mov                 eax, dword ptr [edi + esi*8 + 0x10]
            //   488bcb               | dec                 esp
            //   e8????????           |                     
            //   4c8d442430           | lea                 esi, [eax + eax*2]

        $sequence_6 = { 8b05???????? 41be01000000 4c892c24 85c0 4c8bd9 }
            // n = 5, score = 300
            //   8b05????????         |                     
            //   41be01000000         | arpl                word ptr [edi + ebp*8 + 4], cx
            //   4c892c24             | dec                 eax
            //   85c0                 | mov                 dword ptr [ebp - 0x38], esi
            //   4c8bd9               | dec                 eax

        $sequence_7 = { 03c2 8bc8 83e00f 3bc2 7407 }
            // n = 5, score = 300
            //   03c2                 | lea                 ecx, [ebp + 0x80]
            //   8bc8                 | jne                 0x13e8
            //   83e00f               | dec                 eax
            //   3bc2                 | lea                 edx, [0xc0c18]
            //   7407                 | dec                 eax

        $sequence_8 = { 33d6 41891424 4133d3 33fa 4189542404 33df 41897c2408 }
            // n = 7, score = 300
            //   33d6                 | jmp                 ecx
            //   41891424             | dec                 esp
            //   4133d3               | lea                 ecx, [0xbed79]
            //   33fa                 | dec                 eax
            //   4189542404           | lea                 edx, [0x15e74]
            //   33df                 | dec                 eax
            //   41897c2408           | mov                 ecx, esi

        $sequence_9 = { 41b904000000 4c8d442440 418d5101 ff15???????? 85c0 74b1 }
            // n = 6, score = 300
            //   41b904000000         | dec                 eax
            //   4c8d442440           | mov                 ecx, dword ptr [esp + 0x60]
            //   418d5101             | inc                 esp
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, edi
            //   74b1                 | dec                 eax

    condition:
        7 of them and filesize < 2363392
}