win.comebacker

ComeBacker

Actor(s): Lazarus Group


ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.

It is an HTTP(S) downloader.

It uses the AES CBC cipher, implemented through OpenSSL's EVP interface, to decrypt its configuration and to encrypt and decrypt the client-server communication.

The parameter names in the client's HTTP POST requests are generated randomly. For the initial connection, the client exchanges keys with the server via the Diffie–Hellman key agreement protocol on the elliptic curve secp521r1. The client generates a random 32-byte private key, and the server responds with its public key in a buffer starting with the wide character "0".

Next, the client sends the current local time, and the server responds with a buffer containing multiple values separated by the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL, used to verify the authenticity of the payload.

There are variants of ComeBacker without statically linked OpenSSL. In that case, the key exchange is omitted and AES CBC is replaced with HC-256.

References
2023-11-10 | HAURI | HAURI
  Detailed analysis report: Malware disguised as Putty (Lazarus APT)
  Families: ComeBacker
2021-04-01 | AhnLab | ASEC Analysis Team
  ASEC REPORT VOL.102 Q1 2021
  Families: ComeBacker, JessieConTea, LCPDot
2021-02-01 | One Night in Norfolk | Kevin Perlow
  DPRK Targeting Researchers II: .Sys Payload and Registry Hunting
  Families: ComeBacker
2021-01-30 | Microstep Intelligence Bureau | Microstep online research response team
  Analysis of Lazarus attacks against security researchers
  Families: ComeBacker
2021-01-29 | NSFOCUS | Fuying Laboratory
  Understanding STUMBzarus: an in-depth analysis of the Lazarus APT group's recent targeted-attack components (original title: 认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析)
  Families: ComeBacker, DRATzarus, Torisma
2021-01-28 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
  ZINC attacks against security researchers
  Families: ComeBacker, Klackring
2021-01-26 | One Night in Norfolk | Kevin Perlow
  DPRK Malware Targeting Security Researchers
  Families: ComeBacker
2021-01-26 | Comae | Matt Suiche
  PANDORABOX - North Koreans target security researchers
  Families: ComeBacker
2021-01-25 | Google | Adam Weidemann
  New campaign targeting security researchers
  Families: ComeBacker, DRATzarus
Yara Rules
[TLP:WHITE] win_comebacker_auto (20230808 | Detects win.comebacker.)
rule win_comebacker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.comebacker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6683f809 7f04 0430 eb02 }
            // n = 4, score = 500
            //   6683f809             | cmp                 ax, 9
            //   7f04                 | jg                  6
            //   0430                 | add                 al, 0x30
            //   eb02                 | jmp                 4

        $sequence_1 = { 4c8d0d7ad60300 8d5049 8d48e0 448d4013 c7442420bb020000 e8???????? }
            // n = 6, score = 400
            //   4c8d0d7ad60300       | lea                 ebx, [ebp + 0x7b0]
            //   8d5049               | dec                 eax
            //   8d48e0               | lea                 eax, [ebp + 0x280]
            //   448d4013             | dec                 esp
            //   c7442420bb020000     | mov                 dword ptr [esp + 0x40], ebx
            //   e8????????           |                     

        $sequence_2 = { 41894704 418bc4 48c1e810 0fb6c8 418bc0 0fb6943170e30400 }
            // n = 6, score = 400
            //   41894704             | inc                 ecx
            //   418bc4               | mov                 dword ptr [edi + 4], eax
            //   48c1e810             | inc                 ecx
            //   0fb6c8               | mov                 eax, esp
            //   418bc0               | dec                 eax
            //   0fb6943170e30400     | shr                 eax, 0x10

        $sequence_3 = { 4c8d0dc2a10300 8d5078 8d4803 448d4041 }
            // n = 4, score = 400
            //   4c8d0dc2a10300       | inc                 esp
            //   8d5078               | lea                 eax, [eax + 0x13]
            //   8d4803               | mov                 dword ptr [esp + 0x20], 0x2bb
            //   448d4041             | dec                 esp

        $sequence_4 = { 4c8d9db0070000 488d8580020000 4c895c2440 89742438 4489742430 }
            // n = 5, score = 400
            //   4c8d9db0070000       | movzx               ecx, al
            //   488d8580020000       | inc                 ecx
            //   4c895c2440           | mov                 eax, eax
            //   89742438             | movzx               edx, byte ptr [ecx + esi + 0x4e370]
            //   4489742430           | dec                 esp

        $sequence_5 = { 3241ff 48ffca 88440bff 75ed 488bfe }
            // n = 5, score = 400
            //   3241ff               | lea                 ecx, [0x34daf]
            //   48ffca               | mov                 edx, 0xca
            //   88440bff             | mov                 ecx, 0x10
            //   75ed                 | dec                 eax
            //   488bfe               | mov                 ecx, edi

        $sequence_6 = { 4c8d0daf4d0300 baca000000 b910000000 e8???????? 488bcf }
            // n = 5, score = 400
            //   4c8d0daf4d0300       | mov                 dword ptr [esp + 0x38], esi
            //   baca000000           | inc                 esp
            //   b910000000           | mov                 dword ptr [esp + 0x30], esi
            //   e8????????           |                     
            //   488bcf               | dec                 esp

        $sequence_7 = { 4c89ac2408290300 664489b5a0050000 e8???????? 488d8d92030000 }
            // n = 4, score = 400
            //   4c89ac2408290300     | lea                 ecx, [0x3d67a]
            //   664489b5a0050000     | lea                 edx, [eax + 0x49]
            //   e8????????           |                     
            //   488d8d92030000       | lea                 ecx, [eax - 0x20]

        $sequence_8 = { ff15???????? 83bdc4f8ffff00 741c 68???????? e8???????? 69c0e8030000 83c404 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83bdc4f8ffff00       | cmp                 dword ptr [ebp - 0x73c], 0
            //   741c                 | je                  0x1e
            //   68????????           |                     
            //   e8????????           |                     
            //   69c0e8030000         | imul                eax, eax, 0x3e8
            //   83c404               | add                 esp, 4

        $sequence_9 = { c74424183ba7ca84 c744241c85ae67bb c74424202bf894fe c744242472f36e3c }
            // n = 4, score = 100
            //   c74424183ba7ca84     | mov                 dword ptr [esp + 0x18], 0x84caa73b
            //   c744241c85ae67bb     | mov                 dword ptr [esp + 0x1c], 0xbb67ae85
            //   c74424202bf894fe     | mov                 dword ptr [esp + 0x20], 0xfe94f82b
            //   c744242472f36e3c     | mov                 dword ptr [esp + 0x24], 0x3c6ef372

        $sequence_10 = { 8a44242a 8b1c8d38640410 8b048538600410 8bca 33c3 }
            // n = 5, score = 100
            //   8a44242a             | mov                 al, byte ptr [esp + 0x2a]
            //   8b1c8d38640410       | mov                 ebx, dword ptr [ecx*4 + 0x10046438]
            //   8b048538600410       | mov                 eax, dword ptr [eax*4 + 0x10046038]
            //   8bca                 | mov                 ecx, edx
            //   33c3                 | xor                 eax, ebx

        $sequence_11 = { 8d1433 52 50 ff15???????? 85c0 0f8435ffffff 8b15???????? }
            // n = 7, score = 100
            //   8d1433               | lea                 edx, [ebx + esi]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8435ffffff         | je                  0xffffff3b
            //   8b15????????         |                     

        $sequence_12 = { 68???????? 52 ffd7 8d85fcf7ffff 83c408 8d5002 668b08 }
            // n = 7, score = 100
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8d85fcf7ffff         | lea                 eax, [ebp - 0x804]
            //   83c408               | add                 esp, 8
            //   8d5002               | lea                 edx, [eax + 2]
            //   668b08               | mov                 cx, word ptr [eax]

        $sequence_13 = { 83f906 0f87c1000000 ff248d302a0210 8b4810 85c9 74d6 8b490c }
            // n = 7, score = 100
            //   83f906               | cmp                 ecx, 6
            //   0f87c1000000         | ja                  0xc7
            //   ff248d302a0210       | jmp                 dword ptr [ecx*4 + 0x10022a30]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   85c9                 | test                ecx, ecx
            //   74d6                 | je                  0xffffffd8
            //   8b490c               | mov                 ecx, dword ptr [ecx + 0xc]

        $sequence_14 = { 8b8dacfeffff 51 e8???????? 8b9db0feffff }
            // n = 4, score = 100
            //   8b8dacfeffff         | mov                 ecx, dword ptr [ebp - 0x154]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b9db0feffff         | mov                 ebx, dword ptr [ebp - 0x150]

    condition:
        7 of them and filesize < 1429504
}