SYMBOLCOMMON_NAMEaka. SYNONYMS
win.eyservice (Back to overview)

EYService

Actor(s): Nazar


EYService is the main part of the backdoor used by Nazar APT. This a passive backdoor that relies on, now discontinued, Packet Sniffer SDK (PSSDK) from Microolap.

References
2020-05-05CheckpointCheck Point Research
@online{research:20200505:nazar:a4d2c7c, author = {Check Point Research}, title = {{Nazar: Spirits of the Past}}, date = {2020-05-05}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/nazar-spirits-of-the-past/}, language = {English}, urldate = {2020-05-05} } Nazar: Spirits of the Past
EYService
2020-04-27MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200427:quick:e6bf310, author = {Maciej Kotowicz}, title = {{Quick look at Nazar's backdoor - Network Communication}}, date = {2020-04-27}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice_comm/}, language = {English}, urldate = {2020-05-05} } Quick look at Nazar's backdoor - Network Communication
EYService
2020-04-23MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200423:quick:ce2218e, author = {Maciej Kotowicz}, title = {{Quick look at Nazar backdoor - Capabilities}}, date = {2020-04-23}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice/}, language = {English}, urldate = {2020-05-05} } Quick look at Nazar backdoor - Capabilities
EYService
2020-04-22EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } Nazar: A Lost Amulet
EYService Nazar
2018-03CrySyS LabBoldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
Yara Rules
[TLP:WHITE] win_eyservice_auto (20221125 | Detects win.eyservice.)
rule win_eyservice_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.eyservice."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b44241c 50 ff15???????? 8b4c2424 56 83c104 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   56                   | push                esi
            //   83c104               | add                 ecx, 4

        $sequence_1 = { 8986d0000000 8900 899ec8000000 8d86dc000000 899ed8000000 8986e0000000 5e }
            // n = 7, score = 100
            //   8986d0000000         | mov                 dword ptr [esi + 0xd0], eax
            //   8900                 | mov                 dword ptr [eax], eax
            //   899ec8000000         | mov                 dword ptr [esi + 0xc8], ebx
            //   8d86dc000000         | lea                 eax, [esi + 0xdc]
            //   899ed8000000         | mov                 dword ptr [esi + 0xd8], ebx
            //   8986e0000000         | mov                 dword ptr [esi + 0xe0], eax
            //   5e                   | pop                 esi

        $sequence_2 = { 8bc3 5b c3 33c0 66890477 bb7a000780 5f }
            // n = 7, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   66890477             | mov                 word ptr [edi + esi*2], ax
            //   bb7a000780           | mov                 ebx, 0x8007007a
            //   5f                   | pop                 edi

        $sequence_3 = { 50 50 50 50 50 8d4c2448 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   8d4c2448             | lea                 ecx, [esp + 0x48]

        $sequence_4 = { 50 6802000080 ff15???????? 85c0 7567 8b54241c 8d4c2418 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7567                 | jne                 0x69
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8d4c2418             | lea                 ecx, [esp + 0x18]

        $sequence_5 = { 8dbe50010000 8d9e54010000 8dae4c010000 56 c70700000000 c70300000000 c7450000000000 }
            // n = 7, score = 100
            //   8dbe50010000         | lea                 edi, [esi + 0x150]
            //   8d9e54010000         | lea                 ebx, [esi + 0x154]
            //   8dae4c010000         | lea                 ebp, [esi + 0x14c]
            //   56                   | push                esi
            //   c70700000000         | mov                 dword ptr [edi], 0
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   c7450000000000       | mov                 dword ptr [ebp], 0

        $sequence_6 = { 57 8b7c2408 85ff 742b 837f0400 7625 56 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8b7c2408             | mov                 edi, dword ptr [esp + 8]
            //   85ff                 | test                edi, edi
            //   742b                 | je                  0x2d
            //   837f0400             | cmp                 dword ptr [edi + 4], 0
            //   7625                 | jbe                 0x27
            //   56                   | push                esi

        $sequence_7 = { 8b442410 50 e8???????? 83c404 5f 5d 5b }
            // n = 7, score = 100
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx

        $sequence_8 = { e8???????? 8d9ea8010000 8d4308 3900 7427 57 8bcb }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d9ea8010000         | lea                 ebx, [esi + 0x1a8]
            //   8d4308               | lea                 eax, [ebx + 8]
            //   3900                 | cmp                 dword ptr [eax], eax
            //   7427                 | je                  0x29
            //   57                   | push                edi
            //   8bcb                 | mov                 ecx, ebx

        $sequence_9 = { 6a01 8d442470 50 eb48 8b4c2414 49 51 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   8d442470             | lea                 eax, [esp + 0x70]
            //   50                   | push                eax
            //   eb48                 | jmp                 0x4a
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   49                   | dec                 ecx
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 452608
}
Download all Yara Rules