SYMBOLCOMMON_NAMEaka. SYNONYMS
win.eyservice (Back to overview)

EYService

Actor(s): Nazar


EYService is the main part of the backdoor used by Nazar APT. This a passive backdoor that relies on, now discontinued, Packet Sniffer SDK (PSSDK) from Microolap.

References
2020-05-05CheckpointCheck Point Research
@online{research:20200505:nazar:a4d2c7c, author = {Check Point Research}, title = {{Nazar: Spirits of the Past}}, date = {2020-05-05}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/nazar-spirits-of-the-past/}, language = {English}, urldate = {2020-05-05} } Nazar: Spirits of the Past
EYService
2020-04-27MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200427:quick:e6bf310, author = {Maciej Kotowicz}, title = {{Quick look at Nazar's backdoor - Network Communication}}, date = {2020-04-27}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice_comm/}, language = {English}, urldate = {2020-05-05} } Quick look at Nazar's backdoor - Network Communication
EYService
2020-04-23MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200423:quick:ce2218e, author = {Maciej Kotowicz}, title = {{Quick look at Nazar backdoor - Capabilities}}, date = {2020-04-23}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice/}, language = {English}, urldate = {2020-05-05} } Quick look at Nazar backdoor - Capabilities
EYService
2020-04-22EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } Nazar: A Lost Amulet
EYService Nazar
2018-03CrySyS LabBoldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
Yara Rules
[TLP:WHITE] win_eyservice_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_eyservice_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { a3???????? ff15???????? ffd0 833d????????00 0f84c5000000 53 8b1d???????? }
            // n = 7, score = 100
            //   a3????????           |                     
            //   ff15????????         |                     
            //   ffd0                 | call                eax
            //   833d????????00       |                     
            //   0f84c5000000         | je                  0xcb
            //   53                   | push                ebx
            //   8b1d????????         |                     

        $sequence_1 = { 3bc6 740a 55 8bc8 e8???????? 8bf0 }
            // n = 6, score = 100
            //   3bc6                 | cmp                 eax, esi
            //   740a                 | je                  0xc
            //   55                   | push                ebp
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_2 = { 59 5f 5e 83c448 c20800 8d4c240c c7442450ffffffff }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   83c448               | add                 esp, 0x48
            //   c20800               | ret                 8
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   c7442450ffffffff     | mov                 dword ptr [esp + 0x50], 0xffffffff

        $sequence_3 = { b924000000 66894f08 5f 5e 5d 8d41ea 5b }
            // n = 7, score = 100
            //   b924000000           | mov                 ecx, 0x24
            //   66894f08             | mov                 word ptr [edi + 8], cx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   8d41ea               | lea                 eax, [ecx - 0x16]
            //   5b                   | pop                 ebx

        $sequence_4 = { eb1f 83f806 751a 837c241000 7513 837c241802 }
            // n = 6, score = 100
            //   eb1f                 | jmp                 0x21
            //   83f806               | cmp                 eax, 6
            //   751a                 | jne                 0x1c
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0
            //   7513                 | jne                 0x15
            //   837c241802           | cmp                 dword ptr [esp + 0x18], 2

        $sequence_5 = { 837e18ff 7519 b809000000 8b4c2448 64890d00000000 59 }
            // n = 6, score = 100
            //   837e18ff             | cmp                 dword ptr [esi + 0x18], -1
            //   7519                 | jne                 0x1b
            //   b809000000           | mov                 eax, 9
            //   8b4c2448             | mov                 ecx, dword ptr [esp + 0x48]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx

        $sequence_6 = { 8d4c240c 51 8bd1 68???????? }
            // n = 4, score = 100
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   51                   | push                ecx
            //   8bd1                 | mov                 edx, ecx
            //   68????????           |                     

        $sequence_7 = { 0fb728 83c002 83ee02 03df 03eb 85f6 7405 }
            // n = 7, score = 100
            //   0fb728               | movzx               ebp, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   83ee02               | sub                 esi, 2
            //   03df                 | add                 ebx, edi
            //   03eb                 | add                 ebp, ebx
            //   85f6                 | test                esi, esi
            //   7405                 | je                  7

        $sequence_8 = { 33c9 52 6689442476 66894c2478 ffd3 668b4c2472 66894c242a }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   52                   | push                edx
            //   6689442476           | mov                 word ptr [esp + 0x76], ax
            //   66894c2478           | mov                 word ptr [esp + 0x78], cx
            //   ffd3                 | call                ebx
            //   668b4c2472           | mov                 cx, word ptr [esp + 0x72]
            //   66894c242a           | mov                 word ptr [esp + 0x2a], cx

        $sequence_9 = { 753f 80be9c00000001 6a01 57 7508 8b8e94000000 eb06 }
            // n = 7, score = 100
            //   753f                 | jne                 0x41
            //   80be9c00000001       | cmp                 byte ptr [esi + 0x9c], 1
            //   6a01                 | push                1
            //   57                   | push                edi
            //   7508                 | jne                 0xa
            //   8b8e94000000         | mov                 ecx, dword ptr [esi + 0x94]
            //   eb06                 | jmp                 8

    condition:
        7 of them and filesize < 452608
}
Download all Yara Rules