win.eyservice (Back to overview)

EYService

Actor(s): Nazar


EYService is the main part of the backdoor used by Nazar APT. It is a passive backdoor that relies on the now-discontinued Packet Sniffer SDK (PSSDK) from Microolap.

References
2020-05-05 — Checkpoint — Check Point Research
@online{research:20200505:nazar:a4d2c7c, author = {Check Point Research}, title = {{Nazar: Spirits of the Past}}, date = {2020-05-05}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/nazar-spirits-of-the-past/}, language = {English}, urldate = {2020-05-05} } Nazar: Spirits of the Past
EYService
2020-04-27 — MalwareLab.pl — Maciej Kotowicz
@online{kotowicz:20200427:quick:e6bf310, author = {Maciej Kotowicz}, title = {{Quick look at Nazar's backdoor - Network Communication}}, date = {2020-04-27}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice_comm/}, language = {English}, urldate = {2020-05-05} } Quick look at Nazar's backdoor - Network Communication
EYService
2020-04-23 — MalwareLab.pl — Maciej Kotowicz
@online{kotowicz:20200423:quick:ce2218e, author = {Maciej Kotowicz}, title = {{Quick look at Nazar backdoor - Capabilities}}, date = {2020-04-23}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice/}, language = {English}, urldate = {2020-05-05} } Quick look at Nazar backdoor - Capabilities
EYService
2020-04-22 — EpicTurla — Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } Nazar: A Lost Amulet
EYService Nazar
2018-03 — CrySyS Lab — Boldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
Yara Rules
[TLP:WHITE] win_eyservice_auto (20230715 | Detects win.eyservice.)
rule win_eyservice_auto {
    // Code-pattern signature for the EYService backdoor (Malpedia family win.eyservice),
    // generated by YARA-Signator from disassembly. Each $sequence_N below is a short run
    // of x86 instruction encodings (6 or 7 instructions, see the "n =" comments) that the
    // generator annotated with "score = 100" for this family. The rule fires when any 7 of
    // the 10 sequences are present in scanned data smaller than 452608 bytes (442 KiB);
    // see the condition at the bottom.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.eyservice."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // In the hex strings, "??" is a YARA wildcard that matches any single byte. The
    // generator left the four-byte operands of the call/jmp/push/mov-from-memory
    // instructions unconstrained (blank right-hand column in the disassembly comments),
    // presumably because those are relocatable addresses and displacements that differ
    // between builds and load addresses. Opcode bytes, register encodings and small
    // immediates/displacements are matched exactly. Each sequence must occur as one
    // contiguous byte run; the rule does not constrain where in the file it appears.

    strings:
        $sequence_0 = { 8b7c2418 57 8bce e8???????? 8b4f04 8b86a4000000 8b3f }
            // n = 7, score = 100
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]
            //   57                   | push                edi
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   8b86a4000000         | mov                 eax, dword ptr [esi + 0xa4]
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_1 = { 8d942424090000 68???????? 52 ff15???????? 83c408 57 85c0 }
            // n = 7, score = 100
            //   8d942424090000       | lea                 edx, [esp + 0x924]
            //   68????????           |                     
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   57                   | push                edi
            //   85c0                 | test                eax, eax

        $sequence_2 = { 8d4e04 e8???????? c744241400000000 e8???????? 8d462c 50 c706ffffffff }
            // n = 7, score = 100
            //   8d4e04               | lea                 ecx, [esi + 4]
            //   e8????????           |                     
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   e8????????           |                     
            //   8d462c               | lea                 eax, [esi + 0x2c]
            //   50                   | push                eax
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff

        $sequence_3 = { e9???????? 8b35???????? 57 6aff 68???????? 6aff 8d542474 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b35????????         |                     
            //   57                   | push                edi
            //   6aff                 | push                -1
            //   68????????           |                     
            //   6aff                 | push                -1
            //   8d542474             | lea                 edx, [esp + 0x74]

        $sequence_4 = { 5e 5d 8d42f9 5b 59 c20400 8b7c2418 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   8d42f9               | lea                 eax, [edx - 7]
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]

        $sequence_5 = { 6a00 52 50 55 ff15???????? 89460c 83f8ff }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   52                   | push                edx
            //   50                   | push                eax
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   83f8ff               | cmp                 eax, -1

        $sequence_6 = { 52 6a00 68???????? 50 c744242408020000 c744242801000000 ffd3 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   6a00                 | push                0
            //   68????????           |                     
            //   50                   | push                eax
            //   c744242408020000     | mov                 dword ptr [esp + 0x24], 0x208
            //   c744242801000000     | mov                 dword ptr [esp + 0x28], 1
            //   ffd3                 | call                ebx

        $sequence_7 = { 2bf0 7424 3bf1 7602 8bf1 8b4f0c }
            // n = 6, score = 100
            //   2bf0                 | sub                 esi, eax
            //   7424                 | je                  0x26
            //   3bf1                 | cmp                 esi, ecx
            //   7602                 | jbe                 4
            //   8bf1                 | mov                 esi, ecx
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]

        $sequence_8 = { 8a8ee4000000 80f902 7318 57 8b3d???????? 90 6a01 }
            // n = 7, score = 100
            //   8a8ee4000000         | mov                 cl, byte ptr [esi + 0xe4]
            //   80f902               | cmp                 cl, 2
            //   7318                 | jae                 0x1a
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   90                   | nop                 
            //   6a01                 | push                1

        $sequence_9 = { 8b74240c 8b462c 33db 57 3bc3 7415 }
            // n = 6, score = 100
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   3bc3                 | cmp                 eax, ebx
            //   7415                 | je                  0x17

    condition:
        // Any 7 of the 10 sequences above must match (no specific subset is required),
        // and the scanned object must be smaller than 452608 bytes (442 KiB). The size
        // cap presumably reflects the samples the rule was generated from; a larger
        // (e.g. packed or padded) carrier containing the same code is not matched.
        // NOTE(review): `filesize` refers to the scanned file, so results on memory
        // dumps and unpacked images may differ from on-disk scans -- confirm for the
        // scanning setup in use.
        7 of them and filesize < 452608
}