Malpedia family identifier: win.forest_tiger

ForestTiger

aka: ScoringMathTea

Actor(s): Lazarus Group


No description has been written for this family yet; the references below are the only sourcing available on this page.

References
2023-10-18 — Microsoft — Microsoft Threat Intelligence
Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
FeedLoad ForestTiger HazyLoad RollSling Silent Chollima
2023-10-04 — Virus Bulletin — Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2023-04-12 — Kaspersky Labs — Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN ForestTiger LambLoad LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer
Yara Rules
[TLP:WHITE] win_forest_tiger_auto (20230808 | Detects win.forest_tiger.)
rule win_forest_tiger_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.forest_tiger."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reviewer annotations; the rule logic itself is unchanged)
     * - The "| mnemonic" column next to each byte sequence below has been
     *   re-derived from the bytes themselves. In the published listing these
     *   annotations did not correspond to the bytes on the same line (e.g.
     *   833f01 was shown as "test eax, eax"); read them as the decoding of the
     *   hex pattern, not as a disassembly of any particular sample offset.
     * - "n" is the number of instructions in the sequence. "score" is a
     *   yara-signator weight whose meaning is not given on this page; the
     *   values (200 on $sequence_0..3, 100 elsewhere) would be consistent with
     *   the shared run having been seen in two reference samples and the rest
     *   in one each - TODO confirm against the yara-signator documentation.
     * - The ???????? wildcards sit exactly on the rel32 of call/jmp and on the
     *   disp32 of RIP-relative operands, i.e. on addresses that change between
     *   builds and load layouts.
     * - $sequence_0..$sequence_3 are nested prefixes of ONE byte run
     *   (cmp / sete / test / je / call / jmp / call). Anything containing
     *   $sequence_3 matches all four, so they contribute up to four of the
     *   required "7 of them" while carrying a single, generic-looking
     *   compare-and-branch idiom. The condition therefore effectively demands
     *   that run plus three of $sequence_4..$sequence_9.
     * - $sequence_4, $sequence_7 and $sequence_8 decode as 32-bit code
     *   (push / esp clean-up, ebp-relative locals); $sequence_5, $sequence_6
     *   and $sequence_9 carry REX prefixes and only make sense as x64 code. A
     *   sample of one bitness is unlikely to contain the other set, so in
     *   practice it must contain the shared run plus ALL three sequences of
     *   its own bitness: the rule sits exactly at its threshold and a single
     *   recompiled sequence drops it below. Weigh this when assigning
     *   confidence, and on a miss inspect per-string hits before concluding
     *   the family is absent.
     * - There is deliberately no PE-header check (e.g. uint16(0) == 0x5A4D):
     *   the disclaimer states the strings come from memory dumps and unpacked
     *   files, which such a check would exclude. The filesize cap is emitted
     *   by the generator; its rationale is not documented here.
     */


    strings:
        $sequence_0 = { 833f01 0f94c0 84c0 7407 }
            // n = 4, score = 200
            //   833f01               | cmp                 dword ptr [edi], 1   ; [rdi] when decoded as x64
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   7407                 | je                  +7

        $sequence_1 = { 833f01 0f94c0 84c0 7407 e8???????? eb05 }
            // n = 6, score = 200
            //   833f01               | cmp                 dword ptr [edi], 1
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   7407                 | je                  +7                   ; skips the 5-byte call and the 2-byte jmp below
            //   e8????????           | call                rel32 (target wildcarded)
            //   eb05                 | jmp                 +5                   ; skips the next 5-byte instruction

        $sequence_2 = { 833f01 0f94c0 84c0 7407 e8???????? }
            // n = 5, score = 200
            //   833f01               | cmp                 dword ptr [edi], 1
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   7407                 | je                  +7
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_3 = { 833f01 0f94c0 84c0 7407 e8???????? eb05 e8???????? }
            // n = 7, score = 200
            //   833f01               | cmp                 dword ptr [edi], 1
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   7407                 | je                  +7                   ; [edi] != 1 -> jump to the second call
            //   e8????????           | call                rel32 (target wildcarded)
            //   eb05                 | jmp                 +5                   ; [edi] == 1 -> skip the second call
            //   e8????????           | call                rel32 (target wildcarded)
            // Together: an if/else on [edi] == 1 that calls one of two routines.

        $sequence_4 = { 6a0c 51 e8???????? 83c410 8b858cf8ffff 3bc3 746e }
            // n = 7, score = 100
            //   6a0c                 | push                0xc
            //   51                   | push                ecx
            //   e8????????           | call                rel32 (target wildcarded)
            //   83c410               | add                 esp, 0x10            ; caller clean-up of 16 bytes; two more pushes presumably precede the sequence
            //   8b858cf8ffff         | mov                 eax, dword ptr [ebp - 0x774]
            //   3bc3                 | cmp                 eax, ebx
            //   746e                 | je                  +0x6e

        $sequence_5 = { 4885c9 740c e8???????? 4c8935???????? 488d0ddf710200 ff15???????? }
            // n = 6, score = 100
            //   4885c9               | test                rcx, rcx
            //   740c                 | je                  +0xc                 ; skips the call and the store when rcx == 0
            //   e8????????           | call                rel32 (target wildcarded)
            //   4c8935????????       | mov                 qword ptr [rip + disp32], r14   ; disp32 wildcarded
            //   488d0ddf710200       | lea                 rcx, [rip + 0x271df]
            //   ff15????????         | call                qword ptr [rip + disp32]        ; indirect call, disp32 wildcarded (typically an import-table slot - confirm)

        $sequence_6 = { 741b 498d8c243a250000 458ac6 b213 e8???????? f7d8 1bdb }
            // n = 7, score = 100
            //   741b                 | je                  +0x1b
            //   498d8c243a250000     | lea                 rcx, [r12 + 0x253a]
            //   458ac6               | mov                 r8b, r14b
            //   b213                 | mov                 dl, 0x13
            //   e8????????           | call                rel32 (target wildcarded)   ; rcx/dl/r8b look like the first three Win64 arguments - confirm
            //   f7d8                 | neg                 eax                  ; CF = (eax != 0)
            //   1bdb                 | sbb                 ebx, ebx             ; ebx = -1 if eax was non-zero, else 0

        $sequence_7 = { 51 e8???????? 83c410 81c6a8000000 8bc6 8d5002 668b08 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           | call                rel32 (target wildcarded)
            //   83c410               | add                 esp, 0x10            ; caller clean-up of 16 bytes
            //   81c6a8000000         | add                 esi, 0xa8
            //   8bc6                 | mov                 eax, esi
            //   8d5002               | lea                 edx, [eax + 2]
            //   668b08               | mov                 cx, word ptr [eax]   ; looks like the start of an inlined wide-string length loop - confirm in the sample

        $sequence_8 = { c20400 8b4508 c7462c00000080 c74644ffffffff 85c0 7403 894644 }
            // n = 7, score = 100
            //   c20400               | ret                 4                    ; end of the preceding routine (callee pops 4 bytes)
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]   ; next routine; presumably its first stack argument after a standard frame setup
            //   c7462c00000080       | mov                 dword ptr [esi + 0x2c], 0x80000000
            //   c74644ffffffff       | mov                 dword ptr [esi + 0x44], 0xffffffff
            //   85c0                 | test                eax, eax
            //   7403                 | je                  +3                   ; keep the -1 default when eax == 0
            //   894644               | mov                 dword ptr [esi + 0x44], eax

        $sequence_9 = { 7416 4883ffff 7410 8bcd e8???????? 488bcf ffd0 }
            // n = 7, score = 100
            //   7416                 | je                  +0x16
            //   4883ffff             | cmp                 rdi, -1              ; -1 is a common invalid-handle sentinel - unconfirmed here
            //   7410                 | je                  +0x10
            //   8bcd                 | mov                 ecx, ebp
            //   e8????????           | call                rel32 (target wildcarded)
            //   488bcf               | mov                 rcx, rdi
            //   ffd0                 | call                rax                  ; presumably the pointer returned by the preceding call

    condition:
        // See REVIEW NOTES above: because $sequence_0..3 are nested, this is in
        // practice "the shared compare-and-branch run plus all three sequences
        // of the sample's bitness".
        7 of them and filesize < 709632
}