SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fuwuqidrama (Back to overview)

FuwuqiDrama

Actor(s): Lazarus Group

FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.

It contains two distinguishing hardcoded lists.

First is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012).

Second is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.

FuwuqiDrama stores its configuration in the INI file data\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi – the romanized Chinese word for server.

References
2018-10-03Virus BulletinPeter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{Lazarus Group A Mahjong Game Played with Different Sets of Tiles}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2023-08-31} } Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor

There is no Yara-Signature yet.