win.fuwuqidrama

FuwuqiDrama

Actor(s): Lazarus Group


FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.

It contains two distinguishing hardcoded lists.

The first is a list of ~50 video file names of South Korean TV series, with the titles translated into Mandarin Chinese and written in Pinyin romanization, i.e. the syllables are spelled in the Latin alphabet without tone marks. For example, meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) and wulalafufu.avi translates to Ohlala Couple (also from 2012).

The second is a list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list appears in some WannaCryptor samples.

FuwuqiDrama stores its configuration in the INI file data\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi – the romanized Chinese word for server.
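The three string-level indicators described above (Pinyin-style .avi names, the corporate-name list, and the config path with its Fuwuqi section) can be checked in a quick triage pass. The helpers below are example code written for this page, not Malpedia's or the cited authors' tooling; the INI key names "port" and "botid" are assumed placeholders, since the page only states that the section holds a port number and a bot identifier, and the sample buffer is constructed.

```python
import configparser
import re

# Example triage helpers written for this page (not Malpedia's or the cited
# authors' code). INI key names "port"/"botid" are assumed placeholders.

# Vendor/product names the page lists as hardcoded (shared with WannaCryptor).
CORP_NAMES = ["NVIDIA", "Amazon", "Intel", "Skype", "360Safe", "Rising",
              "Tencent", "Mozilla", "Adobe", "Yahoo", "Google"]
# Pinyin without tone marks is pure lowercase ASCII letters, so the .avi
# titles match this shape; the length floor keeps short generic names out.
PINYIN_AVI = re.compile(rb"\b[a-z]{8,}\.avi\b")

CONFIG_PATH = b"data\\package_con_x86.cat"
CONFIG_SECTION = "Fuwuqi"


def find_pinyin_avi(buf: bytes) -> list:
    """Distinct Pinyin-style .avi names in a raw buffer, sorted."""
    return sorted({m.decode() for m in PINYIN_AVI.findall(buf)})


def find_corp_names(buf: bytes) -> list:
    """Which of the hardcoded corporate names occur in the buffer."""
    return [n for n in CORP_NAMES if n.encode() in buf]


def parse_fuwuqi_config(ini_text: str) -> dict:
    """Read port and bot id from the single [Fuwuqi] section; {} if absent."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section(CONFIG_SECTION):
        return {}
    sec = cp[CONFIG_SECTION]
    return {"port": sec.getint("port", fallback=None),   # assumed key name
            "botid": sec.get("botid", fallback=None)}    # assumed key name


def triage(buf: bytes) -> dict:
    """Check the three indicators; all three together is a strong family hit."""
    avi, corps = find_pinyin_avi(buf), find_corp_names(buf)
    has_cfg = CONFIG_PATH in buf
    return {"pinyin_avi": avi, "corp_names": corps, "config_path": has_cfg,
            "indicators_hit": sum([bool(avi), len(corps) >= 8, has_cfg])}


# Constructed sample (not a real dump): strings a triage pass might extract.
SAMPLE = (b"\x00meiyounihuobuxiaqu.avi\x00wulalafufu.avi\x00NVIDIA\x00Amazon\x00"
          b"Intel\x00Skype\x00360Safe\x00Rising\x00Tencent\x00Mozilla\x00Adobe"
          b"\x00Yahoo\x00Google\x00data\\package_con_x86.cat\x00kernel32.dll\x00")
```

The corporate-name check alone is weak on its own because the list is shared with WannaCryptor; treat it as a corroborating signal next to the .avi names and the config path.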

References

2018-10-03 | Virus Bulletin | Michal Poslušný, Peter Kálnai
Lazarus Group: A Mahjong Game Played with Different Sets of Tiles
Families covered: Bankshot, BanPolMex RAT, FuwuqiDrama, HOTWAX, KillDisk (Lazarus), NACHOCHEESE, REDSHAWL, WannaCryptor
Yara Rules
[TLP:WHITE] win_fuwuqidrama_auto (20230808 | Detects win.fuwuqidrama.)
rule win_fuwuqidrama_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.fuwuqidrama."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b44241c 8db08c000000 8b8314140000 83f802 764a 8d6b1a 85ed }
            // n = 7, score = 100
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8db08c000000         | lea                 esi, [eax + 0x8c]
            //   8b8314140000         | mov                 eax, dword ptr [ebx + 0x1414]
            //   83f802               | cmp                 eax, 2
            //   764a                 | jbe                 0x4c
            //   8d6b1a               | lea                 ebp, [ebx + 0x1a]
            //   85ed                 | test                ebp, ebp

        $sequence_1 = { 8b842490020000 52 50 8d4c2444 68???????? 51 }
            // n = 6, score = 100
            //   8b842490020000       | mov                 eax, dword ptr [esp + 0x290]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d4c2444             | lea                 ecx, [esp + 0x44]
            //   68????????           |                     
            //   51                   | push                ecx

        $sequence_2 = { 8917 8b542414 894704 b801000000 894f08 89570c 5f }
            // n = 7, score = 100
            //   8917                 | mov                 dword ptr [edi], edx
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   b801000000           | mov                 eax, 1
            //   894f08               | mov                 dword ptr [edi + 8], ecx
            //   89570c               | mov                 dword ptr [edi + 0xc], edx
            //   5f                   | pop                 edi

        $sequence_3 = { 57 33ff 8bd9 57 57 8d4c2430 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8bd9                 | mov                 ebx, ecx
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d4c2430             | lea                 ecx, [esp + 0x30]

        $sequence_4 = { 8bdf 036908 c1c305 036c2424 c1c61e 89742418 8b712c }
            // n = 7, score = 100
            //   8bdf                 | mov                 ebx, edi
            //   036908               | add                 ebp, dword ptr [ecx + 8]
            //   c1c305               | rol                 ebx, 5
            //   036c2424             | add                 ebp, dword ptr [esp + 0x24]
            //   c1c61e               | rol                 esi, 0x1e
            //   89742418             | mov                 dword ptr [esp + 0x18], esi
            //   8b712c               | mov                 esi, dword ptr [ecx + 0x2c]

        $sequence_5 = { 83c508 55 ffd7 8a542412 899ec8030000 8896c4030000 899ecc030000 }
            // n = 7, score = 100
            //   83c508               | add                 ebp, 8
            //   55                   | push                ebp
            //   ffd7                 | call                edi
            //   8a542412             | mov                 dl, byte ptr [esp + 0x12]
            //   899ec8030000         | mov                 dword ptr [esi + 0x3c8], ebx
            //   8896c4030000         | mov                 byte ptr [esi + 0x3c4], dl
            //   899ecc030000         | mov                 dword ptr [esi + 0x3cc], ebx

        $sequence_6 = { 8bdf 036918 c1c305 036c2410 c1c61e 89742428 8d9c2bd6c162ca }
            // n = 7, score = 100
            //   8bdf                 | mov                 ebx, edi
            //   036918               | add                 ebp, dword ptr [ecx + 0x18]
            //   c1c305               | rol                 ebx, 5
            //   036c2410             | add                 ebp, dword ptr [esp + 0x10]
            //   c1c61e               | rol                 esi, 0x1e
            //   89742428             | mov                 dword ptr [esp + 0x28], esi
            //   8d9c2bd6c162ca       | lea                 ebx, [ebx + ebp - 0x359d3e2a]

        $sequence_7 = { ff5220 8d460c 50 ff15???????? 8b4624 }
            // n = 5, score = 100
            //   ff5220               | call                dword ptr [edx + 0x20]
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4624               | mov                 eax, dword ptr [esi + 0x24]

        $sequence_8 = { 50 ffd6 8d4c242c 6a02 8d542418 51 52 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d4c242c             | lea                 ecx, [esp + 0x2c]
            //   6a02                 | push                2
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_9 = { 3d10270000 0f87e7020000 8b5708 8b4704 52 50 8bcf }
            // n = 7, score = 100
            //   3d10270000           | cmp                 eax, 0x2710
            //   0f87e7020000         | ja                  0x2ed
            //   8b5708               | mov                 edx, dword ptr [edi + 8]
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi

    condition:
        7 of them and filesize < 245760
}