win.karius

Karius


According to Check Point, Karius is a banking trojan in development that borrows code from Ramnit, Vawtrak and TrickBot; at the time of the report it implemented only webinject attacks.

It comes with an injector that loads an intermediate "proxy" component, which in turn loads the actual banker component.

Communication with the C2 is JSON-formatted and encrypted with RC4 using a hardcoded key, so the traffic can be decrypted once the key is recovered from a sample.

In the initial version, observed in March 2018, the webinjects were hardcoded in the binary; in subsequent versions they were received from the C2.

References
2018-06-06 — Check Point — Check Point Research
@online{research:20180606:banking:97835c7, author = {Check Point Research}, title = {{Banking Trojans Under Development}}, date = {2018-06-06}, organization = {Check Point}, url = {https://research.checkpoint.com/banking-trojans-development/}, language = {English}, urldate = {2019-11-21} } Banking Trojans Under Development
Karius
2018-03-28 — Malwrologist
@online{malwrologist:20180328:multistage:0fade2d, author = {Malwrologist}, title = {{Multi-stage Powershell script (Brownies)}}, date = {2018-03-28}, url = {https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/}, language = {English}, urldate = {2020-01-08} } Multi-stage Powershell script (Brownies)
Karius
Yara Rules
[TLP:WHITE] win_karius_auto (20211008 | Detects win.karius.)
rule win_karius_auto {
    /* Auto-generated (yara-signator) code-sequence rule for the Karius banking
     * trojan (Malpedia family win.karius). Each $sequence_N is a run of opcode
     * bytes taken from the family's disassembly; "??" bytes are wildcards that
     * mask the 4-byte operands following e8 / e9 / ff15 / a3 / 68, presumably
     * because those operands are address-dependent. The rule fires when at
     * least 7 of the 22 sequences are present and the scanned file is smaller
     * than 434176 bytes.
     *
     * Per the disclaimer below, the sequences were selected from memory dumps
     * and unpacked files, so packed on-disk samples may not match; scanning
     * unpacked binaries or process memory is the intended use.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.karius."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "// hex | mnemonic" annotations below are informational
     * only and are not reliably line-aligned with the byte groups. The bytes
     * appear to have been decoded as 32-bit code, so 64-bit REX prefixes
     * (0x48, 0x41, 0x4d, ...) show up as "dec eax" / "inc ecx" / "dec ebp"
     * and shift the listing, and in several sequences (e.g. $sequence_1,
     * $sequence_3, where c3 is annotated as a mov) the mnemonics do not
     * correspond to the bytes on the same line at all. Only the hex bytes
     * inside { } are matched; treat the mnemonics as a hint, not ground truth.
     *
     * Per sequence: "n" is the number of byte groups, "score" is the
     * generator's ranking value (semantics defined by yara-signator, not
     * here); sequences are listed in descending score order.
     */

    strings:
        $sequence_0 = { ffc8 89442430 833c2400 741b 488b442420 0fb64c2428 8808 }
            // n = 7, score = 400
            //   ffc8                 | dec                 eax
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   833c2400             | cmp                 dword ptr [esp], 0
            //   741b                 | je                  0x1d
            //   488b442420           | dec                 eax
            //   0fb64c2428           | mov                 eax, dword ptr [esp + 0x20]
            //   8808                 | movzx               ecx, byte ptr [esp + 0x28]

        $sequence_1 = { 41837b1400 0f8492000000 458b4320 458b5324 33ed 4d03c6 4d03d6 }
            // n = 7, score = 400
            //   41837b1400           | dec                 eax
            //   0f8492000000         | mov                 eax, dword ptr [esp + 0x20]
            //   458b4320             | mov                 dword ptr [esp], eax
            //   458b5324             | mov                 eax, dword ptr [esp + 0x30]
            //   33ed                 | dec                 eax
            //   4d03c6               | mov                 dword ptr [esp + 0x30], eax
            //   4d03d6               | cmp                 dword ptr [esp], 0

        $sequence_2 = { 0f8477000000 8bb424b0000000 418b10 8bcd }
            // n = 4, score = 400
            //   0f8477000000         | mov                 eax, dword ptr [esp + 0x30]
            //   8bb424b0000000       | dec                 eax
            //   418b10               | cmp                 dword ptr [esp + 0x20], 0
            //   8bcd                 | je                  0xf

        $sequence_3 = { c3 85c0 7505 e8???????? b801000000 }
            // n = 5, score = 400
            //   c3                   | mov                 eax, dword ptr [esp + 0x20]
            //   85c0                 | dec                 ebp
            //   7505                 | add                 ebx, esi
            //   e8????????           |                     
            //   b801000000           | inc                 ecx

        $sequence_4 = { 488b442420 48ffc0 4889442420 ebce }
            // n = 4, score = 400
            //   488b442420           | je                  0x1d
            //   48ffc0               | dec                 eax
            //   4889442420           | mov                 eax, dword ptr [esp + 0x20]
            //   ebce                 | dec                 eax

        $sequence_5 = { 7407 837c243000 7502 eb32 }
            // n = 4, score = 400
            //   7407                 | movzx               ecx, byte ptr [esp + 0x28]
            //   837c243000           | mov                 byte ptr [eax], cl
            //   7502                 | dec                 eax
            //   eb32                 | mov                 eax, dword ptr [esp + 0x20]

        $sequence_6 = { ffd3 4183bf8c00000000 0f84b3000000 458b9f88000000 4d03de }
            // n = 5, score = 400
            //   ffd3                 | je                  0x27
            //   4183bf8c00000000     | mov                 dword ptr [esp + 0x30], eax
            //   0f84b3000000         | cmp                 dword ptr [esp], 0
            //   458b9f88000000       | je                  0x1d
            //   4d03de               | dec                 eax

        $sequence_7 = { 7502 eb32 8b442430 890424 8b442430 }
            // n = 5, score = 400
            //   7502                 | mov                 dword ptr [esp + 0x20], eax
            //   eb32                 | jmp                 0xffffffdd
            //   8b442430             | je                  0x1d
            //   890424               | dec                 eax
            //   8b442430             | mov                 eax, dword ptr [esp + 0x20]

        $sequence_8 = { 4d03de 418b5b18 85db 0f849d000000 }
            // n = 4, score = 400
            //   4d03de               | dec                 eax
            //   418b5b18             | mov                 eax, dword ptr [esp + 0x20]
            //   85db                 | movzx               ecx, byte ptr [esp + 0x28]
            //   0f849d000000         | jne                 4

        $sequence_9 = { 41b900300000 448bc0 33d2 488bce ff15???????? 4c8bf0 4885c0 }
            // n = 7, score = 300
            //   41b900300000         | mov                 dword ptr [esp + 0x20], eax
            //   448bc0               | jmp                 0xffffffdf
            //   33d2                 | je                  0x1d
            //   488bce               | dec                 eax
            //   ff15????????         |                     
            //   4c8bf0               | mov                 eax, dword ptr [esp + 0x20]
            //   4885c0               | movzx               ecx, byte ptr [esp + 0x28]

        $sequence_10 = { 7405 f60001 7502 33c0 }
            // n = 4, score = 300
            //   7405                 | mov                 ebx, dword ptr [ebx + 0x18]
            //   f60001               | test                ebx, ebx
            //   7502                 | je                  0xa5
            //   33c0                 | call                ebx

        $sequence_11 = { 48895c2420 4d8bcc 4d8bc7 488bd0 488bce ff15???????? }
            // n = 6, score = 300
            //   48895c2420           | dec                 eax
            //   4d8bcc               | mov                 eax, dword ptr [esp + 0x20]
            //   4d8bc7               | movzx               ecx, byte ptr [esp + 0x28]
            //   488bd0               | mov                 byte ptr [eax], cl
            //   488bce               | dec                 eax
            //   ff15????????         |                     

        $sequence_12 = { 85c0 7513 ff15???????? a3???????? 85c0 7504 33c0 }
            // n = 7, score = 300
            //   85c0                 | inc                 ecx
            //   7513                 | cmp                 dword ptr [edi + 0x8c], 0
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | je                  0xb9
            //   7504                 | inc                 ebp
            //   33c0                 | mov                 ebx, dword ptr [edi + 0x88]

        $sequence_13 = { 7507 5b 8d4601 5e }
            // n = 4, score = 300
            //   7507                 | dec                 eax
            //   5b                   | mov                 dword ptr [esp + 0x30], eax
            //   8d4601               | cmp                 dword ptr [esp], 0
            //   5e                   | je                  0x2b

        $sequence_14 = { 85c0 7510 8b4508 5e c7400c04000000 8d4104 5d }
            // n = 7, score = 300
            //   85c0                 | dec                 ebp
            //   7510                 | add                 ebx, esi
            //   8b4508               | inc                 ecx
            //   5e                   | mov                 ebx, dword ptr [ebx + 0x18]
            //   c7400c04000000       | test                ebx, ebx
            //   8d4104               | je                  0xa9
            //   5d                   | inc                 ecx

        $sequence_15 = { 7408 90 8b09 40 }
            // n = 4, score = 300
            //   7408                 | cmp                 dword ptr [ebx + 0x14], 0
            //   90                   | je                  0x7d
            //   8b09                 | mov                 esi, dword ptr [esp + 0xb0]
            //   40                   | inc                 ecx

        $sequence_16 = { 803c1700 0f94c0 84c0 7535 8a02 84c0 742f }
            // n = 7, score = 300
            //   803c1700             | cmp                 dword ptr [esp + 0x20], 0
            //   0f94c0               | je                  0xf
            //   84c0                 | cmp                 dword ptr [esp + 0x30], 0
            //   7535                 | jne                 0x11
            //   8a02                 | jmp                 0x43
            //   84c0                 | mov                 dword ptr [esp], eax
            //   742f                 | mov                 eax, dword ptr [esp + 0x30]

        $sequence_17 = { 8bc7 ffc8 7416 ffc8 }
            // n = 4, score = 300
            //   8bc7                 | dec                 eax
            //   ffc8                 | mov                 dword ptr [esp + 0x30], eax
            //   7416                 | cmp                 dword ptr [esp], 0
            //   ffc8                 | je                  0x21

        $sequence_18 = { 488bc8 ff15???????? 4c8be8 498bce ff15???????? }
            // n = 5, score = 300
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   4c8be8               | inc                 eax
            //   498bce               | dec                 eax
            //   ff15????????         |                     

        $sequence_19 = { 7408 80f920 7703 40 75f2 68???????? 50 }
            // n = 7, score = 300
            //   7408                 | inc                 ecx
            //   80f920               | mov                 ebx, dword ptr [ebx + 0x18]
            //   7703                 | test                ebx, ebx
            //   40                   | je                  0xb3
            //   75f2                 | inc                 ecx
            //   68????????           |                     
            //   50                   | cmp                 dword ptr [ebx + 0x14], 0

        $sequence_20 = { 7407 3c20 7703 46 75f3 ff7510 56 }
            // n = 7, score = 300
            //   7407                 | cmp                 dword ptr [edi + 0x8c], 0
            //   3c20                 | je                  0xb9
            //   7703                 | inc                 ebp
            //   46                   | mov                 ebx, dword ptr [edi + 0x88]
            //   75f3                 | dec                 ebp
            //   ff7510               | add                 ebx, esi
            //   56                   | dec                 ebp

        $sequence_21 = { 7408 8806 46 e9???????? 8a17 41 0fbec2 }
            // n = 7, score = 300
            //   7408                 | mov                 edx, dword ptr [eax]
            //   8806                 | mov                 ecx, ebp
            //   46                   | dec                 ebp
            //   e9????????           |                     
            //   8a17                 | add                 edx, esi
            //   41                   | inc                 esp
            //   0fbec2               | mov                 ecx, ebp

    condition:
        // Match when at least 7 of the 22 sequences are present (a partial
        // match presumably tolerates code differences between builds) and the
        // file is smaller than 434176 bytes (~424 KiB); larger files are
        // skipped even if every sequence is present, so the cap is the first
        // thing to revisit if a known sample is missed.
        7 of them and filesize < 434176
}