win.karius

Karius


According to Check Point, Karius is a banking trojan that was still under development at the time of analysis; it borrows code from Ramnit, Vawtrak and TrickBot, and at that point implemented webinject attacks only.

It comes with an injector that loads an intermediate "proxy" component, which in turn loads the actual banker component.

Communication with the C2 is JSON-encoded and encrypted with RC4 using a hardcoded key. Because the key is static and embedded in the sample, captured C2 traffic can be decrypted offline once the key has been extracted from any sample of that build.

In the initial version, observed in March 2018, the webinjects were hardcoded in the binary; in subsequent versions they were received from the C2.

References
2022-08-18IBMCharlotte Hammond, Ole Villadsen
@online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2018-06-06Check PointCheck Point Research
@online{research:20180606:banking:97835c7, author = {Check Point Research}, title = {{Banking Trojans Under Development}}, date = {2018-06-06}, organization = {Check Point}, url = {https://research.checkpoint.com/banking-trojans-development/}, language = {English}, urldate = {2019-11-21} } Banking Trojans Under Development
Karius
2018-03-28Malwrologist
@online{malwrologist:20180328:multistage:0fade2d, author = {Malwrologist}, title = {{Multi-stage Powershell script (Brownies)}}, date = {2018-03-28}, url = {https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/}, language = {English}, urldate = {2020-01-08} } Multi-stage Powershell script (Brownies)
Karius
Yara Rules
[TLP:WHITE] win_karius_auto (20230407 | Detects win.karius.)
rule win_karius_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.karius."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review): the per-instruction comments below were re-derived from the
     * hex byte strings; the generator's original comments were misaligned and
     * decoded 64-bit code as 32-bit. Sequences that carry REX prefixes
     * (0x40-0x4f) are decoded as x86-64. Sequences without a REX prefix are
     * written with 32-bit register names; their encodings are valid in either
     * mode unless a comment says otherwise. YARA matches the byte strings, not
     * the comments, so the comments are documentation only.
     */


    strings:
        $sequence_0 = { bf01000000 8bd7 498bce ffd3 4183bf8c00000000 0f84b3000000 }
            // n = 6, score = 400
            //   bf01000000           | mov                 edi, 1
            //   8bd7                 | mov                 edx, edi
            //   498bce               | mov                 rcx, r14
            //   ffd3                 | call                rbx
            //   4183bf8c00000000     | cmp                 dword ptr [r15 + 0x8c], 0
            //   0f84b3000000         | je                  +0xb3

        $sequence_1 = { 85db 0f849d000000 41837b1400 0f8492000000 458b4320 }
            // n = 5, score = 400
            //   85db                 | test                ebx, ebx
            //   0f849d000000         | je                  +0x9d
            //   41837b1400           | cmp                 dword ptr [r11 + 0x14], 0
            //   0f8492000000         | je                  +0x92
            //   458b4320             | mov                 r8d, dword ptr [r11 + 0x20]

        $sequence_2 = { 4d03c6 4d03d6 448bcd 85db 0f8477000000 8bb424b0000000 418b10 }
            // n = 7, score = 400
            //   4d03c6               | add                 r8, r14
            //   4d03d6               | add                 r10, r14
            //   448bcd               | mov                 r9d, ebp
            //   85db                 | test                ebx, ebx
            //   0f8477000000         | je                  +0x77
            //   8bb424b0000000       | mov                 esi, dword ptr [rsp + 0xb0]
            //   418b10               | mov                 edx, dword ptr [r8]

        $sequence_3 = { c3 85c0 7505 e8???????? b801000000 }
            // n = 5, score = 400
            //   c3                   | ret
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 +5
            //   e8????????           | call                rel32 (target wildcarded)
            //   b801000000           | mov                 eax, 1

        $sequence_4 = { 488b05???????? 4885c0 7512 ff15???????? 488905???????? }
            // n = 5, score = 400
            //   488b05????????       | mov                 rax, qword ptr [rip + disp32] (disp wildcarded)
            //   4885c0               | test                rax, rax
            //   7512                 | jne                 +0x12
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   488905????????       | mov                 qword ptr [rip + disp32], rax (disp wildcarded)

        $sequence_5 = { 8bb424b0000000 418b10 8bcd 4903d6 0fb602 0f1f440000 }
            // n = 6, score = 400
            //   8bb424b0000000       | mov                 esi, dword ptr [rsp + 0xb0]
            //   418b10               | mov                 edx, dword ptr [r8]
            //   8bcd                 | mov                 ecx, ebp
            //   4903d6               | add                 rdx, r14
            //   0fb602               | movzx               eax, byte ptr [rdx]
            //   0f1f440000           | nop                 dword ptr [rax + rax] (alignment padding)

        $sequence_6 = { 41b830000000 488bcf ff15???????? 4885c0 }
            // n = 4, score = 400
            //   41b830000000         | mov                 r8d, 0x30
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   4885c0               | test                rax, rax

        $sequence_7 = { ffd3 4183bf8c00000000 0f84b3000000 458b9f88000000 4d03de 418b5b18 85db }
            // n = 7, score = 400
            //   ffd3                 | call                rbx
            //   4183bf8c00000000     | cmp                 dword ptr [r15 + 0x8c], 0
            //   0f84b3000000         | je                  +0xb3
            //   458b9f88000000       | mov                 r11d, dword ptr [r15 + 0x88]
            //   4d03de               | add                 r11, r14
            //   418b5b18             | mov                 ebx, dword ptr [r11 + 0x18]
            //   85db                 | test                ebx, ebx
            // (overlaps the tail of $sequence_0; both come from the same code path)

        $sequence_8 = { 0f8492000000 458b4320 458b5324 33ed 4d03c6 4d03d6 448bcd }
            // n = 7, score = 400
            //   0f8492000000         | je                  +0x92
            //   458b4320             | mov                 r8d, dword ptr [r11 + 0x20]
            //   458b5324             | mov                 r10d, dword ptr [r11 + 0x24]
            //   33ed                 | xor                 ebp, ebp
            //   4d03c6               | add                 r8, r14
            //   4d03d6               | add                 r10, r14
            //   448bcd               | mov                 r9d, ebp
            // (overlaps $sequence_1 and $sequence_2)

        $sequence_9 = { ff15???????? 488bf8 4885c0 7505 8d4701 }
            // n = 5, score = 300
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   488bf8               | mov                 rdi, rax
            //   4885c0               | test                rax, rax
            //   7505                 | jne                 +5
            //   8d4701               | lea                 eax, [rdi + 1]

        $sequence_10 = { 8a0c17 8d5201 884aff 4e }
            // n = 4, score = 300
            //   8a0c17               | mov                 cl, byte ptr [edi + edx]
            //   8d5201               | lea                 edx, [edx + 1]
            //   884aff               | mov                 byte ptr [edx - 1], cl
            //   4e                   | dec                 esi   (32-bit); in 64-bit mode 0x4e is a REX.WRX prefix of the next, truncated instruction
            // NOTE(review): mode is not determinable from these bytes alone.

        $sequence_11 = { 448bc0 33d2 488bce ff15???????? 4c8bf0 4885c0 }
            // n = 6, score = 300
            //   448bc0               | mov                 r8d, eax
            //   33d2                 | xor                 edx, edx
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   4c8bf0               | mov                 r14, rax
            //   4885c0               | test                rax, rax

        $sequence_12 = { 8d7b01 448bfb 448be3 4885c9 }
            // n = 4, score = 300
            //   8d7b01               | lea                 edi, [rbx + 1]
            //   448bfb               | mov                 r15d, ebx
            //   448be3               | mov                 r12d, ebx
            //   4885c9               | test                rcx, rcx

        $sequence_13 = { ff15???????? 4c8be8 498bce ff15???????? 4d85ed }
            // n = 5, score = 300
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   4c8be8               | mov                 r13, rax
            //   498bce               | mov                 rcx, r14
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   4d85ed               | test                r13, r13

        $sequence_14 = { 5e 8bc3 5b 5d c3 8bc3 5b }
            // n = 7, score = 300
            //   5e                   | pop                 esi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            // (function epilogue; identical bytes decode as rsi/rbx/rbp pops in 64-bit mode)

        $sequence_15 = { c60600 803f22 7501 47 5e 8bc7 }
            // n = 6, score = 300
            //   c60600               | mov                 byte ptr [esi], 0
            //   803f22               | cmp                 byte ptr [edi], 0x22   ; '"'
            //   7501                 | jne                 +1
            //   47                   | inc                 edi
            //   5e                   | pop                 esi
            //   8bc7                 | mov                 eax, edi
            // The jne +1 skips exactly the single byte 0x47, so 0x47 must be a
            // standalone `inc edi` here: this sequence comes from 32-bit code
            // (in 64-bit mode 0x47 would be a REX prefix, not an instruction).

        $sequence_16 = { 4d8bcf 33d2 41b800001000 488bce ff15???????? }
            // n = 5, score = 300
            //   4d8bcf               | mov                 r9, r15
            //   33d2                 | xor                 edx, edx
            //   41b800001000         | mov                 r8d, 0x100000
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)

        $sequence_17 = { 7405 f60001 7502 33c0 }
            // n = 4, score = 300
            //   7405                 | je                  +5
            //   f60001               | test                byte ptr [eax], 1
            //   7502                 | jne                 +2
            //   33c0                 | xor                 eax, eax

        $sequence_18 = { e9???????? c6060d e9???????? c60609 e9???????? 8d4701 50 }
            // n = 7, score = 300
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   c6060d               | mov                 byte ptr [esi], 0xd   ; '\r'
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   c60609               | mov                 byte ptr [esi], 0x9   ; '\t'
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   8d4701               | lea                 eax, [edi + 1]
            //   50                   | push                eax

        $sequence_19 = { 7f0a 0fbec0 83c0d0 03c1 5d }
            // n = 5, score = 300
            //   7f0a                 | jg                  +0xa
            //   0fbec0               | movsx               eax, al
            //   83c0d0               | add                 eax, -0x30   ; subtract '0'
            //   03c1                 | add                 eax, ecx
            //   5d                   | pop                 ebp

        $sequence_20 = { e8???????? 83c404 50 53 e8???????? 50 e8???????? }
            // n = 7, score = 300
            //   e8????????           | call                rel32 (target wildcarded)
            //   83c404               | add                 esp, 4   ; caller-side stack cleanup
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           | call                rel32 (target wildcarded)
            //   50                   | push                eax
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_21 = { 8955f8 b804000000 8945fc 81fa80000000 7307 b801000000 }
            // n = 6, score = 300
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   b804000000           | mov                 eax, 4
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   81fa80000000         | cmp                 edx, 0x80
            //   7307                 | jae                 +7
            //   b801000000           | mov                 eax, 1

        $sequence_22 = { 488d4b10 488d542450 41b804000000 c6430f68 }
            // n = 4, score = 300
            //   488d4b10             | lea                 rcx, [rbx + 0x10]
            //   488d542450           | lea                 rdx, [rsp + 0x50]
            //   41b804000000         | mov                 r8d, 4
            //   c6430f68             | mov                 byte ptr [rbx + 0xf], 0x68   ; 'h'

        $sequence_23 = { 335df0 6a10 e8???????? 83c40c 8bf0 8d45f8 }
            // n = 6, score = 300
            //   335df0               | xor                 ebx, dword ptr [ebp - 0x10]
            //   6a10                 | push                0x10
            //   e8????????           | call                rel32 (target wildcarded)
            //   83c40c               | add                 esp, 0xc   ; caller-side stack cleanup
            //   8bf0                 | mov                 esi, eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_24 = { 6683f809 7505 8d7b02 eb09 6685c0 }
            // n = 5, score = 300
            //   6683f809             | cmp                 ax, 9
            //   7505                 | jne                 +5
            //   8d7b02               | lea                 edi, [ebx + 2]
            //   eb09                 | jmp                 +9
            //   6685c0               | test                ax, ax

        $sequence_25 = { 4d8bc7 488bd0 488bce ff15???????? 85c0 }
            // n = 5, score = 300
            //   4d8bc7               | mov                 r8, r15
            //   488bd0               | mov                 rdx, rax
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32] (disp wildcarded)
            //   85c0                 | test                eax, eax

    /* NOTE(review): the sequence set mixes x86-64 code (REX-prefixed
     * sequences, all of the score-400 ones) with 32-bit code ($sequence_15
     * is provably 32-bit, see above; several others use cdecl-style
     * `add esp, N` cleanup and [ebp - N] locals typical of 32-bit builds).
     * With "7 of them" a 32-bit-only sample has at most ~10 candidate
     * sequences to hit; expect lower coverage there than on 64-bit samples.
     * The filesize bound comes from the reference samples and applies to the
     * scanned file, not to a process scan, where filesize is not meaningful.
     */
    condition:
        7 of them and filesize < 434176
}