win.karius

Karius


According to Check Point, Karius is a banking trojan in development that borrows code from Ramnit, Vawtrak and TrickBot; at the time of analysis it implemented webinject attacks only.

It comes with an injector that loads an intermediate "proxy" component, which in turn loads the actual banker component.

Communication with the C2 is in JSON format and is encrypted with RC4 using a hardcoded key.

In the initial version, observed in March 2018, the webinjects were hardcoded in the binary; in subsequent versions they were received from the C2.

References
2022-08-18 · IBM · Charlotte Hammond, Ole Villadsen
@online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2018-06-06 · Check Point · Check Point Research
@online{research:20180606:banking:97835c7, author = {Check Point Research}, title = {{Banking Trojans Under Development}}, date = {2018-06-06}, organization = {Check Point}, url = {https://research.checkpoint.com/banking-trojans-development/}, language = {English}, urldate = {2019-11-21} } Banking Trojans Under Development
Karius
2018-03-28 · Malwrologist
@online{malwrologist:20180328:multistage:0fade2d, author = {Malwrologist}, title = {{Multi-stage Powershell script (Brownies)}}, date = {2018-03-28}, url = {https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/}, language = {English}, urldate = {2020-01-08} } Multi-stage Powershell script (Brownies)
Karius
Yara Rules
[TLP:WHITE] win_karius_auto (20220808 | Detects win.karius.)
rule win_karius_auto {
    // Autogenerated code-sequence signature for the Karius banking trojan
    // (Malpedia family win.karius). Each $sequence_N is a run of raw x86
    // opcode bytes selected by yara-signator from unpacked samples; the rule
    // fires when at least 7 of the 23 sequences occur in a file smaller than
    // 434176 bytes (424 KiB).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.karius."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" annotations attached to each byte
     * sequence below do not appear to line up with the bytes they sit next
     * to -- e.g. `8b442430` encodes `mov eax, dword ptr [esp + 0x30]`, not
     * `inc eax`, and `48ffc0` is `inc rax` (REX.W prefix). Treat the
     * annotations as informational only; YARA matches the bytes inside the
     * braces, nothing else.
     * `????????` are YARA wildcard bytes, placed on the rel32/disp32 operand
     * of call/jmp-style instructions (e8 .., ff15 ..) so a sequence still
     * matches when the target address differs between builds.
     * Sequences that start with REX prefixes (0x41, 0x48, 0x49, 0x4d) are
     * x86-64 encodings, while others (e.g. `8b45f4`, `8b4d08`) look like
     * 32-bit code; the rule presumably covers both architectures -- confirm
     * against the source samples before relying on that.
     * "n" is the number of instructions in the sequence; "score" is the
     * weight yara-signator assigned to it (see the tool's documentation for
     * its exact meaning).
     */

    strings:
        $sequence_0 = { 8b442430 ffc8 89442430 833c2400 741b 488b442420 }
            // n = 6, score = 400
            //   8b442430             | inc                 eax
            //   ffc8                 | dec                 eax
            //   89442430             | mov                 dword ptr [esp + 0x20], eax
            //   833c2400             | cmp                 dword ptr [esp + 0x30], 0
            //   741b                 | jne                 9
            //   488b442420           | jmp                 0x34

        $sequence_1 = { 8bb424b0000000 418b10 8bcd 4903d6 0fb602 0f1f440000 c1c90d }
            // n = 7, score = 400
            //   8bb424b0000000       | dec                 eax
            //   418b10               | mov                 eax, dword ptr [esp + 0x20]
            //   8bcd                 | dec                 eax
            //   4903d6               | inc                 eax
            //   0fb602               | dec                 eax
            //   0f1f440000           | mov                 dword ptr [esp + 0x20], eax
            //   c1c90d               | dec                 eax

        $sequence_2 = { 85db 0f849d000000 41837b1400 0f8492000000 458b4320 }
            // n = 5, score = 400
            //   85db                 | mov                 eax, dword ptr [esp + 0x20]
            //   0f849d000000         | movzx               ecx, byte ptr [esp + 0x28]
            //   41837b1400           | cmp                 dword ptr [esp + 0x30], 0
            //   0f8492000000         | jne                 4
            //   458b4320             | jmp                 0x36

        $sequence_3 = { c3 85c0 7505 e8???????? b801000000 }
            // n = 5, score = 400
            //   c3                   | dec                 eax
            //   85c0                 | mov                 eax, dword ptr [esp + 0x20]
            //   7505                 | dec                 eax
            //   e8????????           |                     
            //   b801000000           | inc                 eax

        $sequence_4 = { 488b442420 48ffc0 4889442420 ebce }
            // n = 4, score = 400
            //   488b442420           | mov                 eax, dword ptr [esp + 0x30]
            //   48ffc0               | mov                 dword ptr [esp], eax
            //   4889442420           | mov                 eax, dword ptr [esp + 0x30]
            //   ebce                 | dec                 eax

        $sequence_5 = { 448bcd 85db 0f8477000000 8bb424b0000000 418b10 8bcd }
            // n = 6, score = 400
            //   448bcd               | mov                 eax, dword ptr [esp + 0x30]
            //   85db                 | mov                 dword ptr [esp], eax
            //   0f8477000000         | mov                 eax, dword ptr [esp + 0x30]
            //   8bb424b0000000       | dec                 eax
            //   418b10               | movzx               ecx, byte ptr [esp + 0x28]
            //   8bcd                 | mov                 byte ptr [eax], cl

        $sequence_6 = { eb32 8b442430 890424 8b442430 }
            // n = 4, score = 400
            //   eb32                 | mov                 eax, dword ptr [esp + 0x20]
            //   8b442430             | movzx               ecx, byte ptr [esp + 0x28]
            //   890424               | mov                 byte ptr [eax], cl
            //   8b442430             | jmp                 0x34

        $sequence_7 = { 498bce ffd3 4183bf8c00000000 0f84b3000000 458b9f88000000 }
            // n = 5, score = 400
            //   498bce               | mov                 dword ptr [esp], eax
            //   ffd3                 | mov                 eax, dword ptr [esp + 0x30]
            //   4183bf8c00000000     | cmp                 dword ptr [esp], 0
            //   0f84b3000000         | je                  0x1d
            //   458b9f88000000       | dec                 eax

        $sequence_8 = { 837c243000 7502 eb32 8b442430 }
            // n = 4, score = 400
            //   837c243000           | dec                 eax
            //   7502                 | inc                 eax
            //   eb32                 | je                  0x1d
            //   8b442430             | dec                 eax

        $sequence_9 = { 833c2400 741b 488b442420 0fb64c2428 8808 488b442420 }
            // n = 6, score = 400
            //   833c2400             | cmp                 dword ptr [esp], 0
            //   741b                 | je                  0x1d
            //   488b442420           | dec                 eax
            //   0fb64c2428           | mov                 eax, dword ptr [esp + 0x20]
            //   8808                 | movzx               ecx, byte ptr [esp + 0x28]
            //   488b442420           | mov                 byte ptr [eax], cl

        $sequence_10 = { 33ed 4d03c6 4d03d6 448bcd 85db 0f8477000000 }
            // n = 6, score = 400
            //   33ed                 | mov                 eax, dword ptr [esp + 0x20]
            //   4d03c6               | movzx               ecx, byte ptr [esp + 0x28]
            //   4d03d6               | mov                 byte ptr [eax], cl
            //   448bcd               | dec                 eax
            //   85db                 | mov                 eax, dword ptr [esp + 0x20]
            //   0f8477000000         | dec                 eax

        $sequence_11 = { 8bc7 ffc8 7416 ffc8 7522 }
            // n = 5, score = 300
            //   8bc7                 | cmp                 dword ptr [esp], 0
            //   ffc8                 | je                  0x21
            //   7416                 | dec                 eax
            //   ffc8                 | mov                 eax, dword ptr [esp + 0x20]
            //   7522                 | movzx               ecx, byte ptr [esp + 0x28]

        $sequence_12 = { 8b45f4 81e2ff030000 c1e20a 25ff030000 0bd0 81c200000100 }
            // n = 6, score = 300
            //   8b45f4               | mov                 eax, dword ptr [esp + 0x30]
            //   81e2ff030000         | mov                 dword ptr [esp], eax
            //   c1e20a               | jne                 4
            //   25ff030000           | jmp                 0x34
            //   0bd0                 | mov                 eax, dword ptr [esp + 0x30]
            //   81c200000100         | mov                 dword ptr [esp], eax

        $sequence_13 = { 6683f809 7505 8d7b02 eb09 }
            // n = 4, score = 300
            //   6683f809             | mov                 byte ptr [eax], cl
            //   7505                 | je                  9
            //   8d7b02               | cmp                 dword ptr [esp + 0x30], 0
            //   eb09                 | jne                 9

        $sequence_14 = { 7405 f60001 7502 33c0 }
            // n = 4, score = 300
            //   7405                 | jmp                 0x34
            //   f60001               | mov                 eax, dword ptr [esp + 0x30]
            //   7502                 | mov                 dword ptr [esp], eax
            //   33c0                 | mov                 eax, dword ptr [esp + 0x30]

        $sequence_15 = { 8b4d08 47 8b55f4 41 }
            // n = 4, score = 300
            //   8b4d08               | je                  9
            //   47                   | cmp                 dword ptr [esp + 0x30], 0
            //   8b55f4               | jne                 0xb
            //   41                   | jmp                 0x3d

        $sequence_16 = { 89411c 894120 894124 890f 897904 }
            // n = 5, score = 300
            //   89411c               | mov                 eax, dword ptr [esp + 0x30]
            //   894120               | dec                 eax
            //   894124               | mov                 dword ptr [esp + 0x30], eax
            //   890f                 | mov                 dword ptr [esp + 0x30], eax
            //   897904               | cmp                 dword ptr [esp], 0

        $sequence_17 = { 803f2e 752c 8a4701 3c30 7c25 }
            // n = 5, score = 300
            //   803f2e               | dec                 eax
            //   752c                 | mov                 dword ptr [esp + 0x30], eax
            //   8a4701               | cmp                 dword ptr [esp], 0
            //   3c30                 | dec                 eax
            //   7c25                 | cmp                 dword ptr [esp + 0x20], 0

        $sequence_18 = { 48895c2420 4d8bcc 4d8bc7 488bd0 488bce ff15???????? 85c0 }
            // n = 7, score = 300
            //   48895c2420           | jmp                 0x3b
            //   4d8bcc               | mov                 eax, dword ptr [esp + 0x30]
            //   4d8bc7               | mov                 dword ptr [esp], eax
            //   488bd0               | cmp                 dword ptr [esp], 0
            //   488bce               | je                  0x1d
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_19 = { eb03 0fb6c9 2bc1 8b4d0c }
            // n = 4, score = 300
            //   eb03                 | dec                 eax
            //   0fb6c9               | mov                 eax, dword ptr [esp + 0x20]
            //   2bc1                 | dec                 eax
            //   8b4d0c               | inc                 eax

        $sequence_20 = { 50 57 e8???????? 50 e8???????? 8bf0 83c410 }
            // n = 7, score = 300
            //   50                   | mov                 eax, dword ptr [esp + 0x30]
            //   57                   | dec                 eax
            //   e8????????           |                     
            //   50                   | mov                 eax, dword ptr [esp + 0x20]
            //   e8????????           |                     
            //   8bf0                 | movzx               ecx, byte ptr [esp + 0x28]
            //   83c410               | mov                 byte ptr [eax], cl

        $sequence_21 = { c3 8d4101 57 50 }
            // n = 4, score = 300
            //   c3                   | dec                 eax
            //   8d4101               | cmp                 dword ptr [esp + 0x20], 0
            //   57                   | je                  0xf
            //   50                   | cmp                 dword ptr [esp + 0x30], 0

        $sequence_22 = { 8b4d0c 8908 5e 5f 33c0 }
            // n = 5, score = 300
            //   8b4d0c               | dec                 eax
            //   8908                 | mov                 dword ptr [esp + 0x20], eax
            //   5e                   | jmp                 0xffffffe4
            //   5f                   | dec                 eax
            //   33c0                 | sub                 esp, 0x18

    condition:
        // Any 7 of the 23 sequences must be present. The filesize bound
        // (434176 bytes = 424 KiB) stops the rule from firing on large
        // unrelated files, but note that per YARA's documented semantics
        // `filesize` is undefined when scanning process memory, so this
        // condition cannot evaluate true there -- the rule is effectively
        // file-only. Drop or relax the bound if you adapt it for memory scans.
        7 of them and filesize < 434176
}