win.lambload

LambLoad

aka: OfficeCertTea

Actor(s): Lazarus Group


According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.

References

2023-11-22 | Microsoft (Microsoft Threat Intelligence)
    Diamond Sleet supply chain compromise distributes a modified CyberLink installer
    Families: LambLoad

2023-10-04 | Virus Bulletin (Peter Kálnai)
    Lazarus Campaigns and Backdoors in 2022-23
    Families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-04-12 | Kaspersky Labs (Seongsu Park)
    Following the Lazarus group by tracking DeathNote campaign
    Families: Bankshot, BLINDINGCAN, ForestTiger, LambLoad, LPEClient, MimiKatz, NedDnLoader, Racket Downloader, Volgmer

2022-09-30 | ESET Research (Peter Kálnai)
    Amazon-themed campaigns of Lazarus in the Netherlands and Belgium
    Families: BLINDINGCAN, FudModule, HTTP(S) uploader, LambLoad, TOUCHMOVE
Yara Rules
[TLP:WHITE] win_lambload_auto (20230808 | Detects win.lambload.)
rule win_lambload_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lambload."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffb5e4f7ffff e8???????? 0fb74624 57 57 6a03 }
            // n = 6, score = 100
            //   ffb5e4f7ffff         | push                dword ptr [ebp - 0x81c]
            //   e8????????           |                     
            //   0fb74624             | movzx               eax, word ptr [esi + 0x24]
            //   57                   | push                edi
            //   57                   | push                edi
            //   6a03                 | push                3

        $sequence_1 = { ff15???????? 47 83ff02 7caa 83c8ff 5f 5e }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   47                   | inc                 edi
            //   83ff02               | cmp                 edi, 2
            //   7caa                 | jl                  0xffffffac
            //   83c8ff               | or                  eax, 0xffffffff
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { 74c5 57 57 57 ff7608 ff15???????? 85c0 }
            // n = 7, score = 100
            //   74c5                 | je                  0xffffffc7
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { 8b6c2424 83c408 3be8 7e02 8be8 }
            // n = 5, score = 100
            //   8b6c2424             | mov                 ebp, dword ptr [esp + 0x24]
            //   83c408               | add                 esp, 8
            //   3be8                 | cmp                 ebp, eax
            //   7e02                 | jle                 4
            //   8be8                 | mov                 ebp, eax

        $sequence_4 = { 897dfc 897dd8 83ff40 0f8d3b010000 8b34bd00490710 85f6 }
            // n = 6, score = 100
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   83ff40               | cmp                 edi, 0x40
            //   0f8d3b010000         | jge                 0x141
            //   8b34bd00490710       | mov                 esi, dword ptr [edi*4 + 0x10074900]
            //   85f6                 | test                esi, esi

        $sequence_5 = { 83c420 837e1804 750d b800308000 }
            // n = 4, score = 100
            //   83c420               | add                 esp, 0x20
            //   837e1804             | cmp                 dword ptr [esi + 0x18], 4
            //   750d                 | jne                 0xf
            //   b800308000           | mov                 eax, 0x803000

        $sequence_6 = { f7f9 8955fc e8???????? 99 b9ffff0000 f7f9 }
            // n = 6, score = 100
            //   f7f9                 | idiv                ecx
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b9ffff0000           | mov                 ecx, 0xffff
            //   f7f9                 | idiv                ecx

        $sequence_7 = { be???????? 50 a5 e8???????? 83c40c }
            // n = 5, score = 100
            //   be????????           |                     
            //   50                   | push                eax
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_8 = { 0fb78c05ecfbffff 66898c05f4fdffff 83c002 663bce 75e8 53 8d85ecfbffff }
            // n = 7, score = 100
            //   0fb78c05ecfbffff     | movzx               ecx, word ptr [ebp + eax - 0x414]
            //   66898c05f4fdffff     | mov                 word ptr [ebp + eax - 0x20c], cx
            //   83c002               | add                 eax, 2
            //   663bce               | cmp                 cx, si
            //   75e8                 | jne                 0xffffffea
            //   53                   | push                ebx
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]

        $sequence_9 = { 33c0 8a540430 8a8be8330710 32ca 888be8330710 43 3bdd }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8a540430             | mov                 dl, byte ptr [esp + eax + 0x30]
            //   8a8be8330710         | mov                 cl, byte ptr [ebx + 0x100733e8]
            //   32ca                 | xor                 cl, dl
            //   888be8330710         | mov                 byte ptr [ebx + 0x100733e8], cl
            //   43                   | inc                 ebx
            //   3bdd                 | cmp                 ebx, ebp

    condition:
        7 of them and filesize < 1039360
}
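As an added illustration (not part of the Malpedia page or of yara-signator's code), the following Python re-implements how the rule above is evaluated: it parses the rule's ten hex sequences, treating `??` as a one-byte wildcard, into byte regexes and applies the "7 of them and filesize < 1039360" condition to a constructed buffer. It assumes YARA's default semantics that a single occurrence of a string anywhere in the file counts.

```python
import re

# Hex strings copied from the win_lambload_auto rule above. In YARA hex
# strings "??" is a wildcard for one byte (here: call/jump targets and
# absolute addresses that differ between builds).
SEQUENCES = {
    "sequence_0": "ffb5e4f7ffff e8???????? 0fb74624 57 57 6a03",
    "sequence_1": "ff15???????? 47 83ff02 7caa 83c8ff 5f 5e",
    "sequence_2": "74c5 57 57 57 ff7608 ff15???????? 85c0",
    "sequence_3": "8b6c2424 83c408 3be8 7e02 8be8",
    "sequence_4": "897dfc 897dd8 83ff40 0f8d3b010000 8b34bd00490710 85f6",
    "sequence_5": "83c420 837e1804 750d b800308000",
    "sequence_6": "f7f9 8955fc e8???????? 99 b9ffff0000 f7f9",
    "sequence_7": "be???????? 50 a5 e8???????? 83c40c",
    "sequence_8": "0fb78c05ecfbffff 66898c05f4fdffff 83c002 663bce 75e8 53 8d85ecfbffff",
    "sequence_9": "33c0 8a540430 8a8be8330710 32ca 888be8330710 43 3bdd",
}
MAX_FILESIZE = 1039360  # "filesize < 1039360" in the rule's condition
MIN_MATCHES = 7         # "7 of them"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string (full bytes and '??' wildcards) to a bytes regex."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in pattern")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' also matches 0x0a

def matching_sequences(data: bytes) -> list:
    """Names of the sequences present in data; one occurrence is enough, as in YARA."""
    return [name for name, pat in SEQUENCES.items()
            if hex_pattern_to_regex(pat).search(data)]

def rule_fires(data: bytes) -> bool:
    """Evaluate the rule's condition: 7 of them and filesize < 1039360."""
    return len(matching_sequences(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE

def build_sample(names) -> bytes:
    """Constructed test buffer: the named sequences, wildcards filled with 0x90, zero-padded."""
    chunks = []
    for name in names:
        chunks.append(bytes.fromhex(SEQUENCES[name].replace(" ", "").replace("??", "90")))
        chunks.append(b"\x00" * 16)
    return b"".join(chunks)
```

Because yara-signator selects these sequences from single documented samples, a build that has fewer than seven of them in common with the reference sample will not trigger the rule even if it is the same family.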