win.naikon

Naikon

aka: Sacto

Actor(s): Naikon


There is no description at this point.

References
2015-05-14 · Kaspersky Labs · Kurt Baumgartner, Maxim Golovkin
The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon
2015-04-01 · FireEye · FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
2015-02-06 · CrowdStrike · CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_naikon_auto (20241030 | Detects win.naikon.)
rule win_naikon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.naikon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer note: each $sequence_N below is a short run of x86 opcode bytes;
     * the "????????" wildcards mask 4-byte operands (the e8 / a1 / b9 entries
     * with an empty disassembly column) that vary between builds, so the
     * patterns key on instruction structure rather than absolute addresses.
     * Because the rule is derived from unpacked/dumped code (see DISCLAIMER),
     * expect it to be strongest on memory images and unpacked samples and to
     * miss packed on-disk variants; per the disclaimer, the training set may
     * be a single sample, so a non-match is not evidence of absence.
     */

    strings:
        $sequence_0 = { 8bc6 8088e130011008 40 3dff000000 }
            // n = 4, score = 200
            //   8bc6                 | mov                 eax, esi
            //   8088e130011008       | or                  byte ptr [eax + 0x100130e1], 8
            //   40                   | inc                 eax
            //   3dff000000           | cmp                 eax, 0xff

        $sequence_1 = { 3bc3 7c03 53 eb01 50 8b4dfc 8d043e }
            // n = 7, score = 200
            //   3bc3                 | cmp                 eax, ebx
            //   7c03                 | jl                  5
            //   53                   | push                ebx
            //   eb01                 | jmp                 3
            //   50                   | push                eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d043e               | lea                 eax, [esi + edi]

        $sequence_2 = { 8d450c 6a03 50 8bce e8???????? 8b06 }
            // n = 6, score = 200
            //   8d450c               | lea                 eax, [ebp + 0xc]
            //   6a03                 | push                3
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     (call target masked)
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_3 = { 8bf1 ff742410 e8???????? 85c0 753f 8d4e7c 8d4670 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   e8????????           |                     (call target masked)
            //   85c0                 | test                eax, eax
            //   753f                 | jne                 0x41
            //   8d4e7c               | lea                 ecx, [esi + 0x7c]
            //   8d4670               | lea                 eax, [esi + 0x70]

        $sequence_4 = { a1???????? 682c010000 b9???????? 50 8d9500f0ffff }
            // n = 5, score = 200
            //   a1????????           |                     (absolute address masked)
            //   682c010000           | push                0x12c
            //   b9????????           |                     (immediate masked)
            //   50                   | push                eax
            //   8d9500f0ffff         | lea                 edx, [ebp - 0x1000]

        $sequence_5 = { 50 8d85f8feffff 50 ffd7 894508 8b85a8fcffff }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   8b85a8fcffff         | mov                 eax, dword ptr [ebp - 0x358]

        $sequence_6 = { 8bce e8???????? 8b06 8b4e08 57 0fb60c01 }
            // n = 6, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     (call target masked)
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   57                   | push                edi
            //   0fb60c01             | movzx               ecx, byte ptr [ecx + eax]

        $sequence_7 = { 8bd8 ffd7 5f 8bc3 }
            // n = 4, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   ffd7                 | call                edi
            //   5f                   | pop                 edi
            //   8bc3                 | mov                 eax, ebx

        $sequence_8 = { 0fbec3 8a80e8d10010 83e00f eb02 33c0 0fbe84c108d20010 }
            // n = 6, score = 200
            //   0fbec3               | movsx               eax, bl
            //   8a80e8d10010         | mov                 al, byte ptr [eax + 0x1000d1e8]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   0fbe84c108d20010     | movsx               eax, byte ptr [ecx + eax*8 + 0x1000d208]

        $sequence_9 = { 8b85a8fcffff 83e010 3c10 7503 6a01 5e }
            // n = 6, score = 200
            //   8b85a8fcffff         | mov                 eax, dword ptr [ebp - 0x358]
            //   83e010               | and                 eax, 0x10
            //   3c10                 | cmp                 al, 0x10
            //   7503                 | jne                 5
            //   6a01                 | push                1
            //   5e                   | pop                 esi

    condition:
        // At least 7 of the 10 sequences must co-occur; the size bound
        // (188416 bytes = 184 KiB) limits the scan to small inputs, so very
        // large dumps will never match this rule even if the code is present.
        7 of them and filesize < 188416
}
[TLP:WHITE] win_naikon_w0   (20170618 | Naikon code features)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_naikon_w0 {
    meta:
        description = "Naikon code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Three instruction fragments from the sample's decryption routine
        // (per the original author's annotation). Each is an exact opcode
        // match with fixed immediates, so a rebuilt or re-keyed variant may
        // not hit; conversely, all three together are unlikely by chance.
        $dec_imul_shl = { 0F AF C1 C1 E0 1F }    // imul eax, ecx ; shl eax, 1fh
        $dec_xor      = { 35 5A 01 00 00 }       // xor eax, 15ah
        $dec_add      = { 81 C2 7F 14 06 00 }    // add edx, 6147fh

    condition:
        all of them
}
[TLP:WHITE] win_naikon_w1   (20170618 | Naikon Identifying Strings)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_naikon_w1 {
    meta:
        description = "Naikon Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Plain ASCII artefacts; the condition fires on any single one. The
        // shorter fragments (the /tag= URI piece in particular) are generic
        // enough to appear in unrelated software, so corroborate a hit with
        // win_naikon_w0 or win_naikon_w2 before assigning high confidence.
        $str_nokia      = "NOKIAN95/WEB" ascii
        $str_tag_uri    = "/tag=info&id=15" ascii
        $str_skg        = "skg(3)=&3.2d_u1" ascii
        $path_iexplorer = "\\Temp\\iExplorer.exe" ascii
        $path_tsg       = "\\Temp\\\"TSG\"" ascii

    condition:
        any of them
}
[TLP:WHITE] win_naikon_w2   (20170618 | Detects backdoors related to the Naikon APT)
rule win_naikon_w2 {
    meta:
        description = "Detects backdoors related to the Naikon APT"
        author = "Florian Roth"
        reference = "https://goo.gl/7vHyvh"
        date = "2015-05-14"
        hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
        hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // High-specificity group ($hi*): request templates, hostnames and a
        // drop-file name tied to this family. One hit is sufficient.
        $hi0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
        $hi1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
        $hi2 = "greensky27.vicp.net" fullword ascii
        $hi3 = "\\tempvxd.vxd.dll" fullword wide
        $hi4 = "otna.vicp.net" fullword ascii
        $hi5 = "smithking19.gicp.net" fullword ascii

        // Low-specificity group ($lo*): HTTP header fragments, format
        // strings and runtime artefacts that are common individually; seven
        // must co-occur. Note $lo3 is a prefix match (no fullword) on a
        // truncated Gecko user-agent, and $lo12 ("\\cmd.exe") appears in many
        // benign binaries, so it should not carry weight on its own.
        $lo1  = "User-Agent: webclient" fullword ascii
        $lo2  = "\\User.ini" fullword ascii
        $lo3  = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
        $lo4  = "\\UserProfile.dll" fullword wide
        $lo5  = "Connection:Keep-Alive: %d" fullword ascii
        $lo6  = "Referer: http://%s:%d/" fullword ascii
        $lo7  = "%s %s %s %d %d %d " fullword ascii
        $lo8  = "%s--%s" fullword wide
        $lo9  = "Run File Success!" fullword wide
        $lo10 = "DRIVE_REMOTE" fullword wide
        $lo11 = "ProxyEnable" fullword wide
        $lo12 = "\\cmd.exe" fullword wide

    condition:
        // MZ header, size cap, then either one specific string or seven
        // of the generic ones.
        uint16(0) == 0x5a4d and filesize < 1000KB and (1 of ($hi*) or 7 of ($lo*))
}