Naikon (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.naikon (Back to overview)

Naikon

aka: Sacto

Actor(s): Naikon

VTCollection

There is no description at this point.

References

2015-05-14 ⋅ Kaspersky Labs ⋅ Kurt Baumgartner, Maxim Golovkin
The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon

2015-04-01 ⋅ FireEye ⋅ FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_naikon_auto (20241030 \| Detects win.naikon.) rule win_naikon_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2024-10-31" version = "1" description = "Detects win.naikon." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon" malpedia_rule_date = "20241030" malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4" malpedia_version = "20241030" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 8bc6 8088e130011008 40 3dff000000 } // n = 4, score = 200 // 8bc6 \| mov eax, esi // 8088e130011008 \| or byte ptr [eax + 0x100130e1], 8 // 40 \| inc eax // 3dff000000 \| cmp eax, 0xff $sequence_1 = { 3bc3 7c03 53 eb01 50 8b4dfc 8d043e } // n = 7, score = 200 // 3bc3 \| cmp eax, ebx // 7c03 \| jl 5 // 53 \| push ebx // eb01 \| jmp 3 // 50 \| push eax // 8b4dfc \| mov ecx, dword ptr [ebp - 4] // 8d043e \| lea eax, [esi + edi] $sequence_2 = { 8d450c 6a03 50 8bce e8???????? 8b06 } // n = 6, score = 200 // 8d450c \| lea eax, [ebp + 0xc] // 6a03 \| push 3 // 50 \| push eax // 8bce \| mov ecx, esi // e8???????? \| // 8b06 \| mov eax, dword ptr [esi] $sequence_3 = { 8bf1 ff742410 e8???????? 85c0 753f 8d4e7c 8d4670 } // n = 7, score = 200 // 8bf1 \| mov esi, ecx // ff742410 \| push dword ptr [esp + 0x10] // e8???????? \| // 85c0 \| test eax, eax // 753f \| jne 0x41 // 8d4e7c \| lea ecx, [esi + 0x7c] // 8d4670 \| lea eax, [esi + 0x70] $sequence_4 = { a1???????? 682c010000 b9???????? 50 8d9500f0ffff } // n = 5, score = 200 // a1???????? \| // 682c010000 \| push 0x12c // b9???????? \| // 50 \| push eax // 8d9500f0ffff \| lea edx, [ebp - 0x1000] $sequence_5 = { 50 8d85f8feffff 50 ffd7 894508 8b85a8fcffff } // n = 6, score = 200 // 50 \| push eax // 8d85f8feffff \| lea eax, [ebp - 0x108] // 50 \| push eax // ffd7 \| call edi // 894508 \| mov dword ptr [ebp + 8], eax // 8b85a8fcffff \| mov eax, dword ptr [ebp - 0x358] $sequence_6 = { 8bce e8???????? 8b06 8b4e08 57 0fb60c01 } // n = 6, score = 200 // 8bce \| mov ecx, esi // e8???????? \| // 8b06 \| mov eax, dword ptr [esi] // 8b4e08 \| mov ecx, dword ptr [esi + 8] // 57 \| push edi // 0fb60c01 \| movzx ecx, byte ptr [ecx + eax] $sequence_7 = { 8bd8 ffd7 5f 8bc3 } // n = 4, score = 200 // 8bd8 \| mov ebx, eax // ffd7 \| call edi // 5f \| pop edi // 8bc3 \| mov eax, ebx $sequence_8 = { 0fbec3 8a80e8d10010 83e00f eb02 33c0 0fbe84c108d20010 } // n = 6, score = 200 // 0fbec3 \| movsx eax, bl // 8a80e8d10010 \| mov al, byte ptr [eax + 0x1000d1e8] // 83e00f \| and eax, 0xf // eb02 \| jmp 4 // 33c0 \| xor eax, eax // 0fbe84c108d20010 \| movsx eax, byte ptr [ecx + eax8 + 0x1000d208] $sequence_9 = { 8b85a8fcffff 83e010 3c10 7503 6a01 5e } // n = 6, score = 200 // 8b85a8fcffff \| mov eax, dword ptr [ebp - 0x358] // 83e010 \| and eax, 0x10 // 3c10 \| cmp al, 0x10 // 7503 \| jne 5 // 6a01 \| push 1 // 5e \| pop esi condition: 7 of them and filesize < 188416 }
[TLP:WHITE] win_naikon_w0 (20170618 \| Naikon code features) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_naikon_w0 { meta: description = "Naikon code features" author = "Seth Hardy" last_modified = "2014-06-25" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon" malpedia_version = "20170618" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: // decryption $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh $ = { 35 5A 01 00 00} // xor eax, 15ah $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh condition: all of them }
[TLP:WHITE] win_naikon_w1 (20170618 \| Naikon Identifying Strings) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_naikon_w1 { meta: description = "Naikon Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-25" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon" malpedia_version = "20170618" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $ = "NOKIAN95/WEB" $ = "/tag=info&id=15" $ = "skg(3)=&3.2d_u1" $ = "\\Temp\\iExplorer.exe" $ = "\\Temp\\\"TSG\"" condition: any of them }
[TLP:WHITE] win_naikon_w2 (20170618 \| Detects backdoors related to the Naikon APT) rule win_naikon_w2 { meta: description = "Detects backdoors related to the Naikon APT" author = "Florian Roth" reference = "https://goo.gl/7vHyvh" date = "2015-05-14" hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba" hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon" malpedia_version = "20170618" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii $x2 = "greensky27.vicp.net" fullword ascii $x3 = "\\tempvxd.vxd.dll" fullword wide $x4 = "otna.vicp.net" fullword ascii $x5 = "smithking19.gicp.net" fullword ascii $s1 = "User-Agent: webclient" fullword ascii $s2 = "\\User.ini" fullword ascii $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii $s4 = "\\UserProfile.dll" fullword wide $s5 = "Connection:Keep-Alive: %d" fullword ascii $s6 = "Referer: http://%s:%d/" fullword ascii $s7 = "%s %s %s %d %d %d " fullword ascii $s8 = "%s--%s" fullword wide $s9 = "Run File Success!" fullword wide $s10 = "DRIVE_REMOTE" fullword wide $s11 = "ProxyEnable" fullword wide $s12 = "\\cmd.exe" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1000KB and (1 of ($x) or 7 of ($s)) }

Download all Yara Rules