win.naikon

Naikon

aka: Sacto

Actor(s): Naikon


There is no description at this point.

References
2015-05-14 — Kaspersky Labs — Kurt Baumgartner, Maxim Golovkin
The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon
2015-04-01 — FireEye — FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
2015-02-06 — CrowdStrike — CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_naikon_auto (20260504 | Detects win.naikon.)
rule win_naikon_auto {
    // Code-sequence rule for win.naikon, generated by YARA-Signator from the
    // disassembly of unpacked samples (see DISCLAIMER below). Each $sequence_N
    // is a short run of x86 opcode bytes; "??" bytes are YARA wildcards that
    // mask operands expected to vary between builds, e.g. the rel32 target of
    // "e8 ????????" (call) and the imm32 of "68 ????????" (push). The "n" and
    // "score" annotations are the generator's sequence length and ranking.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.naikon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75e8 ff5040 8b436c ff750c ff5024 }
            // n = 5, score = 200
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff5040               | call                dword ptr [eax + 0x40]
            //   8b436c               | mov                 eax, dword ptr [ebx + 0x6c]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff5024               | call                dword ptr [eax + 0x24]

        $sequence_1 = { 8d459c 8945e8 53 8d45e0 53 50 }
            // n = 6, score = 200
            //   8d459c               | lea                 eax, [ebp - 0x64]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   53                   | push                ebx
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_2 = { 59 74bd 68???????? e8???????? 03d8 }
            // n = 5, score = 200
            //   59                   | pop                 ecx
            //   74bd                 | je                  0xffffffbf
            //   68????????           |                     (push imm32, operand wildcarded)
            //   e8????????           |                     (call rel32, target wildcarded)
            //   03d8                 | add                 ebx, eax

        $sequence_3 = { e8???????? 83c424 8d45ac 897dac 50 8d45e0 }
            // n = 6, score = 200
            //   e8????????           |                     (call rel32, target wildcarded)
            //   83c424               | add                 esp, 0x24
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   897dac               | mov                 dword ptr [ebp - 0x54], edi
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]

        $sequence_4 = { 5f 5e c3 55 8bec 81ec340a0000 }
            // n = 6, score = 200
            // Function epilogue followed by the next function's prologue
            // (0xa34-byte stack frame).
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec340a0000         | sub                 esp, 0xa34

        $sequence_5 = { 8bf8 83ffff 0f84bf000000 85ff 0f84b7000000 8d85d4efffff }
            // n = 6, score = 200
            // Return-value check: bails out on both -1 and 0 in edi.
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   0f84bf000000         | je                  0xc5
            //   85ff                 | test                edi, edi
            //   0f84b7000000         | je                  0xbd
            //   8d85d4efffff         | lea                 eax, [ebp - 0x102c]

        $sequence_6 = { 50 68???????? 53 e8???????? 8d8570fdffff 6a3e }
            // n = 6, score = 200
            //   50                   | push                eax
            //   68????????           |                     (push imm32, operand wildcarded)
            //   53                   | push                ebx
            //   e8????????           |                     (call rel32, target wildcarded)
            //   8d8570fdffff         | lea                 eax, [ebp - 0x290]
            //   6a3e                 | push                0x3e

        $sequence_7 = { 50 ff75fc e8???????? 53 8945f4 ffd7 837df400 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     (call rel32, target wildcarded)
            //   53                   | push                ebx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   ffd7                 | call                edi
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0

        $sequence_8 = { 55 8bec 81ec90010000 8d8570feffff 50 6a02 e8???????? }
            // n = 7, score = 200
            // Function prologue with a 0x190-byte frame, then a call that
            // receives a pointer to the frame base and the constant 2.
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec90010000         | sub                 esp, 0x190
            //   8d8570feffff         | lea                 eax, [ebp - 0x190]
            //   50                   | push                eax
            //   6a02                 | push                2
            //   e8????????           |                     (call rel32, target wildcarded)

        $sequence_9 = { ff7508 eb17 6a00 8bce e8???????? 8b06 8b4e08 }
            // n = 7, score = 200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   eb17                 | jmp                 0x19
            //   6a00                 | push                0
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     (call rel32, target wildcarded)
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]

    condition:
        // At least 7 of the 10 code sequences must be present. The size
        // bound is in bytes (188416 = 184 KiB) and presumably derives from
        // the analysed sample; unpacked or memory-dumped files larger than
        // that will not match even if the sequences are present.
        7 of them and filesize < 188416
}
[TLP:WHITE] win_naikon_w0   (20170618 | Naikon code features)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_naikon_w0 {
    // Matches three short x86 opcode fragments that the author attributes
    // to Naikon's decryption routine. The fragments carry the routine's
    // immediate constants (0x1f shift, 0x15a xor mask, 0x6147f addend),
    // so the rule keys on those constants rather than on strings.
    meta:
        description = "Naikon code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        // decryption
        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eax, 1fh
        $ = { 35 5A 01 00 00} // xor eax, 15ah
        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
    
    condition:
        // All three fragments must be present; the rule has no file-type
        // or size guard, so it applies to any scanned object.
        all of them
}
[TLP:WHITE] win_naikon_w1   (20170618 | Naikon Identifying Strings)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_naikon_w1 {
    // String-based identification of Naikon samples. The strings are
    // ASCII literals; backslashes are doubled for YARA escaping, so
    // "\\Temp\\iExplorer.exe" matches the bytes \Temp\iExplorer.exe.
    meta:
        description = "Naikon Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        $ = "NOKIAN95/WEB"            // looks like a User-Agent fragment - unverified
        $ = "/tag=info&id=15"         // URI query fragment
        $ = "skg(3)=&3.2d_u1"         // opaque marker string
        $ = "\\Temp\\iExplorer.exe"   // drop path under a Temp directory
        $ = "\\Temp\\\"TSG\""         // path containing a quoted "TSG" component
        
    condition:
        // A single string hit suffices; there is no MZ or size guard, so
        // treat matches on the more generic strings as lower confidence.
       any of them
}
[TLP:WHITE] win_naikon_w2   (20170618 | Detects backdoors related to the Naikon APT)
rule win_naikon_w2 {
    // Detects Naikon backdoors via two string tiers:
    //   $x* - high-confidence indicators (request-line formats with the
    //         family's .asp endpoints, hostnames, and a .vxd.dll name);
    //         any one of them is sufficient.
    //   $s* - generic strings (user agents, headers, format strings,
    //         registry/file names); only a cluster of them is enough.
    meta:
        description = "Detects backdoors related to the Naikon APT"
        author = "Florian Roth"
        reference = "https://goo.gl/7vHyvh"
        date = "2015-05-14"
        hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
        hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Request-line format strings: %s:%d is filled with host and port at
        // runtime, so only the literal endpoint names are fixed.
        $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
        $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
        $x2 = "greensky27.vicp.net" fullword ascii
        $x3 = "\\tempvxd.vxd.dll" fullword wide
        $x4 = "otna.vicp.net" fullword ascii
        $x5 = "smithking19.gicp.net" fullword ascii

        $s1 = "User-Agent: webclient" fullword ascii
        $s2 = "\\User.ini" fullword ascii
        // Deliberately not fullword: the literal ends mid-token ("Gecko/200").
        $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
        $s4 = "\\UserProfile.dll" fullword wide
        $s5 = "Connection:Keep-Alive: %d" fullword ascii
        $s6 = "Referer: http://%s:%d/" fullword ascii
        $s7 = "%s %s %s %d %d %d " fullword ascii
        $s8 = "%s--%s" fullword wide
        $s9 = "Run File Success!" fullword wide
        $s10 = "DRIVE_REMOTE" fullword wide
        $s11 = "ProxyEnable" fullword wide
        $s12 = "\\cmd.exe" fullword wide

    condition:
        // 0x5a4d is "MZ" read little-endian, i.e. a PE/DOS header; the size
        // cap and the string threshold then apply only to such files.
        uint16(0) == 0x5a4d and filesize < 1000KB and (1 of ($x*) or 7 of ($s*))
}