win.naikon

Naikon

aka: Sacto

Actor(s): Naikon


There is no description at this point.

References
2015-05-14 — Kaspersky Labs — Kurt Baumgartner, Maxim Golovkin
The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon
2015-04-01 — FireEye — FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
2015-02-06 — CrowdStrike — CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_naikon_auto (20230808 | Detects win.naikon.)
rule win_naikon_auto {
    /* Review notes on how this rule fires:
     * - Condition: at least 7 of the 10 $sequence_N patterns must be present AND the
     *   scanned object must be smaller than 188416 bytes (184 KiB). A padded, bundled or
     *   otherwise larger copy of the same code will not match; the threshold is presumably
     *   derived from the documented sample set -- confirm before relying on it elsewhere.
     * - Each $sequence_N is a run of 32-bit x86 instruction bytes. The `??` wildcards mask
     *   operand bytes (call displacements, absolute addresses, immediates) that are not
     *   expected to be stable; those instructions are left without disassembly text below.
     * - There is no MZ/PE header check in the condition, which keeps the rule applicable to
     *   the memory dumps and unpacked images the DISCLAIMER describes as its data source.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.naikon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        // NOTE(review): `date` (2023-12-06) is later than `malpedia_rule_date` (20231130);
        // both values are kept exactly as published.
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Every sequence below carries the generator's "score = 200"; n is the
        // number of instructions in the sequence.
        $sequence_0 = { 881c08 8d4405c9 50 e8???????? 59 8b4d0c 8901 }
            // n = 7, score = 200
            //   881c08               | mov                 byte ptr [eax + ecx], bl
            //   8d4405c9             | lea                 eax, [ebp + eax - 0x37]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_1 = { 8d85f8feffff 68???????? 50 e8???????? 8b3d???????? 83c418 8d85a8fcffff }
            // n = 7, score = 200
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b3d????????         |                     
            //   83c418               | add                 esp, 0x18
            //   8d85a8fcffff         | lea                 eax, [ebp - 0x358]

        $sequence_2 = { ff750c c745f002000000 897dec c745e401000000 57 897de0 ff7508 }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   c745f002000000       | mov                 dword ptr [ebp - 0x10], 2
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   57                   | push                edi
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_3 = { 53 50 8d85f4fffdff 56 50 ff35???????? }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d85f4fffdff         | lea                 eax, [ebp - 0x2000c]
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff35????????         |                     

        $sequence_4 = { 83c418 57 50 8d8528ffffff 50 ffb690000000 e8???????? }
            // n = 7, score = 200
            //   83c418               | add                 esp, 0x18
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d8528ffffff         | lea                 eax, [ebp - 0xd8]
            //   50                   | push                eax
            //   ffb690000000         | push                dword ptr [esi + 0x90]
            //   e8????????           |                     

        $sequence_5 = { 6a10 57 681cc10000 897df4 ff750c c745f002000000 }
            // n = 6, score = 200
            //   6a10                 | push                0x10
            //   57                   | push                edi
            //   681cc10000           | push                0xc11c
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   c745f002000000       | mov                 dword ptr [ebp - 0x10], 2

        $sequence_6 = { 53 53 8b4010 8d4d0c }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]

        $sequence_7 = { e8???????? 83c40c 837df400 7408 ff75f4 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   7408                 | je                  0xa
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     

        $sequence_8 = { 83c41c 33c0 808405dcf9fffffb 40 }
            // n = 4, score = 200
            //   83c41c               | add                 esp, 0x1c
            //   33c0                 | xor                 eax, eax
            //   808405dcf9fffffb     | add                 byte ptr [ebp + eax - 0x624], 0xfb
            //   40                   | inc                 eax

        $sequence_9 = { 6a01 ff35???????? ff15???????? 8bd8 8b4508 46 6a00 }
            // n = 7, score = 200
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   46                   | inc                 esi
            //   6a00                 | push                0

    condition:
        // 7 of the 10 sequences, and a hard size cap of 184 KiB (188416 bytes).
        7 of them and filesize < 188416
}
[TLP:WHITE] win_naikon_w0   (20170618 | Naikon code features)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_naikon_w0 {
    /* Matches three short 32-bit x86 instruction byte patterns that the author
     * attributes to the family's decryption code. Each pattern is only 5-6 bytes,
     * so the rule requires ALL three to co-occur; a single pattern on its own is
     * too short to be a reliable indicator.
     */
    meta:
        description = "Naikon code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        // decryption
        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eax, 1fh
        $ = { 35 5A 01 00 00} // xor eax, 15ah
        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
    
    condition:
        // No MZ/PE header or filesize guard: any object (including memory dumps)
        // containing all three patterns matches. If you scan files only, an
        // additional `uint16(0) == 0x5a4d` term would narrow it to PE images at
        // the cost of no longer matching unpacked dumps.
        all of them
}
[TLP:WHITE] win_naikon_w1   (20170618 | Naikon Identifying Strings)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_naikon_w1 {
    /* String-based identification. All five strings are anonymous and plain
     * text; they carry no `wide` modifier, so only ASCII copies are matched
     * (YARA's default), not UTF-16 ones.
     */
    meta:
        description = "Naikon Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        $ = "NOKIAN95/WEB"
        $ = "/tag=info&id=15"
        $ = "skg(3)=&3.2d_u1"
        $ = "\\Temp\\iExplorer.exe"
        // Escaped form of the literal  \Temp\"TSG"  (embedded double quotes).
        $ = "\\Temp\\\"TSG\""
        
    condition:
       // A single hit is enough. Short, generic-looking strings such as
       // "/tag=info&id=15" can therefore trigger on unrelated content; there is
       // no MZ/PE header check either. Treat matches on one string alone as
       // lower confidence than matches on several.
       any of them
}
[TLP:WHITE] win_naikon_w2   (20170618 | Detects backdoors related to the Naikon APT)
rule win_naikon_w2 {
    /* Two tiers of strings:
     *   $x* -- high-confidence indicators (request formats and hostnames tied to the
     *          reported infrastructure); one hit is sufficient.
     *   $s* -- generic strings (user-agent fragments, registry/ini names, \cmd.exe)
     *          that are individually common, so seven of them are required.
     * Hostname indicators ($x2, $x4, $x5) reflect the 2015 reporting and tend to age
     * faster than code-derived strings; review them before relying on the $x tier.
     */
    meta:
        description = "Detects backdoors related to the Naikon APT"
        author = "Florian Roth"
        reference = "https://goo.gl/7vHyvh"
        date = "2015-05-14"
        // Two `hash` entries: duplicate meta identifiers are permitted in YARA.
        hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
        hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
        malpedia_version = "20170618"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Beacon request templates; host and port are format-string placeholders
        // filled at runtime, so the hostnames below are not needed for these to hit.
        $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
        $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
        $x2 = "greensky27.vicp.net" fullword ascii
        $x3 = "\\tempvxd.vxd.dll" fullword wide
        $x4 = "otna.vicp.net" fullword ascii
        $x5 = "smithking19.gicp.net" fullword ascii

        $s1 = "User-Agent: webclient" fullword ascii
        $s2 = "\\User.ini" fullword ascii
        // Deliberately truncated at "Gecko/200" and NOT fullword, presumably so any
        // Gecko/200xxxxx build date matches -- confirm against the samples.
        $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
        $s4 = "\\UserProfile.dll" fullword wide
        $s5 = "Connection:Keep-Alive: %d" fullword ascii
        $s6 = "Referer: http://%s:%d/" fullword ascii
        $s7 = "%s %s %s %d %d %d " fullword ascii
        $s8 = "%s--%s" fullword wide
        $s9 = "Run File Success!" fullword wide
        $s10 = "DRIVE_REMOTE" fullword wide
        $s11 = "ProxyEnable" fullword wide
        $s12 = "\\cmd.exe" fullword wide

    condition:
        // PE image (MZ at offset 0), under 1000 KB, and either one high-confidence
        // $x string or at least seven of the generic $s strings.
        uint16(0) == 0x5a4d and filesize < 1000KB and (1 of ($x*) or 7 of ($s*))
}