win.nestegg (Back to overview)

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port number and accept inbound traffic.

References
2018-10-08Youtube VideoSaher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01Youtube (FireEye Inc.)Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08United States District Court (California)Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-03Kaspersky LabsKaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20221125 | Detects win.nestegg.)
rule win_nestegg_auto {

    /* Auto-generated YARA-Signator rule for the NESTEGG family (win.nestegg).
     * It carries ten short x86 opcode sequences ($sequence_0 .. $sequence_9)
     * lifted from disassembly; the condition fires when at least seven of
     * them are found in a file smaller than the filesize cap given below.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.nestegg."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a run of raw 32-bit x86 instruction bytes (the
        // disassembly column shows esp/eax-relative operands). The "??" pairs
        // are YARA hex-string wildcards that mask operands expected to vary
        // between samples, e.g. the targets of the e8/e9/ff15 call and jump
        // forms; the disassembly column is left blank for those lines.
        // The "n = N, score = S" comments are generator bookkeeping: N is the
        // number of instructions in the sequence, S its selection score.
        $sequence_0 = { ff15???????? 8b442414 8d542434 52 50 ff15???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8d542434             | lea                 edx, [esp + 0x34]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_1 = { c744244844000000 6a02 f3ab 89442440 8d4c2420 }
            // n = 5, score = 200
            //   c744244844000000     | mov                 dword ptr [esp + 0x48], 0x44
            //   6a02                 | push                2
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   8d4c2420             | lea                 ecx, [esp + 0x20]

        $sequence_2 = { 0f8dd2000000 53 53 53 55 ff15???????? 8a443410 }
            // n = 7, score = 200
            //   0f8dd2000000         | jge                 0xd8
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   8a443410             | mov                 al, byte ptr [esp + esi + 0x10]

        $sequence_3 = { 25ffff0000 8bce 50 8d4718 50 e8???????? e9???????? }
            // n = 7, score = 200
            //   25ffff0000           | and                 eax, 0xffff
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   8d4718               | lea                 eax, [edi + 0x18]
            //   50                   | push                eax
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_4 = { 8bce e8???????? eb55 c1e808 25ffff0000 8bce }
            // n = 6, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb55                 | jmp                 0x57
            //   c1e808               | shr                 eax, 8
            //   25ffff0000           | and                 eax, 0xffff
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 50 ff15???????? 89442410 8bb42434020000 8d4c2410 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8bb42434020000       | mov                 esi, dword ptr [esp + 0x234]
            //   8d4c2410             | lea                 ecx, [esp + 0x10]

        $sequence_6 = { 8bc6 5e 81c418020000 c3 56 ff15???????? }
            // n = 6, score = 200
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   81c418020000         | add                 esp, 0x218
            //   c3                   | ret                 
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_7 = { ffd5 eb50 8b861c030000 85c0 7409 68b80b0000 ffd5 }
            // n = 7, score = 200
            //   ffd5                 | call                ebp
            //   eb50                 | jmp                 0x52
            //   8b861c030000         | mov                 eax, dword ptr [esi + 0x31c]
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   68b80b0000           | push                0xbb8
            //   ffd5                 | call                ebp

        $sequence_8 = { ff15???????? 66837c241000 0f85b1000000 8b44241c 85c0 0f84a5000000 8d8c244c010000 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   66837c241000         | cmp                 word ptr [esp + 0x10], 0
            //   0f85b1000000         | jne                 0xb7
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f84a5000000         | je                  0xab
            //   8d8c244c010000       | lea                 ecx, [esp + 0x14c]

        $sequence_9 = { 750c c781d000000000000000 eb0a c781d000000001000000 57 8b7c240c }
            // n = 6, score = 200
            //   750c                 | jne                 0xe
            //   c781d000000000000000     | mov    dword ptr [ecx + 0xd0], 0
            //   eb0a                 | jmp                 0xc
            //   c781d000000001000000     | mov    dword ptr [ecx + 0xd0], 1
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object
        // must be smaller than 221184 bytes (216 KiB), which keeps the rule
        // focused on small binaries and the memory dumps it was derived from.
        // Both thresholds were set by the generator; per the DISCLAIMER above
        // the sequences may come from a single sample, so measure the match
        // and false-positive rate in your own environment before assigning a
        // confidence level to hits.
        7 of them and filesize < 221184
}