win.nestegg (Back to overview)

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port and accept inbound traffic.

References
2018-10-08Youtube VideoSaher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01Youtube (FireEye Inc.)Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08United States District Court (California)Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-03Kaspersky LabsKaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20220516 | Detects win.nestegg.)
rule win_nestegg_auto {
    // Auto-generated code-pattern signature for the NESTEGG backdoor
    // (attributed on this page to Lazarus Group). It matches short x86
    // instruction byte sequences lifted from disassembly rather than
    // strings or hashes, so it is meant for unpacked code and memory
    // dumps, not packed on-disk samples (see DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.nestegg."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a contiguous run of n instructions; "score"
        // is the generator's ranking of the sequence. `??` marks a wildcard
        // byte: the generator masks 4-byte operands whose disassembly is
        // left blank below, presumably absolute addresses that change
        // between builds or load bases.
        $sequence_0 = { 5b c3 6a00 ffd3 8b4f20 83c404 }
            // n = 6, score = 200
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   6a00                 | push                0
            //   ffd3                 | call                ebx
            //   8b4f20               | mov                 ecx, dword ptr [edi + 0x20]
            //   83c404               | add                 esp, 4

        $sequence_1 = { 85c0 0f844f020000 817c241088020000 732a 8b8c24d4040000 53 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   0f844f020000         | je                  0x255
            //   817c241088020000     | cmp                 dword ptr [esp + 0x10], 0x288
            //   732a                 | jae                 0x2c
            //   8b8c24d4040000       | mov                 ecx, dword ptr [esp + 0x4d4]
            //   53                   | push                ebx

        $sequence_2 = { 8b4c2418 33ff 33f6 3bc3 7c63 }
            // n = 5, score = 200
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   33ff                 | xor                 edi, edi
            //   33f6                 | xor                 esi, esi
            //   3bc3                 | cmp                 eax, ebx
            //   7c63                 | jl                  0x65

        $sequence_3 = { 85c0 7522 8bb42498050000 8d442414 6a04 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   7522                 | jne                 0x24
            //   8bb42498050000       | mov                 esi, dword ptr [esp + 0x598]
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   6a04                 | push                4

        // Byte-by-byte construction of a string on the stack (immediates
        // 0x65 'e', 0x72 'r', 0x6e 'n', 0x65 'e', 0x33 '3'); such
        // stack-strings are a common way to keep API or library names out
        // of the static string table. The full string is not recoverable
        // from this fragment alone.
        $sequence_4 = { c644242d65 c644242e72 c644242f6e c644243065 c644243233 884c2433 885c2434 }
            // n = 7, score = 200
            //   c644242d65           | mov                 byte ptr [esp + 0x2d], 0x65
            //   c644242e72           | mov                 byte ptr [esp + 0x2e], 0x72
            //   c644242f6e           | mov                 byte ptr [esp + 0x2f], 0x6e
            //   c644243065           | mov                 byte ptr [esp + 0x30], 0x65
            //   c644243233           | mov                 byte ptr [esp + 0x32], 0x33
            //   884c2433             | mov                 byte ptr [esp + 0x33], cl
            //   885c2434             | mov                 byte ptr [esp + 0x34], bl

        $sequence_5 = { 7f0a 3bcb 765d eb04 8b4c2418 2bcf 1bc6 }
            // n = 7, score = 200
            //   7f0a                 | jg                  0xc
            //   3bcb                 | cmp                 ecx, ebx
            //   765d                 | jbe                 0x5f
            //   eb04                 | jmp                 6
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   2bcf                 | sub                 ecx, edi
            //   1bc6                 | sbb                 eax, esi

        // Sequences 6, 8 and 9 contain wildcarded operands (68 ????????,
        // a3 ????????, 8b2d ????????, ff15 ????????); only the opcode
        // bytes are matched there.
        $sequence_6 = { 3bc3 740d 68???????? 50 ffd6 a3???????? 8b842498000000 }
            // n = 7, score = 200
            //   3bc3                 | cmp                 eax, ebx
            //   740d                 | je                  0xf
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   a3????????           |                     
            //   8b842498000000       | mov                 eax, dword ptr [esp + 0x98]

        $sequence_7 = { 39b01c030000 0f8509010000 897c2410 8b8024030000 8d4c2410 8b10 }
            // n = 6, score = 200
            //   39b01c030000         | cmp                 dword ptr [eax + 0x31c], esi
            //   0f8509010000         | jne                 0x10f
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   8b8024030000         | mov                 eax, dword ptr [eax + 0x324]
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_8 = { 8a8610030000 84c0 757a 55 8b2d???????? 8b8e24030000 8b11 }
            // n = 7, score = 200
            //   8a8610030000         | mov                 al, byte ptr [esi + 0x310]
            //   84c0                 | test                al, al
            //   757a                 | jne                 0x7c
            //   55                   | push                ebp
            //   8b2d????????         |                     
            //   8b8e24030000         | mov                 ecx, dword ptr [esi + 0x324]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        $sequence_9 = { 8b4c2434 8b542414 51 52 ff15???????? 8b442410 50 }
            // n = 7, score = 200
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax

    condition:
        // At least 7 of the 10 sequences must match, which tolerates some
        // code variation between samples while keeping the false-positive
        // rate of any single short sequence in check. The size bound
        // (221184 bytes = 216 KiB) restricts the rule to small images,
        // consistent with the unpacked/dumped samples it was derived from.
        7 of them and filesize < 221184
}