win.nestegg

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port and accept inbound connections.

References
2018-10-08 | YouTube video | Saher Naumaan
BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01 | YouTube (FireEye Inc.) | Christopher DiGiamo, Jacqueline O’Leary, Nalani Fraser
CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08 | United States District Court (California) | Nathan P. Shields, Rozella A. Oliver
Complaint against Jin Hyok Park
NESTEGG
2018-03-01 | Kaspersky Labs | Analysis Team, Kaspersky Lab Global Research
Lazarus under the Hood
NESTEGG
2018-01-01 | FireEye | FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-04-03 | Kaspersky Labs | GReAT
Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20230808 | Detects win.nestegg.)
/*
 * Auto-generated code-fragment signature for the NESTEGG backdoor (Lazarus Group).
 * Each $sequence_N below is a short run of x86 instruction bytes lifted from the
 * disassembly of an unpacked / memory-dumped sample; operands that vary between
 * builds or load addresses (rel32 call targets, absolute data references,
 * imported-function pointers) are wildcarded with "??".
 *
 * Deployment notes (review):
 *  - The rule was derived from dumped or unpacked code, so it is intended for
 *    unpacked PE images and memory dumps, not packed droppers on disk.
 *  - The condition depends on `filesize`, which YARA only defines when scanning a
 *    file. NESTEGG is described as memory-only; when sweeping live process memory
 *    the `filesize` clause is not satisfied, so dump the image to a file first or
 *    run a variant of this rule without the `filesize` term.
 *  - Generated from a single documented sample (see DISCLAIMER below); treat a
 *    match as a strong lead for further triage rather than a variant-complete
 *    detection, and assign confidence accordingly.
 */
rule win_nestegg_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.nestegg."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Two wildcarded rel32 calls around a thiscall-style setup (ecx = this),
        // pushing 2 and a pointer into the object at [edi+0x10].
        $sequence_0 = { e8???????? 8d5710 6a02 52 8bce e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8d5710               | lea                 edx, [edi + 0x10]
            //   6a02                 | push                2
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        // Stack clean-up after a 3-argument cdecl call, then a -1 check on esi
        // before an indirect call through edi. Short and generic; it is the
        // weakest of the ten fragments on its own.
        $sequence_1 = { 83c40c 83feff 7417 ffd7 }
            // n = 4, score = 200
            //   83c40c               | add                 esp, 0xc
            //   83feff               | cmp                 esi, -1
            //   7417                 | je                  0x19
            //   ffd7                 | call                edi

        // Global object accessed through wildcarded absolute addresses; the
        // offsets 0x320 / 0x31c into it are the stable part of the pattern.
        $sequence_2 = { 8b0d???????? 81c120030000 51 ff15???????? 8b0d???????? 39991c030000 }
            // n = 6, score = 200
            //   8b0d????????         |                     
            //   81c120030000         | add                 ecx, 0x320
            //   51                   | push                ecx
            //   8b0d????????         |                     
            //   39991c030000         | cmp                 dword ptr [ecx + 0x31c], ebx

        // eax compared against 0xe then 0xf with separate branch targets.
        // NOTE(review): looks like a command-id dispatch chain, which would fit
        // the documented command set, but this is not confirmed from the bytes.
        $sequence_3 = { 83f80e 0f84d8000000 83f80f 7520 8d4c2430 56 }
            // n = 6, score = 200
            //   83f80e               | cmp                 eax, 0xe
            //   0f84d8000000         | je                  0xde
            //   83f80f               | cmp                 eax, 0xf
            //   7520                 | jne                 0x22
            //   8d4c2430             | lea                 ecx, [esp + 0x30]
            //   56                   | push                esi

        // Method prologue: this pointer saved, a wildcarded imm32 (likely a
        // vtable or constant) stored at [esi], then a read at [esi+0x324],
        // consistent with the ~0x320-sized object seen in $sequence_2.
        $sequence_4 = { 56 8bf1 89742404 c706???????? 8b8e24030000 c744241000000000 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   c706????????         |                     
            //   8b8e24030000         | mov                 ecx, dword ptr [esi + 0x324]
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0

        // Null-checked byte load, masked to 3 bits, scaled by 8 into an index.
        $sequence_5 = { 85c9 740c 8a09 83e107 8d14c1 89542410 }
            // n = 6, score = 200
            //   85c9                 | test                ecx, ecx
            //   740c                 | je                  0xe
            //   8a09                 | mov                 cl, byte ptr [ecx]
            //   83e107               | and                 ecx, 7
            //   8d14c1               | lea                 edx, [ecx + eax*8]
            //   89542410             | mov                 dword ptr [esp + 0x10], edx

        // Virtual call via vtable slot [edx+0x14] with a 0x10 immediate argument.
        $sequence_6 = { 8b10 6a10 51 8bc8 885c2458 ff5214 }
            // n = 6, score = 200
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   6a10                 | push                0x10
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax
            //   885c2458             | mov                 byte ptr [esp + 0x58], bl
            //   ff5214               | call                dword ptr [edx + 0x14]

        // Stack-string construction: the immediates 0x6e 0x65 0x33 are the ASCII
        // bytes 'n' 'e' '3' written to consecutive stack slots, interleaved with
        // register-held bytes. The full string is not recoverable from this
        // fragment alone.
        $sequence_7 = { c644242f6e c644243065 c644243233 884c2433 885c2434 88542435 }
            // n = 6, score = 200
            //   c644242f6e           | mov                 byte ptr [esp + 0x2f], 0x6e
            //   c644243065           | mov                 byte ptr [esp + 0x30], 0x65
            //   c644243233           | mov                 byte ptr [esp + 0x32], 0x33
            //   884c2433             | mov                 byte ptr [esp + 0x33], cl
            //   885c2434             | mov                 byte ptr [esp + 0x34], bl
            //   88542435             | mov                 byte ptr [esp + 0x35], dl

        // Second stack-string fragment: immediates 0x73 0x5f 0x33 = 's' '_' '3'.
        $sequence_8 = { c644240d73 884c240e c644240f5f c644241033 }
            // n = 4, score = 200
            //   c644240d73           | mov                 byte ptr [esp + 0xd], 0x73
            //   884c240e             | mov                 byte ptr [esp + 0xe], cl
            //   c644240f5f           | mov                 byte ptr [esp + 0xf], 0x5f
            //   c644241033           | mov                 byte ptr [esp + 0x10], 0x33

        // Thiscall pair around a 4-byte stack buffer; the fixed constant
        // 0x010002ff stored at [esp+0x18] is the distinctive part.
        $sequence_9 = { e8???????? 8d4c2410 6a04 51 8bce c7442418ff020001 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   6a04                 | push                4
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   c7442418ff020001     | mov                 dword ptr [esp + 0x18], 0x10002ff
            //   e8????????           |                     

    condition:
        // Require 7 of the 10 fragments so a single recompiled or patched
        // function does not defeat the rule, and cap the size at 221184 bytes
        // (216 KiB) to suppress hits in large files. As noted above, `filesize`
        // is undefined for process-memory scans, so this clause is the first
        // thing to relax when hunting for the implant in memory.
        7 of them and filesize < 221184
}