win.nestegg (Back to overview)

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port number and accept inbound traffic.

References
2018-10-08 | Youtube Video | Saher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01 | Youtube (FireEye Inc.) | Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08 | United States District Court (California) | Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-03 | Kaspersky Labs | Kaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-04-03 | Kaspersky Labs | GReAT
@online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2023-08-14} } Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20230715 | Detects win.nestegg.)
rule win_nestegg_auto {

    // Auto-generated YARA-Signator rule for the NESTEGG backdoor (Malpedia family
    // win.nestegg). It matches on ten short 32-bit x86 instruction byte sequences
    // selected from disassembly; the DISCLAIMER below explains how they were
    // derived and why they may generalize poorly beyond the samples Malpedia holds.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nestegg."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: which operand classes were abstracted away during
        // sequence selection (presumably call/jump targets and data references
        // become the `??` wildcards seen in the strings below — confirm against the
        // yara-signator documentation).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a contiguous run of instruction bytes. `??` wildcards
        // mask operand bytes that are not fixed (they sit where the disassembly
        // column is blank: e8/ff15 call targets, e9 jump targets, a1/8b0d absolute
        // data loads), so the same code matches regardless of where it was linked.
        // The "n" in each comment is the instruction count, "score" the generator's
        // ranking of the sequence.
        $sequence_0 = { 51 52 895c2428 895c2424 aa ff15???????? b909000000 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   895c2428             | mov                 dword ptr [esp + 0x28], ebx
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   aa                   | stosb               byte ptr es:[edi], al
            //   ff15????????         |                     
            //   b909000000           | mov                 ecx, 9

        $sequence_1 = { e8???????? 6840040000 c68424c000000003 e8???????? 83c404 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   6840040000           | push                0x440
            //   c68424c000000003     | mov                 byte ptr [esp + 0xc0], 3
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_2 = { 8d942498010000 52 ff15???????? 83c40c 8d442438 8d4c2448 }
            // n = 6, score = 200
            //   8d942498010000       | lea                 edx, [esp + 0x198]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   8d442438             | lea                 eax, [esp + 0x38]
            //   8d4c2448             | lea                 ecx, [esp + 0x48]

        $sequence_3 = { ff15???????? 83c410 8d442430 8d8c247c010000 53 50 51 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   8d442430             | lea                 eax, [esp + 0x30]
            //   8d8c247c010000       | lea                 ecx, [esp + 0x17c]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_4 = { 66894104 a1???????? 85c0 7464 8d542408 8d4c240c }
            // n = 6, score = 200
            //   66894104             | mov                 word ptr [ecx + 4], ax
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7464                 | je                  0x66
            //   8d542408             | lea                 edx, [esp + 8]
            //   8d4c240c             | lea                 ecx, [esp + 0xc]

        $sequence_5 = { 8d442410 8d4c2428 50 57 57 51 53 }
            // n = 7, score = 200
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   8d4c2428             | lea                 ecx, [esp + 0x28]
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_6 = { 50 e8???????? 83c40c 8bd8 8b442410 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bd8                 | mov                 ebx, eax
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_7 = { 896c2434 ffd0 85c0 747e 8b442414 33ff 3bc5 }
            // n = 7, score = 200
            //   896c2434             | mov                 dword ptr [esp + 0x34], ebp
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   747e                 | je                  0x80
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   33ff                 | xor                 edi, edi
            //   3bc5                 | cmp                 eax, ebp

        // Four arguments (2, a stack-buffer pointer in eax, 1, -1) are pushed before an
        // indirect call; the callee address is masked, so which API is invoked is not
        // recoverable from the rule itself.
        $sequence_8 = { 8d442410 6aff 6a01 50 6a02 ff15???????? }
            // n = 6, score = 200
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   50                   | push                eax
            //   6a02                 | push                2
            //   ff15????????         |                     

        $sequence_9 = { 8d4c2444 50 51 8b0d???????? e8???????? e9???????? 83f80d }
            // n = 7, score = 200
            //   8d4c2444             | lea                 ecx, [esp + 0x44]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8b0d????????         |                     
            //   e8????????           |                     
            //   e9????????           |                     
            //   83f80d               | cmp                 eax, 0xd

    condition:
        // Any 7 of the 10 sequences must be present, so a few fragments may be
        // missing (e.g. recompiled or partially overwritten) without losing the
        // match. The size cap is 221184 bytes (216 KiB).
        // NOTE(review): the sequences were taken from memory dumps and unpacked
        // files (see DISCLAIMER), so a packed on-disk sample may not match; and
        // when scanning a live process YARA documents `filesize` as undefined —
        // confirm how your scanner evaluates this condition in that mode.
        7 of them and filesize < 221184
}