win.nestegg (Back to overview)

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port number and receive inbound traffic.

References
2018-10-08Youtube VideoSaher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01Youtube (FireEye Inc.)Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08United States District Court (California)Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-03Kaspersky LabsKaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_nestegg_auto {

    /* Detects NESTEGG (attributed to Lazarus Group on Malpedia) by matching
     * ten short x86 opcode sequences ($sequence_0 .. $sequence_9) that
     * yara-signator extracted from the family's disassembly.  A scanned file
     * matches when at least 7 of the 10 sequences are present and the file is
     * smaller than 221184 bytes (216 KiB); see the condition at the bottom.
     * In each sequence's annotation, "n" is the number of instructions in the
     * sequence and "score" is a yara-signator ranking whose scale is not
     * documented here.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The "??" wildcard bytes mask the 4-byte operands of the instructions
        // whose disassembly is left blank below.  Judging by the opcodes
        // (e8 = call rel32, e9 = jmp rel32, ff15 / 391d / 8b0d = memory operands)
        // and the tool_config "callsandjumps;datarefs", these are presumably the
        // call/jump targets and data-reference addresses that change between
        // builds and load addresses, so the surrounding bytes match regardless
        // of where they point.

        $sequence_0 = { 0f8410020000 391d???????? 0f8404020000 391d???????? 0f84f8010000 391d???????? }
            // n = 6, score = 200
            //   0f8410020000         | je                  0x216
            //   391d????????         |                     
            //   0f8404020000         | je                  0x20a
            //   391d????????         |                     
            //   0f84f8010000         | je                  0x1fe
            //   391d????????         |                     

        $sequence_1 = { 83c41c c3 8b7c2434 33c0 8a460c 33c9 8a4e03 }
            // n = 7, score = 200
            //   83c41c               | add                 esp, 0x1c
            //   c3                   | ret                 
            //   8b7c2434             | mov                 edi, dword ptr [esp + 0x34]
            //   33c0                 | xor                 eax, eax
            //   8a460c               | mov                 al, byte ptr [esi + 0xc]
            //   33c9                 | xor                 ecx, ecx
            //   8a4e03               | mov                 cl, byte ptr [esi + 3]

        $sequence_2 = { e8???????? e9???????? 83f809 751b 8b0d???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   e9????????           |                     
            //   83f809               | cmp                 eax, 9
            //   751b                 | jne                 0x1d
            //   8b0d????????         |                     

        $sequence_3 = { 0f8482000000 3bc7 7471 8d542428 52 56 ff15???????? }
            // n = 7, score = 200
            //   0f8482000000         | je                  0x88
            //   3bc7                 | cmp                 eax, edi
            //   7471                 | je                  0x73
            //   8d542428             | lea                 edx, [esp + 0x28]
            //   52                   | push                edx
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_4 = { 5d 5b 81c4b8040000 c20c00 81ec20020000 55 }
            // n = 6, score = 200
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   81c4b8040000         | add                 esp, 0x4b8
            //   c20c00               | ret                 0xc
            //   81ec20020000         | sub                 esp, 0x220
            //   55                   | push                ebp

        $sequence_5 = { 8b742430 33d2 890e 8b07 85c0 7e27 53 }
            // n = 7, score = 200
            //   8b742430             | mov                 esi, dword ptr [esp + 0x30]
            //   33d2                 | xor                 edx, edx
            //   890e                 | mov                 dword ptr [esi], ecx
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   85c0                 | test                eax, eax
            //   7e27                 | jle                 0x29
            //   53                   | push                ebx

        // NOTE(review): unlike the other sequences, the two table lookups below
        // carry unmasked absolute addresses (0x411e24, 0x412a24), so this
        // sequence is tied to the image base of the analysed sample and may not
        // match a build that is relocated or rebased elsewhere.  The remaining
        // nine sequences are still enough to reach the 7-of-10 threshold.
        $sequence_6 = { 8b1c95241e4100 33c3 8b1c8d242a4100 33c3 4d }
            // n = 5, score = 200
            //   8b1c95241e4100       | mov                 ebx, dword ptr [edx*4 + 0x411e24]
            //   33c3                 | xor                 eax, ebx
            //   8b1c8d242a4100       | mov                 ebx, dword ptr [ecx*4 + 0x412a24]
            //   33c3                 | xor                 eax, ebx
            //   4d                   | dec                 ebp

        $sequence_7 = { 8b8818030000 83f9ff 740c 51 ff15???????? }
            // n = 5, score = 200
            //   8b8818030000         | mov                 ecx, dword ptr [eax + 0x318]
            //   83f9ff               | cmp                 ecx, -1
            //   740c                 | je                  0xe
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_8 = { 8b7c2420 33ed 33db 83ffff 744a 8d442420 }
            // n = 6, score = 200
            //   8b7c2420             | mov                 edi, dword ptr [esp + 0x20]
            //   33ed                 | xor                 ebp, ebp
            //   33db                 | xor                 ebx, ebx
            //   83ffff               | cmp                 edi, -1
            //   744a                 | je                  0x4c
            //   8d442420             | lea                 eax, [esp + 0x20]

        $sequence_9 = { 8d8c2490000000 899f20030000 c68424bc00000002 e8???????? 8d8c2488000000 c68424bc00000001 e8???????? }
            // n = 7, score = 200
            //   8d8c2490000000       | lea                 ecx, [esp + 0x90]
            //   899f20030000         | mov                 dword ptr [edi + 0x320], ebx
            //   c68424bc00000002     | mov                 byte ptr [esp + 0xbc], 2
            //   e8????????           |                     
            //   8d8c2488000000       | lea                 ecx, [esp + 0x88]
            //   c68424bc00000001     | mov                 byte ptr [esp + 0xbc], 1
            //   e8????????           |                     

    condition:
        // "them" covers every $sequence_* string declared above (10 in total),
        // so at least 7 distinct sequences must be found in the scanned data.
        // NOTE(review): YARA's filesize is only defined when the scanned object
        // is a file; on a process-memory scan the comparison is undefined and
        // the condition does not hold, which matters for a family described as
        // memory-only -- confirm the intended scan target (file vs. memory
        // dump vs. live process) before relying on this rule.
        7 of them and filesize < 221184
}