win.nestegg (Back to overview)

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port number and accept inbound traffic.

References
2018-10-08 | Youtube Video | Saher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01 | Youtube (FireEye Inc.) | Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08 | United States District Court (California) | Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-03 | Kaspersky Labs | Kaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_nestegg_auto {
    // Auto-generated code-fragment signature for NESTEGG (attributed above to
    // Lazarus Group). The strings are raw x86 opcode sequences taken from one
    // documented sample, so expect limited generalisation across variants.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex byte pattern of consecutive instructions;
        // "??" wildcards mask relocated call/jump targets and data references.
        // The "n" / "score" annotations are yara-signator ranking metadata
        // (fragment length and selection score), not YARA weights.
        $sequence_0 = { b949000000 33c0 8d7c2470 c744246c28010000 f3ab ff15???????? 8bb424d0040000 }
            // n = 7, score = 200
            //   b949000000           | mov                 ecx, 0x49
            //   33c0                 | xor                 eax, eax
            //   8d7c2470             | lea                 edi, [esp + 0x70]
            //   c744246c28010000     | mov                 dword ptr [esp + 0x6c], 0x128
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   ff15????????         |                     
            //   8bb424d0040000       | mov                 esi, dword ptr [esp + 0x4d0]
            // NOTE(review): zero-fills 0x49 dwords on the stack and writes 0x128 (296)
            // into the dword just below them. 0x128 matches sizeof(PROCESSENTRY32),
            // so this reads like dwSize initialisation ahead of a process-snapshot
            // walk, which would fit the process-listing capability described above.
            // The API call is wildcarded, so this is unconfirmed.

        $sequence_1 = { 52 ff5014 8b8e24030000 8b542414 52 8b01 ff5074 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   ff5014               | call                dword ptr [eax + 0x14]
            //   8b8e24030000         | mov                 ecx, dword ptr [esi + 0x324]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   52                   | push                edx
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5074               | call                dword ptr [eax + 0x74]
            // Indirect calls through a function table ([eax + 0x14], [eax + 0x74])
            // on an object held at [esi + 0x324] — vtable-style dispatch.

        $sequence_2 = { b06c b22e b164 899c24bc000000 c78718030000ffffffff 899f1c030000 c707???????? }
            // n = 7, score = 200
            //   b06c                 | mov                 al, 0x6c
            //   b22e                 | mov                 dl, 0x2e
            //   b164                 | mov                 cl, 0x64
            //   899c24bc000000       | mov                 dword ptr [esp + 0xbc], ebx
            //   c78718030000ffffffff     | mov    dword ptr [edi + 0x318], 0xffffffff
            //   899f1c030000         | mov                 dword ptr [edi + 0x31c], ebx
            //   c707????????         |                     
            // NOTE(review): loads single characters 'l' (0x6c), '.' (0x2e) and 'd' (0x64)
            // into byte registers — looks like piecemeal (register/stack) string
            // assembly, a common way to keep strings out of static string dumps.
            // The full string is not recoverable from this fragment. [edi + 0x318]
            // is set to -1 (0xffffffff), presumably an "invalid handle / not set"
            // sentinel — TODO confirm.

        $sequence_3 = { 40 89442414 8bf0 e9???????? 55 ff15???????? b940000000 }
            // n = 7, score = 200
            //   40                   | inc                 eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8bf0                 | mov                 esi, eax
            //   e9????????           |                     
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   b940000000           | mov                 ecx, 0x40

        $sequence_4 = { 53 6a08 51 6a01 8bce e8???????? 85c0 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   6a08                 | push                8
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   8bce                 | mov                 ecx, esi
            //   e8???????? |
            //   85c0                 | test                eax, eax
            // thiscall-style helper (this in ecx) with four stack arguments;
            // the return value is tested immediately afterwards.

        $sequence_5 = { 57 8d8c2430010000 50 51 56 ff15???????? 3bc7 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   8d8c2430010000       | lea                 ecx, [esp + 0x130]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   3bc7                 | cmp                 eax, edi

        $sequence_6 = { 0f8e13010000 8b542438 68f4010000 52 ff15???????? 3d02010000 }
            // n = 6, score = 200
            //   0f8e13010000         | jle                 0x119
            //   8b542438             | mov                 edx, dword ptr [esp + 0x38]
            //   68f4010000           | push                0x1f4
            //   52                   | push                edx
            //   ff15????????         |                     
            //   3d02010000           | cmp                 eax, 0x102
            // NOTE(review): pushes 0x1f4 (500) and a value from the stack, calls an
            // imported API, then compares the result with 0x102, which is the value
            // of WAIT_TIMEOUT. This resembles a WaitForSingleObject(handle, 500 ms)
            // timeout check; the call target is wildcarded, so unconfirmed.

        $sequence_7 = { ffd5 eb50 8b861c030000 85c0 7409 68b80b0000 ffd5 }
            // n = 7, score = 200
            //   ffd5                 | call                ebp
            //   eb50                 | jmp                 0x52
            //   8b861c030000         | mov                 eax, dword ptr [esi + 0x31c]
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   68b80b0000           | push                0xbb8
            //   ffd5                 | call                ebp
            // An API pointer cached in ebp is called twice; when [esi + 0x31c] is
            // non-zero the second call receives 0xbb8 (3000) as its single argument.
            // A 3000 ms delay would be a natural reading — speculative, since the
            // callee is not visible here.

        $sequence_8 = { 884c2445 c644244676 c644244761 c644244870 c644244969 c644244a33 }
            // n = 6, score = 200
            //   884c2445             | mov                 byte ptr [esp + 0x45], cl
            //   c644244676           | mov                 byte ptr [esp + 0x46], 0x76
            //   c644244761           | mov                 byte ptr [esp + 0x47], 0x61
            //   c644244870           | mov                 byte ptr [esp + 0x48], 0x70
            //   c644244969           | mov                 byte ptr [esp + 0x49], 0x69
            //   c644244a33           | mov                 byte ptr [esp + 0x4a], 0x33
            // NOTE(review): stack-string construction — the immediates 0x76 0x61
            // 0x70 0x69 0x33 spell "vapi3" in consecutive stack bytes. Presumably
            // part of "advapi32" (TODO confirm), which would fit building a DLL
            // name for dynamic API resolution; this is a useful hunting pivot
            // independent of the auto-generated sequences.

        $sequence_9 = { 8d842494000000 52 50 ff15???????? 8d8c248c000000 51 }
            // n = 6, score = 200
            //   8d842494000000       | lea                 eax, [esp + 0x94]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8c248c000000       | lea                 ecx, [esp + 0x8c]
            //   51                   | push                ecx

    condition:
        // "them" covers all ten $sequence_* strings; 7 of 10 must be present, so
        // a sample need not contain every fragment. The filesize cap bounds the
        // scan to small PE-sized inputs.
        // NOTE(review): `filesize` is only defined when the scanned object is a
        // file; in process-memory scans it is undefined and the whole condition
        // evaluates false, so this rule will not fire on live-process scanning
        // even though NESTEGG is described above as a memory-only backdoor. For
        // memory hunting, use a variant without the filesize clause (and re-test
        // its false-positive rate); for file/dump scanning the clause is fine.
        7 of them and filesize < 221184
}