win.nestegg

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port number and accept inbound traffic.

References
2018-10-08Youtube VideoSaher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01Youtube (FireEye Inc.)Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08United States District Court (California)Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-03Kaspersky LabsKaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20211008 | Detects win.nestegg.)
rule win_nestegg_auto {
    // Autogenerated opcode-sequence signature for the NESTEGG backdoor (see the
    // malpedia_reference below). Each $sequence_N is a short run of x86 machine-code
    // bytes taken from a disassembled sample; the `??` wildcards match any byte and
    // cover the operands that the disassembly listings leave blank (absolute
    // addresses, call targets and data references, per signator_config).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.nestegg."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence comments: n = number of instructions, score = signator weight.
        $sequence_0 = { 85c0 7411 68???????? 50 ff15???????? a3???????? 8b4c2448 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   8b4c2448             | mov                 ecx, dword ptr [esp + 0x48]

        $sequence_1 = { 8d54240c 52 8b01 ff5014 a1???????? 0520030000 50 }
            // n = 7, score = 200
            //   8d54240c             | lea                 edx, dword ptr [esp + 0xc]
            //   52                   | push                edx
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5014               | call                dword ptr [eax + 0x14]
            //   a1????????           |                     
            //   0520030000           | add                 eax, 0x320
            //   50                   | push                eax

        $sequence_2 = { 8d44240c 50 687f660440 56 }
            // n = 4, score = 200
            //   8d44240c             | lea                 eax, dword ptr [esp + 0xc]
            //   50                   | push                eax
            //   687f660440           | push                0x4004667f
            //   56                   | push                esi

        $sequence_3 = { 8d842488000000 50 ffd6 8d4c2434 }
            // n = 4, score = 200
            //   8d842488000000       | lea                 eax, dword ptr [esp + 0x88]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d4c2434             | lea                 ecx, dword ptr [esp + 0x34]

        $sequence_4 = { 7405 be20040000 8b0d???????? 897c246c }
            // n = 4, score = 200
            //   7405                 | je                  7
            //   be20040000           | mov                 esi, 0x420
            //   8b0d????????         |                     
            //   897c246c             | mov                 dword ptr [esp + 0x6c], edi

        $sequence_5 = { 8d4c2438 e8???????? 8b0d???????? 50 55 e8???????? }
            // n = 6, score = 200
            //   8d4c2438             | lea                 ecx, dword ptr [esp + 0x38]
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   50                   | push                eax
            //   55                   | push                ebp
            //   e8????????           |                     

        $sequence_6 = { 33c0 5e 83c414 c3 33c9 50 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   50                   | push                eax

        $sequence_7 = { 8b842424020000 56 6a06 6a01 }
            // n = 4, score = 200
            //   8b842424020000       | mov                 eax, dword ptr [esp + 0x224]
            //   56                   | push                esi
            //   6a06                 | push                6
            //   6a01                 | push                1

        $sequence_8 = { 85c0 741e 8b442420 3bc3 7416 03f8 8b44241c }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   741e                 | je                  0x20
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   3bc3                 | cmp                 eax, ebx
            //   7416                 | je                  0x18
            //   03f8                 | add                 edi, eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]

        $sequence_9 = { 88442418 88442419 88442425 88442426 8d442428 }
            // n = 5, score = 200
            //   88442418             | mov                 byte ptr [esp + 0x18], al
            //   88442419             | mov                 byte ptr [esp + 0x19], al
            //   88442425             | mov                 byte ptr [esp + 0x25], al
            //   88442426             | mov                 byte ptr [esp + 0x26], al
            //   8d442428             | lea                 eax, dword ptr [esp + 0x28]

    condition:
        // Matches when at least 7 of the 10 sequences above are present and the
        // scanned object is smaller than 221184 bytes (216 KiB).
        // NOTE(review): YARA leaves `filesize` undefined when scanning a running
        // process, so this condition cannot fire on live process memory even though
        // NESTEGG is described as memory-only. For process scans, evaluate the
        // sequence clause on its own (or scan the dumped image as a file instead).
        7 of them and filesize < 221184
}