win.postnaptea

PostNapTea

aka: SIGNBT

Actor(s): Lazarus Group


PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project.

In 2022-2023, it was deployed against targets such as a newspaper organization, an agriculture-related entity, and a software vendor. Initial access was usually achieved by exploiting vulnerabilities in software widely used in South Korea.

It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration.

PostNapTea uses AES for encryption and decryption of network traffic. A constant prefix, SIGNBT, occurs in its HTTP POST requests. The prefix is concatenated with 2 characters that identify the communication stage:
• LG: logging into the C&C server
• KE: acknowledging the successful login to the C&C
• FI: sending the status of a failed operation
• SR: sending the status of a successful operation
• GC: getting the next command

There are five classes that represent command groups:
• CCButton: for file manipulation and screen capturing
• CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall.
• CCComboBox: for file system management
• CCList: for process management
• CCBrush: for control of the malware itself

It stores its configuration in JSON format. It resolves the Windows APIs it requires at runtime by hash, using the Fowler–Noll–Vo (FNV) hash function rather than importing them by name.
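An added example (not code from the sample or from the cited reports) of how an analyst recovers the API names behind such hashes: both 32-bit FNV variants are implemented and a constructed candidate list is hashed into a lookup table. Which variant, bit width and name normalisation the sample actually uses is an assumption to be checked against the binary.

```python
# Added example (not PostNapTea's own code): resolving FNV API-name hashes
# back to names. Whether the sample uses FNV-1 or FNV-1a, 32- or 64-bit, and
# how it normalises names (case, ANSI/wide) are assumptions here; an analyst
# adjusts these to match the hashes actually observed in the sample.
from typing import Dict, Iterable, Optional

FNV32_OFFSET = 0x811C9DC5   # standard 32-bit FNV offset basis
FNV32_PRIME = 0x01000193    # standard 32-bit FNV prime
MASK32 = 0xFFFFFFFF


def fnv1_32(data: bytes) -> int:
    """Classic FNV-1 (multiply, then XOR), 32-bit."""
    h = FNV32_OFFSET
    for b in data:
        h = (h * FNV32_PRIME) & MASK32
        h ^= b
    return h


def fnv1a_32(data: bytes) -> int:
    """FNV-1a (XOR, then multiply), 32-bit; the variant most often seen in API hashing."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & MASK32
    return h


# Constructed list of candidate API names; in practice this is every export of
# the DLLs the sample loads (kernel32, advapi32, ws2_32, wininet, ...).
CANDIDATE_APIS = [
    "CreateFileW", "ReadFile", "WriteFile", "GetComputerNameW",
    "GetTickCount64", "GetSystemTimeAsFileTime", "InternetOpenW",
    "HttpSendRequestW", "CreateProcessW", "OpenSCManagerW",
]


def build_hash_table(names: Iterable[str], hash_fn=fnv1a_32) -> Dict[int, str]:
    """Map hash -> API name so a hash lifted from the binary can be resolved."""
    return {hash_fn(n.encode("ascii")): n for n in names}


def resolve_api_hash(value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the API name for a hash pulled from the sample, or None if unknown."""
    return table.get(value & MASK32)


if __name__ == "__main__":
    for h, name in sorted(build_hash_table(CANDIDATE_APIS).items()):
        print(f"{h:08x}  {name}")
```

If none of the hashes in the binary resolve, try the other variant (or a 64-bit width) before assuming a custom hash; the two functions differ only in the order of XOR and multiply.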

Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name.

Yara Rules
[TLP:WHITE] win_postnaptea_auto (20230808 | Detects win.postnaptea.)
rule win_postnaptea_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.postnaptea."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c744247418f561f5 c744247867f50000 4863c2 488d4c2450 488d0c41 0fb7c2 662bc3 }
            // n = 7, score = 100
            //   c744247418f561f5     | dec                 eax
            //   c744247867f50000     | mov                 edx, dword ptr [ecx + eax*8]
            //   4863c2               | dec                 ecx
            //   488d4c2450           | mov                 ecx, esi
            //   488d0c41             | dec                 eax
            //   0fb7c2               | test                eax, eax
            //   662bc3               | jne                 0x1440

        $sequence_1 = { ffc2 83fa1a 72e3 6644896c2474 488d442440 488bd3 0f1f440000 }
            // n = 7, score = 100
            //   ffc2                 | dec                 eax
            //   83fa1a               | mov                 ecx, esi
            //   72e3                 | nop                 
            //   6644896c2474         | dec                 eax
            //   488d442440           | lea                 edx, [ebp + 0xf38]
            //   488bd3               | dec                 eax
            //   0f1f440000           | lea                 ecx, [ebp + 0xa70]

        $sequence_2 = { ffd7 85c0 0f842c010000 4c8d052d4b0600 ba04010000 498bce e8???????? }
            // n = 7, score = 100
            //   ffd7                 | dec                 eax
            //   85c0                 | inc                 ebx
            //   0f842c010000         | cmp                 word ptr [eax + ebx*2], 0
            //   4c8d052d4b0600       | jne                 0x27a
            //   ba04010000           | dec                 eax
            //   498bce               | mov                 dword ptr [esp + 0x60], 7
            //   e8????????           |                     

        $sequence_3 = { e9???????? 418b8520280000 4d8bce 48634c2440 4c8bc6 2bc1 48034c2460 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   418b8520280000       | dec                 ecx
            //   4d8bce               | lea                 ecx, [ebp + 0x2c18]
            //   48634c2440           | dec                 eax
            //   4c8bc6               | lea                 edx, [esp + 0x40]
            //   2bc1                 | dec                 eax
            //   48034c2460           | lea                 ecx, [esp + 0x78]

        $sequence_4 = { c745c000f50cf5 c745c407f528f5 c745c80cf508f5 c745cc02f53cf5 c745d006f50bf5 c745d419f50bf5 c745d81bf54ef5 }
            // n = 7, score = 100
            //   c745c000f50cf5       | jne                 0xd95
            //   c745c407f528f5       | cmp                 byte ptr [ebx + 8], 0
            //   c745c80cf508f5       | dec                 eax
            //   c745cc02f53cf5       | mov                 ecx, eax
            //   c745d006f50bf5       | cmp                 byte ptr [eax + 0x19], 0
            //   c745d419f50bf5       | je                  0xe43
            //   c745d81bf54ef5       | dec                 eax

        $sequence_5 = { ff15???????? 4533e4 4d85f6 0f8418100000 498bce e9???????? 448b85b0000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   4533e4               | cmp                 dword ptr [eax], ebp
            //   4d85f6               | jne                 0x1135
            //   0f8418100000         | mov                 dword ptr [ebp + 0x20], 0xf529f50e
            //   498bce               | mov                 dword ptr [ebp + 0x24], 0xf503f569
            //   e9????????           |                     
            //   448b85b0000000       | dec                 eax

        $sequence_6 = { c7851001000031f56df5 c785140100006df54ef5 c7851801000005f50ef5 c7851c0100000ff50000 418bd4 0f1f440000 4863c2 }
            // n = 7, score = 100
            //   c7851001000031f56df5     | test    eax, eax
            //   c785140100006df54ef5     | jne    0xa35
            //   c7851801000005f50ef5     | mov    dword ptr [ebp + 0x310], 0xf51ef502
            //   c7851c0100000ff50000     | mov    dword ptr [ebp + 0x314], 0xf52cf53e
            //   418bd4               | dec                 eax
            //   0f1f440000           | mov                 edx, edi
            //   4863c2               | dec                 eax

        $sequence_7 = { c78520020000a081b081 c78524020000a281ba81 c78528020000fa81b181 c7852c020000ba81bb81 33c0 66898530020000 418bd5 }
            // n = 7, score = 100
            //   c78520020000a081b081     | mov    dword ptr [esp + 0x68], eax
            //   c78524020000a281ba81     | dec    eax
            //   c78528020000fa81b181     | mov    edx, eax
            //   c7852c020000ba81bb81     | dec    eax
            //   33c0                 | lea                 ecx, [ebp - 0x58]
            //   66898530020000       | dec                 eax
            //   418bd5               | cmp                 dword ptr [ebp - 0x48], 0

        $sequence_8 = { 488b05???????? 4885c0 7515 488d55b0 b9bd59e821 e8???????? 488905???????? }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4885c0               | mov                 word ptr [ebp + 0x18], ax
            //   7515                 | inc                 ecx
            //   488d55b0             | mov                 edx, ebp
            //   b9bd59e821           | nop                 word ptr [eax + eax]
            //   e8????????           |                     
            //   488905????????       |                     

        $sequence_9 = { ffd7 c7856007000079f57af5 c785640700007bf515f5 c785680700000df528f5 c7856c0700006bf540f5 c7857007000020f506f5 c7857407000007f516f5 }
            // n = 7, score = 100
            //   ffd7                 | inc                 dx
            //   c7856007000079f57af5     | cmp    dword ptr [eax + eax*2], 0
            //   c785640700007bf515f5     | dec    eax
            //   c785680700000df528f5     | mov    dword ptr [ebp - 0x18], 7
            //   c7856c0700006bf540f5     | inc    sp
            //   c7857007000020f506f5     | mov    dword ptr [ebp - 0x30], esi
            //   c7857407000007f516f5     | inc    ecx

    condition:
        7 of them and filesize < 2457600
}