win.reaver

Reaver


Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique in that its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and with the same C2 infrastructure used by threat actors who primarily select targets based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

References
2019-05-14 | Cylance | Cylance Research and Intelligence Team
@online{research:20190514:reaver:1c6651d, author = {Cylance Research and Intelligence Team}, title = {{Reaver: Mapping Connections Between Disparate Chinese APT Groups}}, date = {2019-05-14}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html}, language = {English}, urldate = {2019-12-24} } Reaver: Mapping Connections Between Disparate Chinese APT Groups
Reaver Sparkle
2017-11-10 | Palo Alto Networks Unit 42 | Josh Grunzweig, Jen Miller-Osborn
@online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } New Malware with Ties to SunOrcal Discovered
Reaver SunOrcal
Yara Rules
[TLP:WHITE] win_reaver_auto (20211008 | Detects win.reaver.)
// Auto-generated code-sequence signature for the Reaver family (win.reaver).
// Each $sequence_N below is a run of x86 instruction bytes lifted from unpacked
// samples / memory dumps (see the DISCLAIMER in the rule). In the per-sequence
// comments, "n" is the number of instructions in the sequence and matches the
// disassembly lines listed beneath it; "score" is a value assigned by
// yara-signator — presumably a ranking/uniqueness weight for the sequence;
// confirm its meaning against the generator before treating it as a confidence
// indicator.
rule win_reaver_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.reaver."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver"
        malpedia_rule_date = "20211007"
        // 40 hex characters, i.e. SHA-1 length; presumably the hash of the
        // Malpedia reference sample this rule was generated from — verify on
        // the Malpedia family page before using it as an IoC.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex-string notes:
        //  - "??" is a YARA wildcard nibble. Every "ff15????????" is a 6-byte
        //    indirect call (call dword ptr [imm32]) whose 4-byte operand is
        //    masked; the disassembly column is left blank on those lines
        //    because the target cannot be recovered from the bytes alone.
        //    The masking is presumably there because the operand is an
        //    import-table address that differs between builds/relocations —
        //    TODO confirm against the generator's "callsandjumps" config.
        //  - Several sequences overlap or are sub-sequences of each other
        //    (e.g. $sequence_0 is a suffix of $sequence_7; $sequence_6 is
        //    contained in $sequence_3, $sequence_5 and $sequence_9;
        //    $sequence_2 is contained in $sequence_4), so a single code region
        //    can satisfy several of them at once — see the condition comment.
        $sequence_0 = { 740d ff15???????? 3d14050000 7504 }
            // n = 4, score = 900
            // 0x514 == 1300 decimal. NOTE(review): this equals the Win32 error
            // code ERROR_NOT_ALL_ASSIGNED, and the masked call immediately
            // before the compare is consistent with a GetLastError() check —
            // plausible but unconfirmed from these bytes alone; verify in the
            // sample before documenting it as such.
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6

        $sequence_1 = { 7453 8d45f4 50 ff7508 6a00 }
            // n = 5, score = 900
            // Argument set-up: address of a local ([ebp-0xc]), the first
            // function argument ([ebp+8]) and a literal 0 are pushed before the
            // masked call that $sequence_2/$sequence_4 continue with.
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0

        $sequence_2 = { 50 ff7508 6a00 ff15???????? 85c0 7440 }
            // n = 6, score = 900
            // Same call site as $sequence_1/$sequence_4, plus the return-value
            // check (test eax, eax / je) that follows the masked call.
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42

        $sequence_3 = { 6a00 ff15???????? 85c0 7440 8b45f4 6a00 }
            // n = 6, score = 900
            // Overlaps $sequence_2 (the "6a00 ff15 85c0 7440" tail) and
            // contains all of $sequence_6.
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        $sequence_4 = { 8d45f4 50 ff7508 6a00 ff15???????? 85c0 7440 }
            // n = 7, score = 900
            // Superset of $sequence_2 (adds the leading lea); shares the
            // "8d45f4 50 ff7508 6a00" prefix with $sequence_1.
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42

        $sequence_5 = { 85c0 7440 8b45f4 6a00 8945e8 }
            // n = 5, score = 900
            // $sequence_6 plus one store to [ebp-0x18]; itself a prefix of
            // $sequence_9.
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_6 = { 85c0 7440 8b45f4 6a00 }
            // n = 4, score = 900
            // Shortest of the overlapping group; matched wherever $sequence_3,
            // $sequence_5 or $sequence_9 match.
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        $sequence_7 = { ff15???????? 85c0 740d ff15???????? 3d14050000 7504 }
            // n = 6, score = 900
            // Superset of $sequence_0: a masked call whose result is tested,
            // then a second masked call compared against 0x514 (see the note
            // on $sequence_0).
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6

        $sequence_8 = { ff15???????? 3d14050000 7504 33c0 c9 c3 ff75fc }
            // n = 7, score = 900
            // Same 0x514 compare as $sequence_0/$sequence_7, followed by the
            // "return 0" epilogue (xor eax,eax / leave / ret) and the first
            // instruction of the next function or basic block.
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_9 = { 85c0 7440 8b45f4 6a00 8945e8 8b45f8 8945ec }
            // n = 7, score = 900
            // Longest member of the $sequence_5/$sequence_6 group: copies two
            // locals ([ebp-0xc], [ebp-8]) into [ebp-0x18] and [ebp-0x14].
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

    condition:
        // At least 7 of the 10 sequences must match. Because of the overlaps
        // listed under "strings:", roughly three distinct code regions
        // ($sequence_1/2/4, $sequence_3/5/6/9, $sequence_0/7/8) are enough to
        // reach that count, so the threshold is less independent than "7 of
        // 10" suggests — weigh matches accordingly.
        // 106496 bytes == 104 KiB. The cap is presumably derived from the size
        // of the documented sample(s); it will exclude larger, padded or
        // repacked samples, and its meaning for process-memory scans differs
        // from file scans — verify before reusing this rule in other contexts.
        7 of them and filesize < 106496
}