
Reaver


Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique in that its final payload masquerades as a Control Panel (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and shared C2 infrastructure with threat actors who primarily select targets based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

References
2019-05-14 | Cylance | Cylance Research and Intelligence Team
@online{research:20190514:reaver:1c6651d, author = {Cylance Research and Intelligence Team}, title = {{Reaver: Mapping Connections Between Disparate Chinese APT Groups}}, date = {2019-05-14}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html}, language = {English}, urldate = {2019-12-24} } Reaver: Mapping Connections Between Disparate Chinese APT Groups
Reaver Sparkle
2017-11-10 | Palo Alto Networks Unit 42 | Josh Grunzweig, Jen Miller-Osborn
@online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } New Malware with Ties to SunOrcal Discovered
Reaver SunOrcal
Yara Rules
[TLP:WHITE] win_reaver_auto (20220808 | Detects win.reaver.)
// Autogenerated YARA-Signator rule for win.reaver. The byte sequences below were
// selected statistically from disassembly of unpacked samples (see the DISCLAIMER
// in the rule body), not chosen by an analyst, so their meaning is inferred here
// from the opcode comments only and should be confirmed against a sample.
rule win_reaver_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.reaver."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): several of the ten strings are overlapping windows on the
        // same code: $sequence_1, $sequence_3, $sequence_4, $sequence_5 and
        // $sequence_9 all contain the "3d14050000 7504" (cmp eax, 0x514; jne)
        // fragment, $sequence_0 overlaps the tail of $sequence_3, and $sequence_2
        // is a suffix of $sequence_7. A single matching code region can therefore
        // satisfy several strings at once, so the "7 of them" threshold in the
        // condition represents fewer independent pieces of evidence than the
        // count suggests. "ff15????????" is an indirect call (call dword ptr
        // [imm32], e.g. through an import thunk) with the pointer wildcarded.
        //
        // 0x514 is 1300 decimal, the value of the Win32 error code
        // ERROR_NOT_ALL_ASSIGNED; the "call; cmp eax, 0x514; jne; xor eax, eax;
        // leave; ret" shape is consistent with a GetLastError() check after
        // adjusting token privileges -- presumably; confirm against the sample.
        // Such privilege-handling boilerplate also appears in benign software,
        // which is worth keeping in mind when triaging hits on these strings.
        $sequence_0 = { 7504 33c0 c9 c3 ff75fc ff15???????? 6a01 }
            // n = 7, score = 900
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6a01                 | push                1

        $sequence_1 = { 3d14050000 7504 33c0 c9 c3 }
            // n = 5, score = 900
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_2 = { 85c0 7440 8b45f4 6a00 }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        $sequence_3 = { ff15???????? 3d14050000 7504 33c0 c9 c3 ff75fc }
            // n = 7, score = 900
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_4 = { 740d ff15???????? 3d14050000 7504 33c0 c9 }
            // n = 6, score = 900
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               

        $sequence_5 = { 740d ff15???????? 3d14050000 7504 }
            // n = 4, score = 900
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6

        // Function prologue (mov ebp, esp; sub esp, 0x1c) followed by pushing the
        // address of a local ([ebp - 4]) and the constant 0xf01ff. 0xf01ff equals
        // TOKEN_ALL_ACCESS (and also SERVICE_ALL_ACCESS), so this looks like the
        // argument setup for a handle-opening API with an out-parameter --
        // NOTE(review): inferred from the operands only, not verified.
        $sequence_6 = { 8bec 83ec1c 8d45fc 50 68ff010f00 }
            // n = 5, score = 900
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   68ff010f00           | push                0xf01ff

        $sequence_7 = { ff15???????? 85c0 7440 8b45f4 6a00 }
            // n = 5, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        $sequence_8 = { ff15???????? 50 ff15???????? 85c0 7453 8d45f4 }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_9 = { 85c0 740d ff15???????? 3d14050000 }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514

    // 106496 bytes is exactly 104 KiB. Because the size check is ANDed with the
    // string count, an object larger than that (a memory dump, a repacked or
    // padded binary) never matches no matter how many sequences it contains;
    // scan unpacked files or apply the strings separately for such cases.
    condition:
        7 of them and filesize < 106496
}