win.reaver

Reaver


Reaver is a malware family discovered by researchers at Palo Alto Networks in November 2017, although its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, referred to as versions 1, 2, and 3. The malware is unusual in that its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and shared C2 infrastructure with threat actors who primarily select targets based on the "Five Poisons" — five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

References
2019-05-14 · Cylance · Cylance Research and Intelligence Team
@online{research:20190514:reaver:1c6651d, author = {Cylance Research and Intelligence Team}, title = {{Reaver: Mapping Connections Between Disparate Chinese APT Groups}}, date = {2019-05-14}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html}, language = {English}, urldate = {2019-12-24} } Reaver: Mapping Connections Between Disparate Chinese APT Groups
Reaver Sparkle
2017-11-10 · Palo Alto Networks Unit 42 · Josh Grunzweig, Jen Miller-Osborn
@online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } New Malware with Ties to SunOrcal Discovered
Reaver SunOrcal
Yara Rules
[TLP:WHITE] win_reaver_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Code-pattern rule for the Reaver family (win.reaver), generated by
// yara-signator from x86 opcode sequences. The DISCLAIMER block below
// explains how the sequences were chosen and why their generalization
// across samples is limited; read it before assigning a confidence level.
rule win_reaver_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the sequences come from memory dumps and unpacked files (see
    // DISCLAIMER), a packed or otherwise encrypted on-disk sample will
    // generally not match; scan unpacked payloads or process memory.

    strings:
        // Each $sequence_N is a run of raw x86 instruction bytes; `??` is a
        // wildcard byte that varies between builds. `ff15????????` encodes
        // `call dword ptr [imm32]` (in 32-bit PE code typically a call through
        // the import table): the 4-byte absolute address is build-specific,
        // so it is wildcarded and the disassembly column is left blank below.
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's ranking of the sequence (presumably its selectivity
        // against the rest of the Malpedia corpus — see yara-signator for
        // the exact definition).
        //
        // Note that several sequences overlap or contain one another:
        // $sequence_2 is a sub-run of $sequence_1, $sequence_4 ends with the
        // bytes $sequence_0 starts with, $sequence_3/$sequence_8 and
        // $sequence_6/$sequence_9 share their `740d ...`/`6a00 8d45e4` runs,
        // and $sequence_5 continues $sequence_1. A single matching code
        // region can therefore satisfy several of them at once, so the
        // "7 of them" threshold is less demanding than the count suggests.

        $sequence_0 = { 50 68ff010f00 ff15???????? 50 ff15???????? 85c0 7453 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   68ff010f00           | push                0xf01ff
            // NOTE(review): 0xf01ff equals the Win32 SERVICE_ALL_ACCESS mask,
            // so this looks like a service-control-manager API call — confirm
            // against the referenced analyses.
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55

        $sequence_1 = { ff7508 6a00 ff15???????? 85c0 7440 8b45f4 6a00 }
            // n = 7, score = 800
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        $sequence_2 = { ff15???????? 85c0 7440 8b45f4 }
            // n = 4, score = 800
            // Contained in $sequence_1; matches whenever $sequence_1 does.
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_3 = { ff15???????? 85c0 740d ff15???????? 3d14050000 }
            // n = 5, score = 800
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            // NOTE(review): 0x514 is decimal 1300 (ERROR_NOT_ALL_ASSIGNED),
            // the usual GetLastError() check after a privilege-adjustment
            // call — presumably that is what this compares; confirm.

        $sequence_4 = { 83ec1c 8d45fc 50 68ff010f00 ff15???????? 50 ff15???????? }
            // n = 7, score = 800
            // Overlaps $sequence_0 from the `push eax` onward.
            //   83ec1c               | sub                 esp, 0x1c
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   68ff010f00           | push                0xf01ff
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_5 = { 7440 8b45f4 6a00 8945e8 8b45f8 }
            // n = 5, score = 800
            // Continues the tail of $sequence_1 (`7440 8b45f4 6a00`).
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_6 = { 6a00 8d45e4 6a10 50 6a00 ff75fc }
            // n = 6, score = 800
            // Begins with the bytes $sequence_9 ends with.
            //   6a00                 | push                0
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_7 = { 33c0 c9 c3 ff75fc ff15???????? 6a01 58 }
            // n = 7, score = 800
            // Spans a function epilogue (`xor eax,eax; leave; ret`) and the
            // start of the next function, so it depends on function layout.
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6a01                 | push                1
            //   58                   | pop                 eax

        $sequence_8 = { 740d ff15???????? 3d14050000 7504 33c0 }
            // n = 5, score = 800
            // Overlaps $sequence_3 from the `je 0xf` onward.
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 8b45f8 8945ec 6a00 8d45e4 }
            // n = 4, score = 800
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   6a00                 | push                0
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

    condition:
        // 7 of the 10 sequences must be present, tolerating some per-sample
        // divergence (but see the overlap note above). The size cap of
        // 106496 bytes (104 KiB) is presumably derived from the reference
        // samples; a larger memory dump or unpacked image containing the
        // same code will NOT match, so drop or raise the cap when scanning
        // such inputs and accept the extra false-positive risk.
        7 of them and filesize < 106496
}