SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rifdoor (Back to overview)

Rifdoor

Actor(s): Lazarus Group, Silent Chollima

There is no description at this point.

References
2020-04-16VMWare Carbon BlackScott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2018-06-23AhnLabAhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
2017-05IssueMakersLabIssueMakersLab
@online{issuemakerslab:201705:operation:6dc3206, author = {IssueMakersLab}, title = {{Operation GoldenAxe}}, date = {2017-05}, organization = {IssueMakersLab}, url = {http://www.issuemakerslab.com/research3/}, language = {English}, urldate = {2023-08-28} } Operation GoldenAxe
Rifdoor
2017FSIKay Kwak (Kyoung-Ju Kwak)
@online{kwak:2017:campaign:b60b366, author = {Kay Kwak (Kyoung-Ju Kwak)}, title = {{Campaign Rifle: Andariel, The Maiden of Anguish}}, date = {2017}, organization = {FSI}, url = {https://mega.nz/file/lkh1gY5C#93FUlwTwl0y27cfM0jtm4SYnWbtk06d0qoDg1e4eQ6s}, language = {English}, urldate = {2023-08-28} } Campaign Rifle: Andariel, The Maiden of Anguish
Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20230808 | Detects win.rifdoor.)
rule win_rifdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8be5 5d c20400 6804010000 8d54240c }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   6804010000           | push                0x104
            //   8d54240c             | lea                 edx, [esp + 0xc]

        $sequence_1 = { 0f8484000000 391d???????? 747c 391d???????? 7474 391d???????? 746c }
            // n = 7, score = 200
            //   0f8484000000         | je                  0x8a
            //   391d????????         |                     
            //   747c                 | je                  0x7e
            //   391d????????         |                     
            //   7474                 | je                  0x76
            //   391d????????         |                     
            //   746c                 | je                  0x6e

        $sequence_2 = { ba4f000000 8bc2 668944243c b952000000 66894c2438 668954243a }
            // n = 6, score = 200
            //   ba4f000000           | mov                 edx, 0x4f
            //   8bc2                 | mov                 eax, edx
            //   668944243c           | mov                 word ptr [esp + 0x3c], ax
            //   b952000000           | mov                 ecx, 0x52
            //   66894c2438           | mov                 word ptr [esp + 0x38], cx
            //   668954243a           | mov                 word ptr [esp + 0x3a], dx

        $sequence_3 = { 83c408 85c0 7405 bf01000000 8d542410 52 ff15???????? }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   bf01000000           | mov                 edi, 1
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_4 = { 830eff 2b34bd605d4100 c1fe06 8bc7 c1e005 }
            // n = 5, score = 200
            //   830eff               | or                  dword ptr [esi], 0xffffffff
            //   2b34bd605d4100       | sub                 esi, dword ptr [edi*4 + 0x415d60]
            //   c1fe06               | sar                 esi, 6
            //   8bc7                 | mov                 eax, edi
            //   c1e005               | shl                 eax, 5

        $sequence_5 = { b001 5e 81c408010000 c3 5f 32c0 }
            // n = 6, score = 200
            //   b001                 | mov                 al, 1
            //   5e                   | pop                 esi
            //   81c408010000         | add                 esp, 0x108
            //   c3                   | ret                 
            //   5f                   | pop                 edi
            //   32c0                 | xor                 al, al

        $sequence_6 = { 8d4c2454 51 8b4c2410 8d54242c e8???????? 83c408 85c0 }
            // n = 7, score = 200
            //   8d4c2454             | lea                 ecx, [esp + 0x54]
            //   51                   | push                ecx
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8d54242c             | lea                 edx, [esp + 0x2c]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_7 = { 83c408 a3???????? e9???????? 3c01 }
            // n = 4, score = 200
            //   83c408               | add                 esp, 8
            //   a3????????           |                     
            //   e9????????           |                     
            //   3c01                 | cmp                 al, 1

        $sequence_8 = { 53 56 8b35???????? 57 3b35???????? 7d4a }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b35????????         |                     
            //   57                   | push                edi
            //   3b35????????         |                     
            //   7d4a                 | jge                 0x4c

        $sequence_9 = { 50 8b410c ffd0 8b95f0f7ffff }
            // n = 4, score = 100
            //   50                   | push                eax
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   ffd0                 | call                eax
            //   8b95f0f7ffff         | mov                 edx, dword ptr [ebp - 0x810]

        $sequence_10 = { e8???????? 8b1d???????? 33c0 83c40c 33d2 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   33c0                 | xor                 eax, eax
            //   83c40c               | add                 esp, 0xc
            //   33d2                 | xor                 edx, edx

        $sequence_11 = { 68ff000000 8d9524faffff 52 ff15???????? }
            // n = 4, score = 100
            //   68ff000000           | push                0xff
            //   8d9524faffff         | lea                 edx, [ebp - 0x5dc]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_12 = { 75f9 8d8de8fbffff 2bc2 51 40 }
            // n = 5, score = 100
            //   75f9                 | jne                 0xfffffffb
            //   8d8de8fbffff         | lea                 ecx, [ebp - 0x418]
            //   2bc2                 | sub                 eax, edx
            //   51                   | push                ecx
            //   40                   | inc                 eax

        $sequence_13 = { c1ee08 0bd6 884101 03c2 8d1400 33d0 }
            // n = 6, score = 100
            //   c1ee08               | shr                 esi, 8
            //   0bd6                 | or                  edx, esi
            //   884101               | mov                 byte ptr [ecx + 1], al
            //   03c2                 | add                 eax, edx
            //   8d1400               | lea                 edx, [eax + eax]
            //   33d0                 | xor                 edx, eax

        $sequence_14 = { ff15???????? 68???????? 6a00 6801001f00 ff15???????? 5f 5e }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   68????????           |                     
            //   6a00                 | push                0
            //   6801001f00           | push                0x1f0001
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_15 = { 8d8424a8010000 50 53 ff15???????? 85c0 7507 53 }
            // n = 7, score = 100
            //   8d8424a8010000       | lea                 eax, [esp + 0x1a8]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 212992
}
[TLP:WHITE] win_rifdoor_w0   (20230118 | detect_rifdoor)
rule win_rifdoor_w0 {
	meta:
	    description = "detect_rifdoor"
	    author = "@malgamy12"
	    date = "2022/11/11"
	    license = "DRL 1.1"
        hash1 = "19b2144927bd071e30df9fce5f3d49f1"
        hash2 = "d8ba4b4bfc5e0877fa8e8c1b26876ea6"
        hash3 = "d94d6f773c0ed5514d3e571e4b3681ba"
        hash4 = "5aca1e4ec64ba417d1b0ebea88bdd06e"
        hash5 = "45f8d44cba70520ca2ea97427ddaab3e"
        hash6 = "d3b2956904bed8c8146b8bb556b8911a"
        hash7 = "e4c4c9abdd8613afa17f58d721039a46"
        hash8 = "cf847663a7a9d6ddbe3a1f0d5e5236b6"
        hash9 = "01a0b932d82ed3b78ccfb2bb5826c32f"
        hash10 = "c6687e1fab97b2d7433a5e51fcf2aa30"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $pdb = "rifle.pdb" ascii

        $s1 = "MUTEX394039_4830023" ascii
        $s2 = "CMD:%s %s %d/%d/%d %d:%d:%d" ascii
	$s3 = "/c del /q \"%s\" >> NUL" ascii

        $chunk_1 = {80 32 ?? 41 80 39 ?? 8B D1 75} // xor operation

        
    condition:
        uint16(0) == 0x5A4D  and ($pdb  or  (2 of ($s*) and $chunk_1 ))

}
Download all Yara Rules