
Rifdoor

Actor(s): Lazarus Group


There is no description at this point.

References
2020-04-16VMWare Carbon BlackScott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2018-06-23AhnLabAhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20230125 | Detects win.rifdoor.)
rule win_rifdoor_auto {
    // Auto-generated code-sequence signature for win.rifdoor (yara-signator v0.6.0).
    // Every $sequence_N below is a run of x86 instruction bytes lifted from the
    // family's disassembly; "n" is the number of instructions in the run and
    // "score" is the generator's ranking of that run (meaning per yara-signator
    // docs — presumably how well it separates the family; confirm before
    // weighting matches). "????????" wildcards mask operands that vary between
    // builds (call targets, absolute data addresses), so those columns are blank.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b1495605d4100 59 c1e006 59 8a4dff 80c901 }
            // n = 6, score = 200
            //   8b1495605d4100       | mov                 edx, dword ptr [edx*4 + 0x415d60]
            //   59                   | pop                 ecx
            //   c1e006               | shl                 eax, 6
            //   59                   | pop                 ecx
            //   8a4dff               | mov                 cl, byte ptr [ebp - 1]
            //   80c901               | or                  cl, 1

        $sequence_1 = { 50 b814000000 b9???????? e8???????? 8b4c2414 8be8 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   b814000000           | mov                 eax, 0x14
            //   b9????????           |                     
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8be8                 | mov                 ebp, eax

        $sequence_2 = { ffd6 32c0 5e 5b 8b8c2474010000 }
            // n = 5, score = 200
            //   ffd6                 | call                esi
            //   32c0                 | xor                 al, al
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b8c2474010000       | mov                 ecx, dword ptr [esp + 0x174]

        $sequence_3 = { 33c0 5b c3 8d5601 c6040200 8b4c2414 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8d5601               | lea                 edx, [esi + 1]
            //   c6040200             | mov                 byte ptr [edx + eax], 0
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_4 = { c744245044000000 c744247c01010000 ff15???????? 85c0 754b a1???????? }
            // n = 6, score = 200
            //   c744245044000000     | mov                 dword ptr [esp + 0x50], 0x44
            //   c744247c01010000     | mov                 dword ptr [esp + 0x7c], 0x101
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   754b                 | jne                 0x4d
            //   a1????????           |                     

        $sequence_5 = { 7560 66833e08 755a 8844242c 8944242d 89442431 89442435 }
            // n = 7, score = 200
            //   7560                 | jne                 0x62
            //   66833e08             | cmp                 word ptr [esi], 8
            //   755a                 | jne                 0x5c
            //   8844242c             | mov                 byte ptr [esp + 0x2c], al
            //   8944242d             | mov                 dword ptr [esp + 0x2d], eax
            //   89442431             | mov                 dword ptr [esp + 0x31], eax
            //   89442435             | mov                 dword ptr [esp + 0x35], eax

        $sequence_6 = { 83c404 33c0 c644240703 c644240602 }
            // n = 4, score = 200
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   c644240703           | mov                 byte ptr [esp + 7], 3
            //   c644240602           | mov                 byte ptr [esp + 6], 2

        $sequence_7 = { e8???????? 84c0 75c9 8b15???????? 52 ffd6 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   75c9                 | jne                 0xffffffcb
            //   8b15????????         |                     
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_8 = { 56 8b35???????? 57 3b35???????? }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8b35????????         |                     
            //   57                   | push                edi
            //   3b35????????         |                     

        $sequence_9 = { 56 89858cfdffff ff15???????? 56 ff15???????? }
            // n = 5, score = 100
            //   56                   | push                esi
            //   89858cfdffff         | mov                 dword ptr [ebp - 0x274], eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_10 = { 51 52 ff15???????? 85c0 7503 8d5801 8b4594 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7503                 | jne                 5
            //   8d5801               | lea                 ebx, [eax + 1]
            //   8b4594               | mov                 eax, dword ptr [ebp - 0x6c]

        $sequence_11 = { ffd6 68???????? 8d95e8fbffff 52 ffd3 8d85e8fbffff 50 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d95e8fbffff         | lea                 edx, [ebp - 0x418]
            //   52                   | push                edx
            //   ffd3                 | call                ebx
            //   8d85e8fbffff         | lea                 eax, [ebp - 0x418]
            //   50                   | push                eax

        $sequence_12 = { 8d85f9fbffff 53 50 899df0f7ffff 889df8fbffff }
            // n = 5, score = 100
            //   8d85f9fbffff         | lea                 eax, [ebp - 0x407]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   899df0f7ffff         | mov                 dword ptr [ebp - 0x810], ebx
            //   889df8fbffff         | mov                 byte ptr [ebp - 0x408], bl

        $sequence_13 = { 8d9530bdffff 52 8d8558bdffff 50 8d8d54bdffff 51 c78530bdffff0c000000 }
            // n = 7, score = 100
            //   8d9530bdffff         | lea                 edx, [ebp - 0x42d0]
            //   52                   | push                edx
            //   8d8558bdffff         | lea                 eax, [ebp - 0x42a8]
            //   50                   | push                eax
            //   8d8d54bdffff         | lea                 ecx, [ebp - 0x42ac]
            //   51                   | push                ecx
            //   c78530bdffff0c000000     | mov    dword ptr [ebp - 0x42d0], 0xc

        $sequence_14 = { 75f6 57 ff15???????? 8b5594 }
            // n = 4, score = 100
            //   75f6                 | jne                 0xfffffff8
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b5594               | mov                 edx, dword ptr [ebp - 0x6c]

        $sequence_15 = { a3???????? eb2c 8b14b7 83c203 803a00 }
            // n = 5, score = 100
            //   a3????????           |                     
            //   eb2c                 | jmp                 0x2e
            //   8b14b7               | mov                 edx, dword ptr [edi + esi*4]
            //   83c203               | add                 edx, 3
            //   803a00               | cmp                 byte ptr [edx], 0

    // Fire when at least 7 of the 16 sequences are present and the scanned
    // object is smaller than 212992 bytes (208 KiB). There is no PE-header
    // check here, so the rule is applicable to unpacked files and memory dumps
    // alike; the size bound is what keeps it from matching large containers.
    condition:
        7 of them and filesize < 212992
}
[TLP:WHITE] win_rifdoor_w0   (20230118 | detect_rifdoor)
rule win_rifdoor_w0 {
	// Hand-written detection for Rifdoor built on artifact strings plus one
	// short code chunk. hash1..hash10 are 32-hex-digit sample identifiers
	// (MD5 by length — verify against the referenced samples before pivoting).
	meta:
	    description = "detect_rifdoor"
	    author = "@malgamy12"
	    date = "2022/11/11"
	    license = "DRL 1.1"
        hash1 = "19b2144927bd071e30df9fce5f3d49f1"
        hash2 = "d8ba4b4bfc5e0877fa8e8c1b26876ea6"
        hash3 = "d94d6f773c0ed5514d3e571e4b3681ba"
        hash4 = "5aca1e4ec64ba417d1b0ebea88bdd06e"
        hash5 = "45f8d44cba70520ca2ea97427ddaab3e"
        hash6 = "d3b2956904bed8c8146b8bb556b8911a"
        hash7 = "e4c4c9abdd8613afa17f58d721039a46"
        hash8 = "cf847663a7a9d6ddbe3a1f0d5e5236b6"
        hash9 = "01a0b932d82ed3b78ccfb2bb5826c32f"
        hash10 = "c6687e1fab97b2d7433a5e51fcf2aa30"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Debug-symbol path fragment left in the binary; on its own it is
        // sufficient for a match (see condition).
        $pdb = "rifle.pdb" ascii

        // Hard-coded mutex name used for single-instance checks.
        $s1 = "MUTEX394039_4830023" ascii
        // printf-style format string: command tag, argument and a date/time.
        $s2 = "CMD:%s %s %d/%d/%d %d:%d:%d" ascii
        // cmd.exe "/c del /q" command line that deletes a quoted path and
        // silences output — a self-deletion/cleanup artifact.
	$s3 = "/c del /q \"%s\" >> NUL" ascii

        // 80 32 ?? = xor byte ptr [edx], imm8; 41 = inc ecx; 80 39 ?? = cmp byte ptr [ecx], imm8;
        // 8B D1 = mov edx, ecx; 75 = jne. A single-byte-key XOR decode loop with
        // the key and terminator masked so the chunk survives key changes.
        $chunk_1 = {80 32 ?? 41 80 39 ?? 8B D1 75} // xor operation

        
    // Require an MZ header, then either the PDB fragment alone, or at least
    // two of the $s* strings together with the XOR loop chunk.
    condition:
        uint16(0) == 0x5A4D  and ($pdb  or  (2 of ($s*) and $chunk_1 ))

}