SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rifdoor (Back to overview)

Rifdoor

Actor(s): Lazarus Group

There is no description at this point.

References
2020-04-16VMWare Carbon BlackScott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-06-23AhnLabAhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20210616 | Detects win.rifdoor.)
rule win_rifdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 57 ffd6 a3???????? 391d???????? 7474 391d???????? }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   a3????????           |                     
            //   391d????????         |                     
            //   7474                 | je                  0x76
            //   391d????????         |                     

        $sequence_1 = { 33d1 33d6 d1c2 83eb01 896818 89501c 75b4 }
            // n = 7, score = 200
            //   33d1                 | xor                 edx, ecx
            //   33d6                 | xor                 edx, esi
            //   d1c2                 | rol                 edx, 1
            //   83eb01               | sub                 ebx, 1
            //   896818               | mov                 dword ptr [eax + 0x18], ebp
            //   89501c               | mov                 dword ptr [eax + 0x1c], edx
            //   75b4                 | jne                 0xffffffb6

        $sequence_2 = { 8d442410 50 b810000000 b9???????? 895c2414 e8???????? 8b4c2414 }
            // n = 7, score = 200
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   b810000000           | mov                 eax, 0x10
            //   b9????????           |                     
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_3 = { 53 8b5c2418 56 6a04 6800100000 53 6a00 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   8b5c2418             | mov                 ebx, dword ptr [esp + 0x18]
            //   56                   | push                esi
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   53                   | push                ebx
            //   6a00                 | push                0

        $sequence_4 = { 5e 5d 33c0 5b 83c41c c3 ff25???????? }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   83c41c               | add                 esp, 0x1c
            //   c3                   | ret                 
            //   ff25????????         |                     

        $sequence_5 = { 33c4 89442434 8b442444 53 55 8b6c2448 56 }
            // n = 7, score = 200
            //   33c4                 | xor                 eax, esp
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8b6c2448             | mov                 ebp, dword ptr [esp + 0x48]
            //   56                   | push                esi

        $sequence_6 = { 7518 8b8c2414910000 5f 5e 33cc 33c0 e8???????? }
            // n = 7, score = 200
            //   7518                 | jne                 0x1a
            //   8b8c2414910000       | mov                 ecx, dword ptr [esp + 0x9114]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33cc                 | xor                 ecx, esp
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     

        $sequence_7 = { ffd6 8d4c2410 a3???????? 51 b818000000 b9???????? }
            // n = 6, score = 200
            //   ffd6                 | call                esi
            //   8d4c2410             | lea                 ecx, dword ptr [esp + 0x10]
            //   a3????????           |                     
            //   51                   | push                ecx
            //   b818000000           | mov                 eax, 0x18
            //   b9????????           |                     

        $sequence_8 = { ba51000000 b957000000 57 8b3d???????? 6689542426 8944241c 66894c2424 }
            // n = 7, score = 200
            //   ba51000000           | mov                 edx, 0x51
            //   b957000000           | mov                 ecx, 0x57
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   6689542426           | mov                 word ptr [esp + 0x26], dx
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   66894c2424           | mov                 word ptr [esp + 0x24], cx

        $sequence_9 = { 8944241c 66894c2424 8d542424 b84c000000 33c9 52 c744241c00000000 }
            // n = 7, score = 200
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   66894c2424           | mov                 word ptr [esp + 0x24], cx
            //   8d542424             | lea                 edx, dword ptr [esp + 0x24]
            //   b84c000000           | mov                 eax, 0x4c
            //   33c9                 | xor                 ecx, ecx
            //   52                   | push                edx
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0

    condition:
        7 of them and filesize < 212992
}
Download all Yara Rules