win.rifdoor

Rifdoor

Actor(s): Lazarus Group


There is no description at this point.

References
2020-04-16VMWare Carbon BlackScott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom
2018-06-23AhnLabAhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_rifdoor_auto {
    // Detection rule for the win.rifdoor family (attributed on this page to
    // Lazarus Group). Generated by yara-signator: each $sequence_N below is a
    // short run of x86 opcode bytes lifted from the family's disassembly, with
    // the decoded instruction shown next to each byte group. Per the
    // DISCLAIMER, the sequences come from unpacked files and memory dumps, so
    // the rule is best applied to unpacked samples / process memory; a packed
    // on-disk sample may not match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        // malpedia_rule_date is when the rule was generated; malpedia_version
        // is the corpus snapshot it was generated from.
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings: every two hex digits are one literal byte; "??" is a
        // one-byte wildcard. The wildcarded groups (bf????????, b9????????,
        // e8????????, ff15????????, a3????????) are instructions whose
        // immediate / address operands vary between builds and load addresses,
        // which is why those lines carry no disassembly text. In the
        // per-sequence comments, "n" is the number of instructions in the
        // sequence and "score" is the generator's ranking value.
        $sequence_0 = { 8d89244b4100 5a 668b31 41 }
            // n = 4, score = 200
            //   8d89244b4100         | lea                 ecx, [ecx + 0x414b24]
            //   5a                   | pop                 edx
            //   668b31               | mov                 si, word ptr [ecx]
            //   41                   | inc                 ecx

        $sequence_1 = { 75b4 8b37 8b4704 8b4f08 }
            // n = 4, score = 200
            //   75b4                 | jne                 0xffffffb6
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]

        // Note: $sequence_0 and $sequence_2 embed absolute addresses in the
        // 0x4140xx-0x414bxx range (lea/cmp operands), so they are tied to the
        // image base of the analysed sample and are the sequences most likely
        // to miss a rebased or rebuilt binary.
        $sequence_2 = { bf???????? 833cf55440410001 751e 8d04f550404100 }
            // n = 4, score = 200
            //   bf????????           |                     
            //   833cf55440410001     | cmp                 dword ptr [esi*8 + 0x414054], 1
            //   751e                 | jne                 0x20
            //   8d04f550404100       | lea                 eax, [esi*8 + 0x414050]

        $sequence_3 = { b9???????? e8???????? 8b4c2414 8be8 }
            // n = 4, score = 200
            //   b9????????           |                     
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8be8                 | mov                 ebp, eax

        $sequence_4 = { ffd7 53 8be8 ffd7 8b5c2410 }
            // n = 5, score = 200
            //   ffd7                 | call                edi
            //   53                   | push                ebx
            //   8be8                 | mov                 ebp, eax
            //   ffd7                 | call                edi
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]

        // Byte-wise store/xor/and on bl and dl; looks like part of a byte
        // transformation loop (e.g. string or config decoding) — TODO confirm
        // against the sample before relying on that interpretation.
        $sequence_5 = { 881e 8ad8 32d9 22da 8ad0 }
            // n = 5, score = 200
            //   881e                 | mov                 byte ptr [esi], bl
            //   8ad8                 | mov                 bl, al
            //   32d9                 | xor                 bl, cl
            //   22da                 | and                 bl, dl
            //   8ad0                 | mov                 dl, al

        $sequence_6 = { 56 89742414 ff15???????? 33c0 a3???????? }
            // n = 5, score = 200
            //   56                   | push                esi
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   a3????????           |                     

        $sequence_7 = { 8bf8 52 57 e8???????? 83c40c 57 ff15???????? }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   52                   | push                edx
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_8 = { 897c2474 897c2478 e8???????? 83c404 397c2474 7513 }
            // n = 6, score = 200
            //   897c2474             | mov                 dword ptr [esp + 0x74], edi
            //   897c2478             | mov                 dword ptr [esp + 0x78], edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   397c2474             | cmp                 dword ptr [esp + 0x74], edi
            //   7513                 | jne                 0x15

        // Sets up ecx = 0x32, edx = 0 and pushes a stack buffer address;
        // presumably a buffer-initialisation call — verify in the sample.
        $sequence_9 = { 8d442438 b932000000 33d2 50 }
            // n = 4, score = 200
            //   8d442438             | lea                 eax, [esp + 0x38]
            //   b932000000           | mov                 ecx, 0x32
            //   33d2                 | xor                 edx, edx
            //   50                   | push                eax

    condition:
        // Match when any 7 of the 10 sequences are present AND the scanned
        // object is under 212992 bytes (208 KiB). The size bound is a
        // false-positive / performance guard derived from the analysed sample;
        // a larger memory region or a sample padded beyond this size will not
        // match even if all sequences are present, so raise the bound (or drop
        // it) when scanning full process memory.
        7 of them and filesize < 212992
}