win.rifdoor

Rifdoor

Actor(s): Lazarus Group, Silent Chollima


There is no description at this point.

References
2020-04-16 — VMWare Carbon Black — Scott Knight
The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03 — PWC UK — PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2018-06-23 — AhnLab — AhnLab
Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
2017-05-01 — IssueMakersLab — IssueMakersLab
Operation GoldenAxe
Rifdoor
2017-01-01 — FSI — Kay Kwak (Kyoung-Ju Kwak)
Campaign Rifle: Andariel, The Maiden of Anguish
Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20260504 | Detects win.rifdoor.)
rule win_rifdoor_auto {
    // Auto-generated code-pattern rule (see the yara-signator DISCLAIMER below).
    // Each $sequence_N is a run of x86 instruction bytes taken from disassembly;
    // the "n = .., score = .." annotation gives the instruction count and the
    // generator's ranking value for that sequence ($sequence_0..7 carry score 200,
    // $sequence_8..15 score 100). Bytes written "??" are wildcards for operands the
    // generator left unbound (the matching disassembly line is blank) - per
    // signator_config these are call/jump targets and data references.
    // The disassembly uses 32-bit registers (esp, ebp, ecx), so this presumably
    // only matches x86-32 builds of the family - confirm before relying on it for
    // any 64-bit variant.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 ffd6 8d4c2410 a3???????? 51 b810000000 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   a3????????           |                     
            //   51                   | push                ecx
            //   b810000000           | mov                 eax, 0x10

        $sequence_1 = { ff15???????? 5f b001 5e 81c408010000 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   b001                 | mov                 al, 1
            //   5e                   | pop                 esi
            //   81c408010000         | add                 esp, 0x108

        // NOTE(review): the lea operand below embeds an absolute address
        // (0x414b30), so this sequence is tied to one build/image base and
        // likely generalizes less well than the relative-only sequences.
        $sequence_2 = { e8???????? 8b4de4 83c40c 6bc930 8975e0 8db1304b4100 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db1304b4100         | lea                 esi, [ecx + 0x414b30]

        $sequence_3 = { 02c9 02c9 880c30 eb26 }
            // n = 4, score = 200
            //   02c9                 | add                 cl, cl
            //   02c9                 | add                 cl, cl
            //   880c30               | mov                 byte ptr [eax + esi], cl
            //   eb26                 | jmp                 0x28

        $sequence_4 = { 85d2 7e6d 83f93d 7468 83f920 }
            // n = 5, score = 200
            //   85d2                 | test                edx, edx
            //   7e6d                 | jle                 0x6f
            //   83f93d               | cmp                 ecx, 0x3d
            //   7468                 | je                  0x6a
            //   83f920               | cmp                 ecx, 0x20

        $sequence_5 = { 52 b808000000 b9???????? 895c2414 e8???????? 8be8 }
            // n = 6, score = 200
            //   52                   | push                edx
            //   b808000000           | mov                 eax, 8
            //   b9????????           |                     
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax

        $sequence_6 = { e8???????? 83c410 6a00 8d84240c010000 50 ff15???????? 6a00 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   8d84240c010000       | lea                 eax, [esp + 0x10c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_7 = { c3 397c240c 74e1 ba4f000000 8bc2 }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   397c240c             | cmp                 dword ptr [esp + 0xc], edi
            //   74e1                 | je                  0xffffffe3
            //   ba4f000000           | mov                 edx, 0x4f
            //   8bc2                 | mov                 eax, edx

        $sequence_8 = { 52 8d45e8 50 8d8de8f7ffff }
            // n = 4, score = 100
            //   52                   | push                edx
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d8de8f7ffff         | lea                 ecx, [ebp - 0x818]

        $sequence_9 = { b9843a0000 81fb843a0000 7702 8bcb 2bd9 be2c1a0000 33ff }
            // n = 7, score = 100
            //   b9843a0000           | mov                 ecx, 0x3a84
            //   81fb843a0000         | cmp                 ebx, 0x3a84
            //   7702                 | ja                  4
            //   8bcb                 | mov                 ecx, ebx
            //   2bd9                 | sub                 ebx, ecx
            //   be2c1a0000           | mov                 esi, 0x1a2c
            //   33ff                 | xor                 edi, edi

        $sequence_10 = { eb08 ff15???????? 33c9 b873b2e745 f72d???????? }
            // n = 5, score = 100
            //   eb08                 | jmp                 0xa
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   b873b2e745           | mov                 eax, 0x45e7b273
            //   f72d????????         |                     

        $sequence_11 = { 83c103 51 ffd3 a3???????? eb2c 8b14b7 83c203 }
            // n = 7, score = 100
            //   83c103               | add                 ecx, 3
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   a3????????           |                     
            //   eb2c                 | jmp                 0x2e
            //   8b14b7               | mov                 edx, dword ptr [edi + esi*4]
            //   83c203               | add                 edx, 3

        $sequence_12 = { 83c40c 8d8d68fcffff 51 8d9574fcffff 52 6a00 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d8d68fcffff         | lea                 ecx, [ebp - 0x398]
            //   51                   | push                ecx
            //   8d9574fcffff         | lea                 edx, [ebp - 0x38c]
            //   52                   | push                edx
            //   6a00                 | push                0

        // NOTE(review): as with $sequence_2, the lea operand embeds an absolute
        // address (0x410d00) and is therefore build-specific.
        $sequence_13 = { 68ff000000 e8???????? 59 59 8b7508 8d34f5000d4100 391e }
            // n = 7, score = 100
            //   68ff000000           | push                0xff
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d34f5000d4100       | lea                 esi, [esi*8 + 0x410d00]
            //   391e                 | cmp                 dword ptr [esi], ebx

        $sequence_14 = { ff15???????? 8bf8 83ffff 0f84bb000000 53 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   0f84bb000000         | je                  0xc1
            //   53                   | push                ebx

        $sequence_15 = { c785e4bcffff44000000 899d1cbdffff c78510bdffff01010000 66898514bdffff 33f6 8d642400 8d8d40bdffff }
            // n = 7, score = 100
            //   c785e4bcffff44000000     | mov    dword ptr [ebp - 0x431c], 0x44
            //   899d1cbdffff         | mov                 dword ptr [ebp - 0x42e4], ebx
            //   c78510bdffff01010000     | mov    dword ptr [ebp - 0x42f0], 0x101
            //   66898514bdffff       | mov                 word ptr [ebp - 0x42ec], ax
            //   33f6                 | xor                 esi, esi
            //   8d642400             | lea                 esp, [esp]
            //   8d8d40bdffff         | lea                 ecx, [ebp - 0x42c0]

    // Match requires any 7 of the 16 $sequence_* strings above, and the scanned
    // file must be smaller than 212992 bytes (208 KiB). "them" covers every
    // string declared in this rule. The size cap presumably bounds false positives
    // and scan cost on large files; note that it also means a padded or repacked
    // sample above that size will not match even if the code sequences are present.
    condition:
        7 of them and filesize < 212992
}
[TLP:WHITE] win_rifdoor_w0   (20230118 | detect_rifdoor)
rule win_rifdoor_w0 {
	// Hand-written rule combining a build artefact, three runtime strings and a
	// short decode-loop byte pattern. hash1..hash10 are 32-hex-digit digests of
	// the samples the author wrote the rule against (presumably MD5 - not stated).
	meta:
	    description = "detect_rifdoor"
	    author = "@malgamy12"
	    date = "2022/11/11"
	    license = "DRL 1.1"
        hash1 = "19b2144927bd071e30df9fce5f3d49f1"
        hash2 = "d8ba4b4bfc5e0877fa8e8c1b26876ea6"
        hash3 = "d94d6f773c0ed5514d3e571e4b3681ba"
        hash4 = "5aca1e4ec64ba417d1b0ebea88bdd06e"
        hash5 = "45f8d44cba70520ca2ea97427ddaab3e"
        hash6 = "d3b2956904bed8c8146b8bb556b8911a"
        hash7 = "e4c4c9abdd8613afa17f58d721039a46"
        hash8 = "cf847663a7a9d6ddbe3a1f0d5e5236b6"
        hash9 = "01a0b932d82ed3b78ccfb2bb5826c32f"
        hash10 = "c6687e1fab97b2d7433a5e51fcf2aa30"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Debug-symbol file name left in the binary. Per the condition this string
        // on its own is sufficient for a match, which makes it the rule's loosest
        // path: any MZ file whose PDB path happens to contain "rifle.pdb" matches.
        $pdb = "rifle.pdb" ascii

        // Hard-coded mutex name.
        $s1 = "MUTEX394039_4830023" ascii
        // printf-style format string: two string fields followed by date and
        // time fields (presumably a command/log record - not verifiable here).
        $s2 = "CMD:%s %s %d/%d/%d %d:%d:%d" ascii
        // cmd.exe argument fragment that deletes a file and discards the output.
	$s3 = "/c del /q \"%s\" >> NUL" ascii

        // Byte-wise XOR decode loop. The opcodes decode as:
        //   80 32 ??   xor byte ptr [edx], imm8   (key wildcarded)
        //   41         inc ecx
        //   80 39 ??   cmp byte ptr [ecx], imm8   (terminator wildcarded)
        //   8B D1      mov edx, ecx
        //   75 ..      jne <back to the xor>
        // Wildcarding the key and terminator keeps the pattern stable across
        // samples that only change those constants.
        $chunk_1 = {80 32 ?? 41 80 39 ?? 8B D1 75} // xor operation

        
    // uint16(0) == 0x5A4D requires the "MZ" header, i.e. a PE image.
    // Then either the PDB name alone, or at least two of $s1..$s3 together with
    // the decode-loop bytes. Note that "2 of ($s*)" counts only $s1/$s2/$s3 -
    // $pdb and $chunk_1 are not covered by the wildcard.
    // Unlike win_rifdoor_auto, there is no filesize bound here.
    condition:
        uint16(0) == 0x5A4D  and ($pdb  or  (2 of ($s*) and $chunk_1 ))

}