win.rifdoor

Rifdoor

Actor(s): Lazarus Group


There is no description at this point.

References
2020-04-16 | VMWare Carbon Black | Scott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2018-06-23 | AhnLab | AhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Auto-generated detection rule for the Rifdoor backdoor (listed on this page
// under actor Lazarus Group). It fires when at least 7 of the 10 x86 code-byte
// sequences below are present in a file smaller than 212992 bytes (208 KiB).
rule win_rifdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` is one day later than malpedia_rule_date /
        // malpedia_version below; both stem from the same generator run.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the sequences:
    //  - Each $sequence_N is a run of consecutive x86 instruction encodings;
    //    the "n = …" comment is the instruction count and "score = …" is the
    //    generator's ranking of that sequence (its exact meaning is defined by
    //    yara-signator, not here -- check the tool docs before weighting it).
    //  - "??" wildcards mask the 4-byte operands of call/jmp targets and
    //    absolute memory references (ff15 ????????, e8 ????????, a3 ????????,
    //    391d ????????, bf ????????), so import-table slots, call targets and
    //    globals that move between builds or load addresses are not pinned.
    //  - $sequence_6, $sequence_8 and $sequence_9 keep un-masked absolute
    //    addresses (0x415d60, 0x414054). Those bytes are tied to the sample's
    //    preferred image base and would presumably be rewritten by relocation
    //    in a dump of a module loaded elsewhere -- treat them as the least
    //    portable of the ten and expect them to be the ones that drop out.
    //  - Because the bytes come from unpacked/dumped code (see DISCLAIMER),
    //    packed on-disk droppers are unlikely to match; scan unpacked files
    //    or memory dumps.
    strings:
        $sequence_0 = { 8d542404 52 894808 ff15???????? 6804010000 }
            // n = 5, score = 200
            //   8d542404             | lea                 edx, [esp + 4]
            //   52                   | push                edx
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        $sequence_1 = { 02c9 880c30 eb26 8bd1 }
            // n = 4, score = 200
            //   02c9                 | add                 cl, cl
            //   880c30               | mov                 byte ptr [eax + esi], cl
            //   eb26                 | jmp                 0x28
            //   8bd1                 | mov                 edx, ecx

        $sequence_2 = { 8b442414 50 57 e8???????? 83c40c }
            // n = 5, score = 200
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_3 = { a3???????? 391d???????? 745c 391d???????? 7454 }
            // n = 5, score = 200
            //   a3????????           |                     
            //   391d????????         |                     
            //   745c                 | je                  0x5e
            //   391d????????         |                     
            //   7454                 | je                  0x56

        $sequence_4 = { 8bf0 51 56 e8???????? 83c40c 56 ff15???????? }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_5 = { 55 8bf8 8b06 8b5050 53 56 ffd2 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bf8                 | mov                 edi, eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b5050               | mov                 edx, dword ptr [eax + 0x50]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ffd2                 | call                edx

        // Contains the absolute address 0x415d60 (see note above).
        $sequence_6 = { 8b04bd605d4100 0500080000 3bf0 0f8397000000 f6460401 755c 837e0800 }
            // n = 7, score = 200
            //   8b04bd605d4100       | mov                 eax, dword ptr [edi*4 + 0x415d60]
            //   0500080000           | add                 eax, 0x800
            //   3bf0                 | cmp                 esi, eax
            //   0f8397000000         | jae                 0x9d
            //   f6460401             | test                byte ptr [esi + 4], 1
            //   755c                 | jne                 0x5e
            //   837e0800             | cmp                 dword ptr [esi + 8], 0

        $sequence_7 = { 32db 3bc1 7d0e 885c301c }
            // n = 4, score = 200
            //   32db                 | xor                 bl, bl
            //   3bc1                 | cmp                 eax, ecx
            //   7d0e                 | jge                 0x10
            //   885c301c             | mov                 byte ptr [eax + esi + 0x1c], bl

        // Contains the absolute address 0x415d60 (same table as $sequence_6).
        $sequence_8 = { 897dfc 897dd8 83ff40 0f8d3c010000 8b34bd605d4100 85f6 0f84ba000000 }
            // n = 7, score = 200
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   83ff40               | cmp                 edi, 0x40
            //   0f8d3c010000         | jge                 0x142
            //   8b34bd605d4100       | mov                 esi, dword ptr [edi*4 + 0x415d60]
            //   85f6                 | test                esi, esi
            //   0f84ba000000         | je                  0xc0

        // Contains the absolute address 0x414054 (see note above).
        $sequence_9 = { 8bff 56 57 33f6 bf???????? 833cf55440410001 751e }
            // n = 7, score = 200
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   bf????????           |                     
            //   833cf55440410001     | cmp                 dword ptr [esi*8 + 0x414054], 1
            //   751e                 | jne                 0x20

    condition:
        // 7-of-10 tolerates a few sequences being absent (e.g. the ones with
        // absolute addresses) while keeping chance hits on generic code low.
        // The filesize cap (208 KiB) is a false-positive guard sized to the
        // documented sample; it also means large containers or memory images
        // that embed the code will not match. NOTE(review): per YARA's docs,
        // `filesize` is undefined when scanning a running process, so this
        // rule is for files / dumped images rather than live-process scans.
        7 of them and filesize < 212992
}