win.rifdoor (Back to overview)

Rifdoor

Actor(s): Lazarus Group


There is no description at this point.

References
2020-04-16 — VMWare Carbon Black — Scott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2018-06-23 — AhnLab — AhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
Yara Rules
[TLP:WHITE] win_rifdoor_auto (20220411 | Detects win.rifdoor.)
/*
 * Auto-generated YARA rule for the Rifdoor backdoor (Malpedia: win.rifdoor).
 *
 * Each string below is a run of raw x86 instruction bytes lifted from the
 * sampled binaries by yara-signator; the "//" lines under each string
 * reproduce the disassembly of that byte run. "n" is the number of
 * instructions in the sequence; "score" appears to be the generator's
 * ranking of the sequence (see the yara-signator documentation for how it
 * is computed).
 *
 * "??" inside a hex string is a YARA single-byte wildcard. The generator
 * masks operands that vary between builds (call targets, immediates that
 * hold addresses), which is why the disassembly column is blank on those
 * lines. Operands that were NOT masked (see sequences 3, 4 and 7) are part
 * of the pattern and pin the match to that exact image layout.
 */
rule win_rifdoor_auto {

    // Provenance metadata from Malpedia. malpedia_hash / malpedia_version
    // identify this revision of the rule; leave the meta block unchanged
    // when redistributing so a hit can be traced back to the published rule.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Byte-level XOR/AND arithmetic on bl/dl/cl; register-only, so it
        // carries no addresses and is position independent.
        $sequence_0 = { 32d9 22da 8ad0 22d1 32da }
            // n = 5, score = 200
            //   32d9                 | xor                 bl, cl
            //   22da                 | and                 bl, dl
            //   8ad0                 | mov                 dl, al
            //   22d1                 | and                 dl, cl
            //   32da                 | xor                 bl, dl

        // Indirect call through a function pointer loaded from [edx+0xc],
        // followed by a result check. The 32-bit jne displacement (0x1dd) is
        // part of the pattern, so it only matches this exact code layout.
        $sequence_1 = { 8b420c 51 ffd0 85c0 0f85d7010000 8b4c2408 50 }
            // n = 7, score = 200
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   0f85d7010000         | jne                 0x1dd
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   50                   | push                eax

        // The mov ecx,imm32 operand and the call target are wildcarded
        // (b9 ???????? / e8 ????????): both hold addresses that differ
        // between builds.
        $sequence_2 = { 8d442410 50 895c2414 b814000000 b9???????? e8???????? }
            // n = 6, score = 200
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]   (line filled in by review; generator left it blank)
            //   50                   | push                eax
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   b814000000           | mov                 eax, 0x14
            //   b9????????           |                     
            //   e8????????           |                     

        // NOTE(review): 0x415d60 is an absolute image address embedded in the
        // bytes (605d4100), i.e. a relocation site. This sequence, and 4 and 7
        // below, match only an image with the sampled base and layout; a
        // rebased in-memory copy or a recompiled build will not match here.
        // NOTE(review): the sar 5 / and 0x1f / shl 6 arithmetic looks like a
        // compiler-runtime handle-table lookup rather than family-specific
        // logic — confirm before weighting sequences 3 and 4 on their own.
        $sequence_3 = { 8bce c1f905 8b0c8d605d4100 83e61f c1e606 89040e 8bc3 }
            // n = 7, score = 200
            //   8bce                 | mov                 ecx, esi
            //   c1f905               | sar                 ecx, 5
            //   8b0c8d605d4100       | mov                 ecx, dword ptr [ecx*4 + 0x415d60]
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   89040e               | mov                 dword ptr [esi + ecx], eax
            //   8bc3                 | mov                 eax, ebx

        // Same table lookup as sequence 3 (same absolute address 0x415d60).
        $sequence_4 = { 83e61f c1e606 033485605d4100 8b45e4 }
            // n = 4, score = 200
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   033485605d4100       | add                 esi, dword ptr [eax*4 + 0x415d60]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_5 = { 7508 c744242401000000 8d4c2410 51 b810000000 }
            // n = 5, score = 200
            //   7508                 | jne                 0xa
            //   c744242401000000     | mov                 dword ptr [esp + 0x24], 1
            //   8d4c2410             | lea                 ecx, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   b810000000           | mov                 eax, 0x10

        // Short sequence of compares and conditional jumps; generic-looking
        // code, so it mainly contributes as one of the "7 of them" votes.
        $sequence_6 = { 7517 395c2424 7511 3bc3 }
            // n = 4, score = 200
            //   7517                 | jne                 0x19
            //   395c2424             | cmp                 dword ptr [esp + 0x24], ebx
            //   7511                 | jne                 0x13
            //   3bc3                 | cmp                 eax, ebx

        // Byte-copy loop reading from the absolute address 0x415b64 (a fixed
        // data location in the sampled image; same rebasing caveat as
        // sequence 3). The 8d9b00000000 is a multi-byte nop used for
        // loop-head alignment.
        $sequence_7 = { 6689442404 8d9b00000000 8a88645b4100 884c0408 40 84c9 75f1 }
            // n = 7, score = 200
            //   6689442404           | mov                 word ptr [esp + 4], ax
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   8a88645b4100         | mov                 cl, byte ptr [eax + 0x415b64]
            //   884c0408             | mov                 byte ptr [esp + eax + 8], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f1                 | jne                 0xfffffff3

        // Sequences 8-15 carry score = 100 (lower than the ones above).
        // Sequence 8 is a strlen-style scan for a NUL byte.
        $sequence_8 = { 803900 8bc1 75f5 33f6 }
            // n = 4, score = 100
            //   803900               | cmp                 byte ptr [ecx], 0
            //   8bc1                 | mov                 eax, ecx
            //   75f5                 | jne                 0xfffffff7
            //   33f6                 | xor                 esi, esi

        // a3 ???????? : store eax to an absolute address, operand masked.
        $sequence_9 = { 51 ffd3 a3???????? eb2c }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   a3????????           |                     
            //   eb2c                 | jmp                 0x2e

        // ff15 ???????? : call through an import/IAT slot, operand masked.
        $sequence_10 = { 53 ff15???????? 83c664 ff8d70fcffff 7587 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   83c664               | add                 esi, 0x64
            //   ff8d70fcffff         | dec                 dword ptr [ebp - 0x390]
            //   7587                 | jne                 0xffffff89

        // Large negative ebp offsets (-0x3aa0, -0x3a8c) indicate a function
        // with a big stack frame; the offsets are frame-relative, not
        // image-relative, so they survive rebasing.
        $sequence_11 = { b85b4c0000 85c9 0f8eb2000000 8b8d60c5ffff 8d9574c5ffff 2bca }
            // n = 6, score = 100
            //   b85b4c0000           | mov                 eax, 0x4c5b
            //   85c9                 | test                ecx, ecx
            //   0f8eb2000000         | jle                 0xb8
            //   8b8d60c5ffff         | mov                 ecx, dword ptr [ebp - 0x3aa0]
            //   8d9574c5ffff         | lea                 edx, dword ptr [ebp - 0x3a8c]
            //   2bca                 | sub                 ecx, edx

        $sequence_12 = { 8d9b00000000 8b85f4f7ffff 8b08 8d95f0f7ffff 52 }
            // n = 5, score = 100
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   8b85f4f7ffff         | mov                 eax, dword ptr [ebp - 0x80c]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8d95f0f7ffff         | lea                 edx, dword ptr [ebp - 0x810]
            //   52                   | push                edx

        // Dispatch on edi against the constants 0, 0xb7 and 3; the constant
        // values are part of the pattern.
        $sequence_13 = { 85ff 744a 81ffb7000000 7442 83ff03 756b }
            // n = 6, score = 100
            //   85ff                 | test                edi, edi
            //   744a                 | je                  0x4c
            //   81ffb7000000         | cmp                 edi, 0xb7
            //   7442                 | je                  0x44
            //   83ff03               | cmp                 edi, 3
            //   756b                 | jne                 0x6d

        $sequence_14 = { 8b8d50bdffff 3bcb 7436 3bc3 7432 8b4508 }
            // n = 6, score = 100
            //   8b8d50bdffff         | mov                 ecx, dword ptr [ebp - 0x42b0]
            //   3bcb                 | cmp                 ecx, ebx
            //   7436                 | je                  0x38
            //   3bc3                 | cmp                 eax, ebx
            //   7432                 | je                  0x34
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_15 = { 8d45e8 eb0f 8d7801 e8???????? 85c0 8d45e8 7543 }
            // n = 7, score = 100
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   eb0f                 | jmp                 0x11
            //   8d7801               | lea                 edi, dword ptr [eax + 1]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   7543                 | jne                 0x45

    condition:
        // Fire when at least 7 of the 16 byte sequences are present AND the
        // scanned object is smaller than 212992 bytes (208 KiB). The size
        // bound is presumably derived from the sampled binaries; a packed
        // dropper carrying Rifdoor, or a memory dump larger than the cap,
        // will not match even if the sequences are all present, so scan
        // unpacked payloads / dumped images rather than the outer container.
        7 of them and filesize < 212992
}