SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sierras (Back to overview)

Sierra(Alfa,Bravo, ...)

aka: Destover

Actor(s): Lazarus Group

There is no description at this point.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-27AnomaliAaron Shelmire
@online{shelmire:20160527:evidence:963d016, author = {Aaron Shelmire}, title = {{Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks}}, date = {2016-05-27}, organization = {Anomali}, url = {https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks}, language = {English}, urldate = {2023-08-21} } Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks
DYEPACK Sierra(Alfa,Bravo, ...)
2016-05-26SymantecSecurity Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2023-08-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee DYEPACK Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-13BAE SystemsSergei Shevchenko, Adrian Nish
@online{shevchenko:20160513:cyber:321743e, author = {Sergei Shevchenko and Adrian Nish}, title = {{CYBER HEIST ATTRIBUTION}}, date = {2016-05-13}, organization = {BAE Systems}, url = {http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html}, language = {English}, urldate = {2023-08-15} } CYBER HEIST ATTRIBUTION
Sierra(Alfa,Bravo, ...)
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2014-12-19US-CERTUS-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
Yara Rules
[TLP:WHITE] win_sierras_auto (20230715 | Detects win.sierras.)
rule win_sierras_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.sierras."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c705????????07000000 8935???????? 8935???????? 8935???????? 8935???????? ff15???????? 3bc6 }
            // n = 7, score = 400
            //   c705????????07000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_1 = { 8d448304 a3???????? e9???????? 8bc8 2bce c1f902 83f901 }
            // n = 7, score = 200
            //   8d448304             | lea                 eax, [ebx + eax*4 + 4]
            //   a3????????           |                     
            //   e9????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   c1f902               | sar                 ecx, 2
            //   83f901               | cmp                 ecx, 1

        $sequence_2 = { 394644 760f 8b4508 c7401848dd4000 e9???????? c70616000000 }
            // n = 6, score = 200
            //   394644               | cmp                 dword ptr [esi + 0x44], eax
            //   760f                 | jbe                 0x11
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c7401848dd4000       | mov                 dword ptr [eax + 0x18], 0x40dd48
            //   e9????????           |                     
            //   c70616000000         | mov                 dword ptr [esi], 0x16

        $sequence_3 = { ff15???????? 83c604 68???????? 56 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   83c604               | add                 esi, 4
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_4 = { 6a13 50 57 ff15???????? 83c40c }
            // n = 5, score = 200
            //   6a13                 | push                0x13
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { 8b5df0 834dfcff 8d4de0 e8???????? 8b4df4 }
            // n = 5, score = 200
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_6 = { b918000000 8bf2 8bf8 f3a5 83c260 83c060 }
            // n = 6, score = 200
            //   b918000000           | mov                 ecx, 0x18
            //   8bf2                 | mov                 esi, edx
            //   8bf8                 | mov                 edi, eax
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   83c260               | add                 edx, 0x60
            //   83c060               | add                 eax, 0x60

        $sequence_7 = { 85f6 7510 57 ff15???????? 5f }
            // n = 5, score = 200
            //   85f6                 | test                esi, esi
            //   7510                 | jne                 0x12
            //   57                   | push                edi
            //   ff15????????         |                     
            //   5f                   | pop                 edi

        $sequence_8 = { 8d5ef8 7656 8b4514 894514 }
            // n = 4, score = 200
            //   8d5ef8               | lea                 ebx, [esi - 8]
            //   7656                 | jbe                 0x58
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   894514               | mov                 dword ptr [ebp + 0x14], eax

        $sequence_9 = { 8b3d???????? ffd7 8bf0 83feff 7509 5f 5e }
            // n = 7, score = 200
            //   8b3d????????         |                     
            //   ffd7                 | call                edi
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7509                 | jne                 0xb
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_10 = { 897dfc 0f8cc0000000 837d0801 7e58 }
            // n = 4, score = 200
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   0f8cc0000000         | jl                  0xc6
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   7e58                 | jle                 0x5a

        $sequence_11 = { 897df0 0f86a4000000 8b7d14 8b450c 8b4df0 03c8 }
            // n = 6, score = 200
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   0f86a4000000         | jbe                 0xaa
            //   8b7d14               | mov                 edi, dword ptr [ebp + 0x14]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   03c8                 | add                 ecx, eax

        $sequence_12 = { 8d443410 52 50 57 e8???????? 85c0 }
            // n = 6, score = 200
            //   8d443410             | lea                 eax, [esp + esi + 0x10]
            //   52                   | push                edx
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_13 = { 68???????? 895c2418 895c2410 895c2414 ff15???????? }
            // n = 5, score = 200
            //   68????????           |                     
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   ff15????????         |                     

        $sequence_14 = { 03c7 50 8d45e0 50 e8???????? }
            // n = 5, score = 200
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_sierras_w0   (20170517 | No description)
import "pe"

rule win_sierras_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		info = "charlie component"
        hash = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/SierraCharlie.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		8B 0D 50 A7 56 00  mov     ecx, DnsFree
		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
		6A 01              push    1               ; _DWORD
		50                 push    eax             ; _DWORD
		85 C9              test    ecx, ecx
		74 3A              jz      short loc_40580B
		FF D1              call    ecx ; DnsFree
	*/

	$dnsResolve = {
			8B 0D 50 A7 56 00 
			81 F6 8C 3F 7C 5E 
			6A 01 
			50 
			85 C9 
			74 3A 
			FF D1 
		}
		
	$file1 = "wmplog21t.sqm"
	$file2 = "wmplog15r.sqm"
	$file3 = "wmplog09c.sqm"
		

	condition:
		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or 2 of ($file*)
}
Download all Yara Rules