SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sierras (Back to overview)

Sierra(Alfa,Bravo, ...)

aka: Destover

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26SymantecSecurity Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2014-12-19US-CERTUS-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
Yara Rules
[TLP:WHITE] win_sierras_auto (20220411 | Detects win.sierras.)
rule win_sierras_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.sierras."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c705????????07000000 8935???????? 8935???????? 8935???????? 8935???????? ff15???????? 3bc6 }
            // n = 7, score = 400
            //   c705????????07000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_1 = { 5b 8be5 5d c3 53 8b45b4 }
            // n = 6, score = 200
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]

        $sequence_2 = { b90a000000 f7f9 83c9ff 8bc2 c1e006 }
            // n = 5, score = 200
            //   b90a000000           | mov                 ecx, 0xa
            //   f7f9                 | idiv                ecx
            //   83c9ff               | or                  ecx, 0xffffffff
            //   8bc2                 | mov                 eax, edx
            //   c1e006               | shl                 eax, 6

        $sequence_3 = { c3 56 8bf1 e8???????? 8b8610010000 5e c3 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   8b8610010000         | mov                 eax, dword ptr [esi + 0x110]
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_4 = { 57 ff15???????? 56 ff15???????? e8???????? 6a00 ff15???????? }
            // n = 7, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_5 = { 50 c705????????04000000 8935???????? 8935???????? ff15???????? 85c0 7506 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   c705????????04000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8

        $sequence_6 = { 751a 8b4c2410 56 8d542420 51 }
            // n = 5, score = 200
            //   751a                 | jne                 0x1c
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   56                   | push                esi
            //   8d542420             | lea                 edx, dword ptr [esp + 0x20]
            //   51                   | push                ecx

        $sequence_7 = { 837d0803 0f8fb0000000 397d10 897df0 0f86a4000000 }
            // n = 5, score = 200
            //   837d0803             | cmp                 dword ptr [ebp + 8], 3
            //   0f8fb0000000         | jg                  0xb6
            //   397d10               | cmp                 dword ptr [ebp + 0x10], edi
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   0f86a4000000         | jbe                 0xaa

        $sequence_8 = { c706???????? e8???????? 8b7608 85f6 }
            // n = 4, score = 200
            //   c706????????         |                     
            //   e8????????           |                     
            //   8b7608               | mov                 esi, dword ptr [esi + 8]
            //   85f6                 | test                esi, esi

        $sequence_9 = { 83e103 f3a4 8d8c2424050000 8d942430080000 51 52 53 }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d8c2424050000       | lea                 ecx, dword ptr [esp + 0x524]
            //   8d942430080000       | lea                 edx, dword ptr [esp + 0x830]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   53                   | push                ebx

        $sequence_10 = { 50 8d45e0 50 e8???????? eb0f 8b4dec }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb0f                 | jmp                 0x11
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_11 = { eb0d c7401880dd4000 c7061b000000 8b4d0c 6a01 c1e903 2bd9 }
            // n = 7, score = 200
            //   eb0d                 | jmp                 0xf
            //   c7401880dd4000       | mov                 dword ptr [eax + 0x18], 0x40dd80
            //   c7061b000000         | mov                 dword ptr [esi], 0x1b
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   6a01                 | push                1
            //   c1e903               | shr                 ecx, 3
            //   2bd9                 | sub                 ebx, ecx

        $sequence_12 = { 8944241c 57 89442424 b910000000 8d7c2430 }
            // n = 5, score = 200
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   57                   | push                edi
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   b910000000           | mov                 ecx, 0x10
            //   8d7c2430             | lea                 edi, dword ptr [esp + 0x30]

        $sequence_13 = { 7202 8bc3 837d0800 50 }
            // n = 4, score = 200
            //   7202                 | jb                  4
            //   8bc3                 | mov                 eax, ebx
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   50                   | push                eax

        $sequence_14 = { 52 ff15???????? 8bf0 83feff 745b }
            // n = 5, score = 200
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   745b                 | je                  0x5d

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_sierras_w0   (20170517 | No description)
import "pe"

rule win_sierras_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		info = "charlie component"
        hash = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/SierraCharlie.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		8B 0D 50 A7 56 00  mov     ecx, DnsFree
		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
		6A 01              push    1               ; _DWORD
		50                 push    eax             ; _DWORD
		85 C9              test    ecx, ecx
		74 3A              jz      short loc_40580B
		FF D1              call    ecx ; DnsFree
	*/

	$dnsResolve = {
			8B 0D 50 A7 56 00 
			81 F6 8C 3F 7C 5E 
			6A 01 
			50 
			85 C9 
			74 3A 
			FF D1 
		}
		
	$file1 = "wmplog21t.sqm"
	$file2 = "wmplog15r.sqm"
	$file3 = "wmplog09c.sqm"
		

	condition:
		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or 2 of ($file*)
}
Download all Yara Rules