SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sierras (Back to overview)

Sierra(Alfa,Bravo, ...)

aka: Destover

Actor(s): Lazarus Group


There is no description at this point.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26SymantecSecurity Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2014-12-19US-CERTUS-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
Yara Rules
[TLP:WHITE] win_sierras_auto (20221125 | Detects win.sierras.)
rule win_sierras_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.sierras."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c705????????07000000 8935???????? 8935???????? 8935???????? 8935???????? ff15???????? 3bc6 }
            // n = 7, score = 400
            //   c705????????07000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_1 = { e8???????? 6a00 56 ff7514 8d4de0 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d4de0               | lea                 ecx, [ebp - 0x20]

        $sequence_2 = { 33049dc09d4000 8bd9 c1eb18 33049dc0954000 23ce 33db 836d1020 }
            // n = 7, score = 200
            //   33049dc09d4000       | xor                 eax, dword ptr [ebx*4 + 0x409dc0]
            //   8bd9                 | mov                 ebx, ecx
            //   c1eb18               | shr                 ebx, 0x18
            //   33049dc0954000       | xor                 eax, dword ptr [ebx*4 + 0x4095c0]
            //   23ce                 | and                 ecx, esi
            //   33db                 | xor                 ebx, ebx
            //   836d1020             | sub                 dword ptr [ebp + 0x10], 0x20

        $sequence_3 = { c706???????? 50 ff15???????? 8d4e04 e8???????? 5e }
            // n = 6, score = 200
            //   c706????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4e04               | lea                 ecx, [esi + 4]
            //   e8????????           |                     
            //   5e                   | pop                 esi

        $sequence_4 = { 83c408 3bf5 7414 56 57 e8???????? 83c604 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   3bf5                 | cmp                 esi, ebp
            //   7414                 | je                  0x16
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c604               | add                 esi, 4

        $sequence_5 = { 50 6802020000 668935???????? e8???????? 85c0 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   668935????????       |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 33c0 85c0 7e15 8bf0 8bcf e8???????? }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   85c0                 | test                eax, eax
            //   7e15                 | jle                 0x17
            //   8bf0                 | mov                 esi, eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_7 = { 837d0801 7e58 837d0803 0f8fb0000000 397d10 897df0 0f86a4000000 }
            // n = 7, score = 200
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   7e58                 | jle                 0x5a
            //   837d0803             | cmp                 dword ptr [ebp + 8], 3
            //   0f8fb0000000         | jg                  0xb6
            //   397d10               | cmp                 dword ptr [ebp + 0x10], edi
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   0f86a4000000         | jbe                 0xaa

        $sequence_8 = { c3 56 8bf1 e8???????? 8b8698010000 5e c3 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   8b8698010000         | mov                 eax, dword ptr [esi + 0x198]
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_9 = { e8???????? 83c430 683f000f00 6a00 6a00 ff15???????? 8bf0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_10 = { 56 8bf1 57 8d7e08 57 ff15???????? 83f8ff }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   8d7e08               | lea                 edi, [esi + 8]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1

        $sequence_11 = { 85ff 0f84da030000 85db 0f84d2030000 8b2d???????? 83c9ff }
            // n = 6, score = 200
            //   85ff                 | test                edi, edi
            //   0f84da030000         | je                  0x3e0
            //   85db                 | test                ebx, ebx
            //   0f84d2030000         | je                  0x3d8
            //   8b2d????????         |                     
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_12 = { 7422 8d50a0 85c0 7411 }
            // n = 4, score = 200
            //   7422                 | je                  0x24
            //   8d50a0               | lea                 edx, [eax - 0x60]
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13

        $sequence_13 = { 894c2420 c744242400000000 e8???????? 33c9 56 }
            // n = 5, score = 200
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   c744242400000000     | mov                 dword ptr [esp + 0x24], 0
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi

        $sequence_14 = { 8910 83c004 3bc1 75f3 eb43 50 50 }
            // n = 7, score = 200
            //   8910                 | mov                 dword ptr [eax], edx
            //   83c004               | add                 eax, 4
            //   3bc1                 | cmp                 eax, ecx
            //   75f3                 | jne                 0xfffffff5
            //   eb43                 | jmp                 0x45
            //   50                   | push                eax
            //   50                   | push                eax

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_sierras_w0   (20170517 | No description)
import "pe"

rule win_sierras_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		info = "charlie component"
        hash = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/SierraCharlie.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		8B 0D 50 A7 56 00  mov     ecx, DnsFree
		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
		6A 01              push    1               ; _DWORD
		50                 push    eax             ; _DWORD
		85 C9              test    ecx, ecx
		74 3A              jz      short loc_40580B
		FF D1              call    ecx ; DnsFree
	*/

	$dnsResolve = {
			8B 0D 50 A7 56 00 
			81 F6 8C 3F 7C 5E 
			6A 01 
			50 
			85 C9 
			74 3A 
			FF D1 
		}
		
	$file1 = "wmplog21t.sqm"
	$file2 = "wmplog15r.sqm"
	$file3 = "wmplog09c.sqm"
		

	condition:
		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or 2 of ($file*)
}
Download all Yara Rules