SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sierras (Back to overview)

Sierra(Alfa,Bravo, ...)

aka: Destover

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26SymantecSecurity Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2014-12-19US-CERTUS-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
Yara Rules
[TLP:WHITE] win_sierras_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_sierras_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c705????????07000000 8935???????? 8935???????? 8935???????? 8935???????? ff15???????? 3bc6 }
            // n = 7, score = 400
            //   c705????????07000000     |     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   3bc6                 | cmp                 eax, esi

        $sequence_1 = { 57 57 8d8c2448020000 57 51 c744247000000000 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d8c2448020000       | lea                 ecx, [esp + 0x248]
            //   57                   | push                edi
            //   51                   | push                ecx
            //   c744247000000000     | mov                 dword ptr [esp + 0x70], 0

        $sequence_2 = { 8b45f0 3b4510 72c3 eb62 837d1000 }
            // n = 5, score = 200
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   3b4510               | cmp                 eax, dword ptr [ebp + 0x10]
            //   72c3                 | jb                  0xffffffc5
            //   eb62                 | jmp                 0x64
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_3 = { 53 53 8d442428 53 50 ffd7 85c0 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_4 = { 7d0d 6a13 50 57 ff15???????? 83c40c }
            // n = 6, score = 200
            //   7d0d                 | jge                 0xf
            //   6a13                 | push                0x13
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { f3ab 8bce aa e8???????? }
            // n = 4, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8bce                 | mov                 ecx, esi
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e8????????           |                     

        $sequence_6 = { e8???????? 8b8608010000 5e c3 56 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8b8608010000         | mov                 eax, dword ptr [esi + 0x108]
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_7 = { 8bf1 e8???????? 8b8698010000 5e }
            // n = 4, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   8b8698010000         | mov                 eax, dword ptr [esi + 0x198]
            //   5e                   | pop                 esi

        $sequence_8 = { 8bf1 57 68???????? 8d4604 50 ff15???????? 8bf8 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   68????????           |                     
            //   8d4604               | lea                 eax, [esi + 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_9 = { 8bf1 33db 6a01 6a78 }
            // n = 4, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   33db                 | xor                 ebx, ebx
            //   6a01                 | push                1
            //   6a78                 | push                0x78

        $sequence_10 = { be0a000000 3bc6 7c10 6a64 ff15???????? }
            // n = 5, score = 200
            //   be0a000000           | mov                 esi, 0xa
            //   3bc6                 | cmp                 eax, esi
            //   7c10                 | jl                  0x12
            //   6a64                 | push                0x64
            //   ff15????????         |                     

        $sequence_11 = { 7520 f6c140 0f85bc010000 6a01 5a d3e2 0fb74df2 }
            // n = 7, score = 200
            //   7520                 | jne                 0x22
            //   f6c140               | test                cl, 0x40
            //   0f85bc010000         | jne                 0x1c2
            //   6a01                 | push                1
            //   5a                   | pop                 edx
            //   d3e2                 | shl                 edx, cl
            //   0fb74df2             | movzx               ecx, word ptr [ebp - 0xe]

        $sequence_12 = { 895db4 6a38 f3ab 8d45b4 }
            // n = 4, score = 200
            //   895db4               | mov                 dword ptr [ebp - 0x4c], ebx
            //   6a38                 | push                0x38
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d45b4               | lea                 eax, [ebp - 0x4c]

        $sequence_13 = { 837df800 0f84ce020000 8b45fc 8bcf }
            // n = 4, score = 200
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f84ce020000         | je                  0x2d4
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8bcf                 | mov                 ecx, edi

        $sequence_14 = { 750b c70617000000 e9???????? a820 0f850af9ffff }
            // n = 5, score = 200
            //   750b                 | jne                 0xd
            //   c70617000000         | mov                 dword ptr [esi], 0x17
            //   e9????????           |                     
            //   a820                 | test                al, 0x20
            //   0f850af9ffff         | jne                 0xfffff910

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_sierras_w0   (20170517 | No description)
import "pe"

rule win_sierras_w0 {
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		info = "charlie component"
        hash = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698.bin"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/SierraCharlie.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
	/*
		8B 0D 50 A7 56 00  mov     ecx, DnsFree
		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
		6A 01              push    1               ; _DWORD
		50                 push    eax             ; _DWORD
		85 C9              test    ecx, ecx
		74 3A              jz      short loc_40580B
		FF D1              call    ecx ; DnsFree
	*/

	$dnsResolve = {
			8B 0D 50 A7 56 00 
			81 F6 8C 3F 7C 5E 
			6A 01 
			50 
			85 C9 
			74 3A 
			FF D1 
		}
		
	$file1 = "wmplog21t.sqm"
	$file2 = "wmplog15r.sqm"
	$file3 = "wmplog09c.sqm"
		

	condition:
		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
		or 2 of ($file*)
}
Download all Yara Rules