win.torisma

Torisma

Actor(s): Lazarus Group


Torisma is a complex HTTP(S) downloader that can also act as an orchestrator, handling the execution of additional payloads retrieved from the C&C server.

It uses VEST-32 for encryption and decryption of network traffic between the client and the server.

Typically, it uses these parameter names for its HTTP POST requests: ACTION, CODE, CACHE, REQUEST, RES. It sends the victim's MAC address in the initial request.

The server's response informing the client of a successful authentication is "Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}". The client then requests additional data from the server, which decrypts to shellcode plus its data parameters and is executed. The client also creates a named pipe, \\.\pipe\fb4d1181bb09b484d058768598b, that allows inter-process communication with the executed shellcode.

Torisma was usually downloaded by NedDnLoader and was deployed in the Operation DreamJob campaigns starting around Q4 2019.

References
2021-04-15 | AhnLab | AhnLab ASEC Analysis Team
Operation Dream Job Targeting Job Seekers in South Korea
LCPDot Torisma
2021-01-29 | NSFOCUS | Fuying Laboratory
认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
ComeBacker DRATzarus Torisma
2021-01-26 | JPCERT/CC | Shusei Tomonaga
Operation Dream Job by Lazarus
LCPDot Torisma Lazarus Group
2020-11-05 | McAfee | Christiaan Beek, Ryan Sherstobitoff
Operation North Star: Behind The Scenes
NedDnLoader Torisma
2019-11-05 | Telsy | Telsy Research Team
The Lazarus’ gaze to the world: What is behind the first stone?
NedDnLoader Torisma
Yara Rules
[TLP:WHITE] win_torisma_auto (20230808 | Detects win.torisma.)
rule win_torisma_auto {
    // Auto-generated code-sequence signature for the Torisma downloader (win.torisma).
    // Each $sequence_N is a short run of x86 opcode bytes lifted from unpacked
    // samples / memory dumps; the "????????" nibbles wildcard the 4-byte operand of
    // call (e8) and jmp (e9) instructions so the pattern survives relocation.
    // The "n = .., score = .." annotations are the generator's sequence length and
    // weighting; they are comments only and do not influence matching.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.torisma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the mnemonic column beside each sequence is for orientation
     * only and is not always aligned with the hex column (compare the bytes of
     * $sequence_4 with its mnemonics, which belong to $sequence_5's bytes, and
     * vice versa). Sequences starting with 0x48 ($sequence_3, _7, _8, _12) look
     * like 64-bit code whose REX.W prefix has been rendered as a 32-bit
     * "dec eax". Only the hex bytes participate in matching; when triaging a
     * hit, confirm against the bytes, not the mnemonics.
     */

    strings:
        $sequence_0 = { e8???????? 3d83490000 7507 b883490000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   3d83490000           | cmp                 eax, 0x4983
            //   7507                 | jne                 9
            //   b883490000           | mov                 eax, 0x4983

        $sequence_1 = { 7402 eb05 e9???????? b833280000 }
            // n = 4, score = 200
            //   7402                 | je                  4
            //   eb05                 | jmp                 7
            //   e9????????           |                     
            //   b833280000           | mov                 eax, 0x2833

        $sequence_2 = { e8???????? 3d514b0000 7504 33c0 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   3d514b0000           | cmp                 eax, 0x4b51
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 488b4c2470 e8???????? 89442458 817c245870100000 }
            // n = 4, score = 100
            //   488b4c2470           | dec                 eax
            //   e8????????           |                     
            //   89442458             | mov                 ecx, dword ptr [esp + 0x70]
            //   817c245870100000     | mov                 dword ptr [esp + 0x58], eax

        $sequence_4 = { 030cb540ef0110 eb02 8bca f641247f 759b }
            // n = 5, score = 100
            //   030cb540ef0110       | pop                 edi
            //   eb02                 | pop                 esi
            //   8bca                 | mov                 esp, ebp
            //   f641247f             | pop                 ebp
            //   759b                 | add                 ecx, dword ptr [esi*4 + 0x1001ef40]

        $sequence_5 = { b833280000 5f 5e 8be5 5d }
            // n = 5, score = 100
            //   b833280000           | mov                 edx, 3
            //   5f                   | sub                 ecx, 4
            //   5e                   | jb                  0xe
            //   8be5                 | and                 eax, 3
            //   5d                   | mov                 eax, 0x2833

        $sequence_6 = { 8b55fc 833a00 740c 8b45fc 8b08 51 }
            // n = 6, score = 100
            //   8b55fc               | jne                 9
            //   833a00               | mov                 dword ptr [ebp - 0xc], 0x2833
            //   740c                 | jmp                 9
            //   8b45fc               | mov                 dword ptr [ebp - 0xc], 0x2833
            //   8b08                 | mov                 edx, dword ptr [ebp - 4]
            //   51                   | cmp                 dword ptr [edx], 0

        $sequence_7 = { 488d442440 488bf8 33c0 b928000000 }
            // n = 4, score = 100
            //   488d442440           | mov                 dword ptr [edx + ecx*4], eax
            //   488bf8               | jmp                 0xffffffba
            //   33c0                 | dec                 eax
            //   b928000000           | lea                 eax, [esp + 0x40]

        $sequence_8 = { 8b4c2430 488b542450 89048a ebb5 }
            // n = 4, score = 100
            //   8b4c2430             | cmp                 dword ptr [esp + 0x58], 0x1070
            //   488b542450           | mov                 ecx, dword ptr [esp + 0x30]
            //   89048a               | dec                 eax
            //   ebb5                 | mov                 edx, dword ptr [esp + 0x50]

        $sequence_9 = { 817dd833280000 7507 c745f433280000 eb07 c745f433280000 }
            // n = 5, score = 100
            //   817dd833280000       | mov                 eax, 0x2833
            //   7507                 | cmp                 eax, 0x4983
            //   c745f433280000       | jne                 9
            //   eb07                 | mov                 eax, 0x4983
            //   c745f433280000       | cmp                 dword ptr [ebp - 0x28], 0x2833

        $sequence_10 = { c68424e1000000e9 c68424e2000000c3 c68424e3000000a5 c68424e400000090 }
            // n = 4, score = 100
            //   c68424e1000000e9     | mov                 byte ptr [esp + 0xe1], 0xe9
            //   c68424e2000000c3     | mov                 byte ptr [esp + 0xe2], 0xc3
            //   c68424e3000000a5     | mov                 byte ptr [esp + 0xe3], 0xa5
            //   c68424e400000090     | mov                 byte ptr [esp + 0xe4], 0x90

        $sequence_11 = { ff2495c0d50010 8bc7 ba03000000 83e904 720c 83e003 }
            // n = 6, score = 100
            //   ff2495c0d50010       | je                  0x11
            //   8bc7                 | mov                 eax, dword ptr [ebp - 4]
            //   ba03000000           | mov                 ecx, dword ptr [eax]
            //   83e904               | push                ecx
            //   720c                 | jmp                 dword ptr [edx*4 + 0x1000d5c0]
            //   83e003               | mov                 eax, edi

        $sequence_12 = { c1e006 0b442414 88442410 8b442440 }
            // n = 4, score = 100
            //   c1e006               | dec                 eax
            //   0b442414             | xor                 eax, eax
            //   88442410             | mov                 edi, eax
            //   8b442440             | mov                 ecx, 0x28

    condition:
        // A hit needs any 7 of the 13 sequences, so a few build-specific
        // differences are tolerated. The filesize cap (322560 bytes = 315 KiB)
        // bounds scan cost but also means no file at or above that size can
        // match regardless of its strings; relax it if the rule is applied to
        // padded process memory dumps rather than files on disk.
        7 of them and filesize < 322560
}