SYMBOLCOMMON_NAMEaka. SYNONYMS
win.xpack (Back to overview)

xPack

aka: NERAPACK

Actor(s): Antlion, Pirate Panda

Symantec describes this as a decryptor/loader used by Chinese threat actor Antlion in campaigns targeting Taiwan.

References
2022-02-06The Hacker NewsRavie Lakshmanan
Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor
xPack
2022-02-03SymantecSymantec Threat Hunter Team
Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
MimiKatz xPack Antlion
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23
Yara Rules
[TLP:WHITE] win_xpack_w0 (20220207 | No description)
rule win_xpack_w0 {
    meta:
        author = "Symantec, a division of Broadcom"
        source = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
        hash = "390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack"
        malpedia_rule_date = "20220207"
        malpedia_hash = ""
        malpedia_version = "20220207"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "C:\\Windows\\inf\\wdnvsc.inf" wide fullword
        $s2 = "PackService" wide fullword
        $s3 = "xPackSvc" wide fullword
        $s4 = "eG#!&5h8V$" wide fullword
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 
        and 3 of them
}
[TLP:WHITE] win_xpack_w1 (20220207 | No description)
rule win_xpack_w1 {
  meta:
    author = "Symantec, a division of Broadcom"
    source = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
    hash = "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack"
    malpedia_rule_date = "20220207"
    malpedia_hash = ""
    malpedia_version = "20220207"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
     $s1 = "Length or Hash destoryed" wide fullword
     $s2 = "tag unmatched" wide fullword
     $s3 = "File size mismatch" wide fullword
     $s4 = "DESFile" wide fullword
     $p1 = "fomsal.Properties.Resources.resources" wide fullword
     $p2 = "xPack.Properties.Resources.resources" wide fullword
     $p3 = "foslta.Properties.Resources.resources" wide fullword
  condition:
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 
    and (2 of ($s*) or any of ($p*))
}
Download all Yara Rules