win.xpack

xPack

aka: NERAPACK

Actor(s): Antlion, Pirate Panda


Symantec describes this as a decryptor/loader used by Chinese threat actor Antlion in campaigns targeting Taiwan.

References

2022-02-06 | The Hacker News | Ravie Lakshmanan: "Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor". https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html (accessed 2022-02-09)
Families: xPack

2022-02-03 | Symantec | Symantec Threat Hunter Team: "Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan". https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks (accessed 2022-02-04)
Families: MimiKatz, xPack, Antlion

2021-12-14 | Trend Micro | Nick Dai, Ted Lee, Vickie Su: "Collecting In the Dark: Tropic Trooper Targets Transportation and Government". https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html (accessed 2022-03-30)
Families: ChiserClient, Ghost RAT, Lilith, Quasar RAT, xPack
Yara Rules
[TLP:WHITE] win_xpack_w0 (20220207 | No description)
rule win_xpack_w0 {
    meta:
        author = "Symantec, a division of Broadcom"
        source = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
        hash = "390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack"
        malpedia_rule_date = "20220207"
        malpedia_hash = ""
        malpedia_version = "20220207"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "C:\\Windows\\inf\\wdnvsc.inf" wide fullword
        $s2 = "PackService" wide fullword
        $s3 = "xPackSvc" wide fullword
        $s4 = "eG#!&5h8V$" wide fullword
    condition:
        // "MZ" DOS header and "PE\0\0" signature at e_lfanew: restrict to PE files
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and 3 of them
}
[TLP:WHITE] win_xpack_w1 (20220207 | No description)
rule win_xpack_w1 {
    meta:
        author = "Symantec, a division of Broadcom"
        source = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
        hash = "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack"
        malpedia_rule_date = "20220207"
        malpedia_hash = ""
        malpedia_version = "20220207"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // error strings from the loader; "destoryed" is the sample's own spelling
        $s1 = "Length or Hash destoryed" wide fullword
        $s2 = "tag unmatched" wide fullword
        $s3 = "File size mismatch" wide fullword
        $s4 = "DESFile" wide fullword
        // .NET resource names observed across variants
        $p1 = "fomsal.Properties.Resources.resources" wide fullword
        $p2 = "xPack.Properties.Resources.resources" wide fullword
        $p3 = "foslta.Properties.Resources.resources" wide fullword
    condition:
        // "MZ" DOS header and "PE\0\0" signature at e_lfanew: restrict to PE files
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and (2 of ($s*) or any of ($p*))
}