
[Rule Idea] - Lazarus Decode Method

Open re-fox opened this issue 4 years ago • 0 comments

Prerequisites

  • [x] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

Lazarus uses a custom string decoding algorithm: the string is first base64-decoded and then passed through a custom routine built from arithmetic operations. Highlighted in the blog post here -> https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/

Examples

Features

  • & 0x7f8
  • << 0x14
  • 0xFFFFFF80
  • << 0x11
  • nzxor with counts
  • characteristic loop

Additional context


Rule details

Namespace

Could fit in either

  • data-manipulation/encoding
  • anti-analysis/obfuscation/string

References

  • https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
  • https://github.com/hackOtack/Malware/blob/main/lazerous_string_decoder.cpp

Other rule meta information

re-fox, Apr 20 '21 14:04
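A draft capa rule assembled from the feature list in the issue, added here as an illustration and not a rule from the capa-rules project. The rule name, the choice of namespace, the `shl`/`and` mnemonics, the `2 or more` nzxor threshold and the 2021-era `scope:` meta key are assumptions; the sample hash is a placeholder because the issue gives none.

```yaml
rule:
  meta:
    name: decode strings using Lazarus custom arithmetic routine
    namespace: data-manipulation/encoding
    authors:
      - "<author placeholder>"
    scope: function
    references:
      - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
      - https://github.com/hackOtack/Malware/blob/main/lazerous_string_decoder.cpp
    examples:
      - "<sha256 of a matching sample; placeholder, not in the issue>"
  features:
    - and:
      # the decode routine iterates over the base64-decoded buffer
      - characteristic: loop
      # mixing step: non-zeroing xor seen more than once in the function
      - count(characteristic(nzxor)): 2 or more
      # constants listed in the issue (mask, shift amounts, sign-extension mask)
      - number: 0x7F8
      - number: 0x14
      - number: 0xFFFFFF80
      - number: 0x11
      # supporting evidence only; does not change whether the rule matches
      - optional:
        - mnemonic: shl
        - mnemonic: and
```

The rule is a starting point for the maintainers to tune: a real sample hash under `examples` and a check with `capa -v` against that sample are needed before the `and` block can be trusted not to fire on unrelated code that happens to use the same constants.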