Backdoor_Naikon_APT_Sample1

YARA-2015-0248 High general Active

Detects backdoors related to the Naikon APT

Backdoor_Naikon_APT_Sample1.yar Valid Syntax


rule Backdoor_Naikon_APT_Sample1 {
	meta:
		description = "Detects backdoors related to the Naikon APT"
		author = "Florian Roth"
		reference = "https://goo.gl/7vHyvh"
		date = "2015-05-14"
		hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
		hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
	strings:
		$x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
		$x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
		$x2 = "greensky27.vicp.net" fullword ascii
		$x3 = "\\tempvxd.vxd.dll" fullword wide
		$x4 = "otna.vicp.net" fullword ascii
		$x5 = "smithking19.gicp.net" fullword ascii
		
		$s1 = "User-Agent: webclient" fullword ascii
		$s2 = "\\User.ini" fullword ascii
		$s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
		$s4 = "\\UserProfile.dll" fullword wide
		$s5 = "Connection:Keep-Alive: %d" fullword ascii
		$s6 = "Referer: http://%s:%d/" fullword ascii
		$s7 = "%s %s %s %d %d %d " fullword ascii
		$s8 = "%s--%s" fullword wide
		$s9 = "Run File Success!" fullword wide
		$s10 = "DRIVE_REMOTE" fullword wide
		$s11 = "ProxyEnable" fullword wide
		$s12 = "\\cmd.exe" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and
		(
			1 of ($x*) or 7 of ($s*)
		)
}

Rule Metadata

description

Detects backdoors related to the Naikon APT

author

Florian Roth

reference

https://goo.gl/7vHyvh

date

2015-05-14

hash

f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96

String Definitions

{"name":"$x0","value":"\"GET http:\/\/%s:%d\/aspxabcdef.asp?%s HTTP\/1.1\" fullword ascii"}

{"name":"$x1","value":"\"POST http:\/\/%s:%d\/aspxabcdefg.asp?%s HTTP\/1.1\" fullword ascii"}

{"name":"$x2","value":"\"greensky27.vicp.net\" fullword ascii"}

{"name":"$x3","value":"\"\\\\tempvxd.vxd.dll\" fullword wide"}

{"name":"$x4","value":"\"otna.vicp.net\" fullword ascii"}

{"name":"$x5","value":"\"smithking19.gicp.net\" fullword ascii"}

{"name":"$s1","value":"\"User-Agent: webclient\" fullword ascii"}

{"name":"$s2","value":"\"\\\\User.ini\" fullword ascii"}

{"name":"$s3","value":"\"User-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko\/200\" ascii"}

{"name":"$s4","value":"\"\\\\UserProfile.dll\" fullword wide"}

{"name":"$s5","value":"\"Connection:Keep-Alive: %d\" fullword ascii"}

{"name":"$s6","value":"\"Referer: http:\/\/%s:%d\/\" fullword ascii"}

{"name":"$s7","value":"\"%s %s %s %d %d %d \" fullword ascii"}

{"name":"$s8","value":"\"%s--%s\" fullword wide"}

{"name":"$s9","value":"\"Run File Success!\" fullword wide"}

{"name":"$s10","value":"\"DRIVE_REMOTE\" fullword wide"}

{"name":"$s11","value":"\"ProxyEnable\" fullword wide"}

{"name":"$s12","value":"\"\\\\cmd.exe\" fullword wide"}

Threat Analysis

This YARA rule is designed to detect general threats.

Severity Level: High

The rule uses pattern matching to identify specific byte sequences, strings, or behavioral patterns associated with malicious activity.

Detection Capabilities

File-based detection for executables and documents
Memory scanning for running processes
Network traffic analysis support

Command Line Usage

# Scan a single file
yara Backdoor_Naikon_APT_Sample1.yar /path/to/suspicious/file

# Scan a directory recursively
yara -r Backdoor_Naikon_APT_Sample1.yar /path/to/directory/

# Scan with metadata output
yara -m Backdoor_Naikon_APT_Sample1.yar target_file

# Scan process memory (Linux)
yara Backdoor_Naikon_APT_Sample1.yar /proc/[pid]/exe

Integration Examples

Python (yara-python)

import yara
rules = yara.compile(filepath='Backdoor_Naikon_APT_Sample1.yar')
matches = rules.match('/path/to/file')

ClamAV Integration

clamscan --yara-rules=Backdoor_Naikon_APT_Sample1.yar /path/to/scan

Rule Information

YARA ID

YARA-2015-0248

Author

Florian Roth

Repository

mikesxrs_Open-Source-YARA-rules

Created

August 19, 2025

Last Updated

August 19, 2025

Last Imported

Never

Threat Intelligence

Risk Level High

Category general

Detection Confidence Analysis Pending

False Positive Rate Not Available

Last Seen in Wild No Data

Related Rules

apt_actor_tran_duy_linh

Apolmy_Privesc_Trojan

YARA-2015-0069

Medium

Emissary_APT_Malware_1

YARA-2016-0154

Medium

Export Options

Similar Rules in general

YARA-2023-0001 CRI

Detect_Mimic_Ransomware

YARA-2023-0002 MED

SystemBC_malware

Detect_SystemBC

YARA-2023-0003 MED

detect_catB

detect_CatB_ransomware

YARA-2022-0001 MED

detect_Typhon_Stealer

YARA-2023-0004 MED

Nosu_stealer

Detect_Nosu_stealer

YARA-2022-0002 MED

detect_Lumma_stealer

YARA-2022-0003 MED

detect_StrelaStealer

YARA-2022-0004 MED

Backdoor_Naikon_APT_Sample1

Rule Metadata

String Definitions

Threat Analysis

Detection Capabilities

Command Line Usage

Integration Examples

Python (yara-python)

ClamAV Integration

Rule Information

Threat Intelligence

Related Rules

Export Options

Similar Rules in general

Detect_Mimic_Ransomware

SystemBC_malware

detect_catB

detect_Typhon_Stealer

Nosu_stealer

detect_Lumma_stealer

detect_StrelaStealer

detect_silence_Downloader