216.73.217.64

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:43 · Modified 21/12/2025 03:58

Essential information

Value / Name
M_APT_Backdoor_NICECURL_1
Confidence
100/100
Revoked
Yes
Valid from
03/05/2024 12:24
Valid until
06/08/2025 12:24
Pattern type
yara
Published
20/12/2025 19:43
Modified
21/12/2025 03:58
Author / Source
AlienVault

Description

M_APT_Backdoor_NICECURL_1

Pattern

rule M_APT_Backdoor_NICECURL_1 {
	meta:
		author = "Mandiant"
		md5 = "c23663ebdfbc340457201dbec7469386"
		date_created = "2024-01-18"
	    date_modified = "2024-01-18"
	    rev = "1"
	strings:
		$ = "a = \"llehS.tpircsW\"" ascii wide
		$ = "b = StrReverse(a)" ascii wide
		$ = "Set objShell = wscript.CreateObject(b)"
		$ = "WHFilePath = Temp & \"/\" & ProgName" ascii wide
		$ = "Do While not FileExists(WHFilePath)" ascii wide
		$ = "cmd /C start /MIN curl --ssl-no-revoke -s -d \"\"\"" ascii wide
		$ = "nicecmdPath = Temp & \"/\" & ProgName" ascii wide
		$ = "Function RunCom(Com, Url, nicecmdPath)" ascii wide
		$ = "ComDecode = Base64Decode(Com)" ascii wide
		$ = "InStr(ComDecode, \"kill\")" ascii wide
		$ = "InStr(ComDecode, \"SetNewConfig\")" ascii wide
		$ = "InStr(ComDecode, \"Module\")" ascii wide
		$ = "Sub DeleteFile(filespec)" ascii wide
		$ = "Sub CopyFile(Src, Dst)" ascii wide
		$ = "Function SendData(sUrl, sRequest, nicecmdPath)" ascii wide
		$ = "Function WriteToFile(FilePath, data)" ascii wide
		$ = "Function GetSystemCaption()" ascii wide
		$ = "Function GetPlainSess()" ascii wide
	condition:
	4 of them
}

Labels / Tags

Labels: apt cve-2021-44228 cyber espionage iran nicecurl tamecat

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.