{
	"id": "0f8a3380-194f-4ff7-ba53-89794c37e868",
	"created_at": "2026-04-06T00:15:26.688338Z",
	"updated_at": "2026-04-10T03:35:21.354964Z",
	"deleted_at": null,
	"sha1_hash": "4e5d653137e8c8e4e0dfcc7267519ed4200aaef8",
	"title": "securitykitten.github.io/_posts/2014-11-25-curious-korlia.md at master · malware-kitten/securitykitten.github.io",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114683,
	"plain_text": "securitykitten.github.io/_posts/2014-11-25-curious-korlia.md at master ·\r\nmalware-kitten/securitykitten.github.io\r\nBy Nick Hoffman\r\nArchived: 2026-04-05 23:39:20 UTC\r\nlayout: category-post\r\ntitle: Curious Korlia\r\nexcerpt: aka, the bisonal backdoor\r\ndate: 2014-11-25 18:43:44 -0500\r\nIntroduction\r\nReverse engineers organize discrete pieces of malware into families. While digging through my malware collection I\r\nstumbled across this hash (B8FDFEE08DEEE5CCC1794BAF9ED553CE).\r\nIt turns out that this is a sample of the backdoor family known as Korlia. After doing some more digging, it turns out that\r\nKorlia doesn't seem to be that well documented or widely known. There is a little bit more written about it here.\r\nKorlia shares a lot of features with common remote access tools, such as:\r\nDownloading and executing files\r\nListing and controlling processes\r\nCreating and deleting files\r\nCreating a remote shell\r\nGiven the small amount of public information on Korlia, this made it a good candidate for further research. There isn't an\r\nobvious C2 address called out in strings, although there are some bizarre strings. Depending on luck, those might be actual\r\nstrings, or code that is being misinterpreted as a string.\r\nDiving in deeper on our first string:\r\nThere exists a cross reference to an address. For this case, that is a great sign! This particular piece of data is being\r\nreferenced somewhere in the code. Let's follow.\r\nIn this case we can see that the data is being referenced as global data, and it's mov'd into EDI. Shortly after, the value\r\n0x1f is loaded into BL. 
As a general side note, when you see static values being pushed into the lower bytes of a general\r\npurpose register this usually means that some loop is going to follow and byte by byte modify a string or array.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md\r\nPage 1 of 4\n\nThis can be roughly written in Ruby with the following code.\r\n{% highlight ruby %}{% raw %}\r\n# XOR each byte of the encoded string with the single-byte key 0x1f and print the result\r\n\"{ql{ql.1O~ll^l1jl\".each_byte {|x| print \"#{(x^0x1f).chr}\"}\r\n{% endraw %}{% endhighlight %}\r\nThis will return the following information:\r\ndnsdns1.PassAs.us\r\nAfter a little bit of hunting on VirusTotal, I was able to find the following samples, which have the following\r\nconfigurations.\r\nMD5|Config Offset|C2|C2|URL\r\n--- | --- | --- | --- | ---\r\n172d68e10715b915ab3268db2174192b|11280|kfsinfo.ByInter.net|61.90.202.197|http://fund.cmc.or.kr/UploadFile/fame/x/mh/o.asp\r\n211c25cdf120f5da8a2258b5d65cc263|14364|0906.toh.info|wew.myMom.info|http://fund.cmc.or.kr/UploadFile/fame/x/o0.asp\r\n37513c17acfb0b122ffdc3e51501ecc3|11792|since.qpoe.com|69.197.149.98|http://fund.cmc.or.kr/UploadFile/fame/x/o0.asp\r\n3f7b8f90acc4a01b3377942c409031dc|11808|mycount.MrsLove.com|mycount.MrsLove.com|http://fund.cmc.or.kr/UploadFile/fame/x/o\r\n5217a2fc910479d36947d8fe6791d734|12816|mycount.MrsLove.com|mycount.MrsLove.com|http://fund.cmc.or.kr/UploadFile/fame/x/\r\n7807036a74b811c28f1fbb167ef545e3|15900|kazama.myfw.us||http://fund.cmc.or.kr/UploadFile/fame/x/o0.asp\r\n7865b3c7e7f40ead123e97aae5dc0a57|17948|shinkhek.myfw.us||http://61.90.202.198/jp/log2.asp\r\n932875565fc6a1356800aa9d3af01670|11792|usababa.myfw.us|indbaba.myfw.us|http://indbabababa.dns94.com/o.asp\r\nb57a30d94872e47186c7ef2e08e6e905|17440|mycount.MrsLove.com|mycount.MrsLove.com|http://fund.cmc.or.kr/UploadFile/fame/x/o\r\nb7981c7d028cbfd2f0fe2089de02b391|11792|jennifer998.lookin.at|196.44.49.154|http://fund.cmc.or.kr/UploadFile/fame/x/o0.asp\r\nb8fdfee08deee5ccc1794baf9ed553ce|11280|dnsdns1.PassAs.us|dnsdns1.PassAs.us|http://fund.cmc.or.kr/UploadFile/fame/x/o0.asp\r\nc96a92565553c7dc67267c78bc2809bb|14352|since.qpoe.com|applejp.myfw.us|http://fund.cmc.or.kr/UploadFile/fame/x/o0.asp\r\ncb0e358b534bdce8e2587ef3745b1723|11808|v3net.rr.nu|faceto.UglyAs.com|http://fund.cmc.or.kr/UploadFile/fame/x/mh/o.asp\r\ne47f4ca37db57a9f22d85e021dc891a6|12816|mycount.MrsLove.com|mycount.MrsLove.com|http://fund.cmc.or.kr/UploadFile/fame/x/o\r\nefe7598c675c1c71f0ad44cc686de587|17948|61.90.202.198|10.0.0.102|http://61.90.202.198/jp/log.asp\r\nThe next step in this process is to write a Yara rule looking for this sort of behavior. Writing Yara rules based on strings\r\nalone is often problematic, as strings are very easy to change and modify. In this case, since we understand how the decoder\r\nworks, writing a Yara rule for the loop is probably a better bet. While hunting I did find slight variations of the loop\r\n(highlighted in the Yara rule below). Those are accounted for in the final rule. 
The following rule will catch several variants\r\nof Korlia.\r\nrule korlia\r\n{\r\nmeta:\r\nauthor = \"Nick Hoffman \"\r\ncompany = \"CBTS - ACS\"\r\ninformation = \"korlia malware found in apt dump\"\r\n//case a\r\n//b2 1f mov dl, 0x1f ; mov key (wildcard)\r\n// -----------------\r\n//8A 86 98 40 00 71 mov al, byte ptr url[esi]\r\n//BF 98 40 00 71 mov edi, offset url\r\n//32 C2 xor al, dl\r\n//83 C9 FF or ecx, 0FFFFFFFFh\r\n//88 86 98 40 00 71 mov byte ptr url[esi], al\r\n//33 C0 xor eax, eax\r\n//46 inc esi\r\n//F2 AE repne scasb\r\n//F7 D1 not ecx\r\n//49 dec ecx\r\n//3B F1 cmp esi, ecx\r\n//72 DE jb short loc_71001DE0\r\n//case b (variant of loop a)\r\n//8A 8A 28 50 40 00 mov cl, byte_405028[edx]\r\n//BF 28 50 40 00 mov edi, offset byte_405028\r\n//32 CB xor cl, bl\r\n//33 C0 xor eax, eax\r\n//88 8A 28 50 40 00 mov byte_405028[edx], cl\r\n//83 C9 FF or ecx, 0FFFFFFFFh\r\n//42 inc edx\r\n//F2 AE repne scasb\r\n//F7 D1 not ecx\r\n//49 dec ecx\r\n//3B D1 cmp edx, ecx\r\n//72 DE jb short loc_4047F2\r\n//case c (not a variant of the above loop)\r\n//8A 0C 28 mov cl, [eax+ebp]\r\n//80 F1 28 xor cl, 28h\r\n//88 0C 28 mov [eax+ebp], cl\r\n//8B 4C 24 14 mov ecx, [esp+0D78h+var_D64]\r\n//40 inc eax\r\n//3B C1 cmp eax, ecx\r\n//7C EE jl short loc_404F1C\r\nstrings:\r\n$a = {b2 ?? 8A 86 98 40 00 71 BF 98 40 00 71 32 c2 83 C9 FF 88 86 98 40 00 71 33 C0 46 F2 AE F7 D1 49 3B F1}\r\n$b = {B3 ?? ?? ?? 8A 8A 28 50 40 00 BF 28 50 40 00 32 CB 33 C0 88 8A 28 50 40 00 83 C9 FF 42 F2 AE F7 D1 49 3B D1}\r\n$c = {8A 0C 28 80 F1 ?? 88 0C 28 8B 4C 24 14 40 3B C1}\r\n$d = {00 62 69 73 6F 6E 61 6C 00} //config marker \"\\x00bisonal\\x00\"\r\ncondition:\r\nany of them\r\n}\r\nSource: https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md"
	],
	"report_names": [
		"2014-11-25-curious-korlia.md"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e5d653137e8c8e4e0dfcc7267519ed4200aaef8.pdf",
		"text": "https://archive.orkl.eu/4e5d653137e8c8e4e0dfcc7267519ed4200aaef8.txt",
		"img": "https://archive.orkl.eu/4e5d653137e8c8e4e0dfcc7267519ed4200aaef8.jpg"
	}
}