Sneed-Reactivity/yara-Neo23x0/apt_lnx_kobalos.yar

76 lines
3.3 KiB
Text
Raw Permalink Normal View History

// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2020, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
rule APT_MAL_LNX_Kobalos {
meta:
description = "Kobalos malware"
author = "Marc-Etienne M.Leveille"
date = "2020-11-02"
reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
id = "dfa47e30-c093-57f6-af01-72a2534cc6f4"
strings:
$encrypted_strings_sizes = {
05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
}
$password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
$rsa_512_mod_header = { 10 11 02 00 09 02 00 }
$strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }
condition:
uint16(0) == 0x457f and /* modification by Florian Roth to avoid false posirives */
any of them
}
rule APT_MAL_LNX_Kobalos_SSH_Credential_Stealer {
meta:
description = "Kobalos SSH credential stealer seen in OpenSSH client"
author = "Marc-Etienne M.Leveille"
date = "2020-11-02"
reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
id = "0f923f92-c5d8-500d-9a2e-634ca7945c5c"
strings:
$ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"
condition:
uint16(0) == 0x457f and /* modification by Florian Roth to avoid false posirives */
any of them
}