76 lines
3.3 KiB
Text
76 lines
3.3 KiB
Text
|
// For feedback or questions contact us at: github@eset.com
|
||
|
// https://github.com/eset/malware-ioc/
|
||
|
//
|
||
|
// These YARA rules are provided to the community under the two-clause BSD
|
||
|
// license as follows:
|
||
|
//
|
||
|
// Copyright (c) 2020, ESET
|
||
|
// All rights reserved.
|
||
|
//
|
||
|
// Redistribution and use in source and binary forms, with or without
|
||
|
// modification, are permitted provided that the following conditions are met:
|
||
|
//
|
||
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
||
|
// list of conditions and the following disclaimer.
|
||
|
//
|
||
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer in the documentation
|
||
|
// and/or other materials provided with the distribution.
|
||
|
//
|
||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
||
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
//
|
||
|
|
||
|
rule APT_MAL_LNX_Kobalos {
|
||
|
meta:
|
||
|
description = "Kobalos malware"
|
||
|
author = "Marc-Etienne M.Leveille"
|
||
|
date = "2020-11-02"
|
||
|
reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
|
||
|
source = "https://github.com/eset/malware-ioc/"
|
||
|
license = "BSD 2-Clause"
|
||
|
version = "1"
|
||
|
|
||
|
id = "dfa47e30-c093-57f6-af01-72a2534cc6f4"
|
||
|
strings:
|
||
|
$encrypted_strings_sizes = {
|
||
|
05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
|
||
|
08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
|
||
|
01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
|
||
|
05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
|
||
|
}
|
||
|
$password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
|
||
|
$rsa_512_mod_header = { 10 11 02 00 09 02 00 }
|
||
|
$strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }
|
||
|
|
||
|
condition:
|
||
|
uint16(0) == 0x457f and /* modification by Florian Roth to avoid false posirives */
|
||
|
any of them
|
||
|
}
|
||
|
|
||
|
rule APT_MAL_LNX_Kobalos_SSH_Credential_Stealer {
|
||
|
meta:
|
||
|
description = "Kobalos SSH credential stealer seen in OpenSSH client"
|
||
|
author = "Marc-Etienne M.Leveille"
|
||
|
date = "2020-11-02"
|
||
|
reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
|
||
|
source = "https://github.com/eset/malware-ioc/"
|
||
|
license = "BSD 2-Clause"
|
||
|
version = "1"
|
||
|
|
||
|
id = "0f923f92-c5d8-500d-9a2e-634ca7945c5c"
|
||
|
strings:
|
||
|
$ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"
|
||
|
|
||
|
condition:
|
||
|
uint16(0) == 0x457f and /* modification by Florian Roth to avoid false posirives */
|
||
|
any of them
|
||
|
}
|