Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_macos_proton_rat_generic.yara


include "../../MachO.yara"
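// Generic detector for the macOS "Proton" RAT family.
//
// Heuristic: the sample combines two open-source components that are
// individually benign -- Facebook's SocketRocket WebSocket client and
// joeroback's SSHTunnel wrapper. The rule fires on any Mach-O that carries
// recognisable strings from BOTH libraries; it does not look for any
// Proton-specific artefact. Treat hits as a triage lead, not a verdict:
// a legitimate app that embeds both libraries will also match, so confirm
// with the references below (persistence, C2, credential theft behaviour)
// before acting on a match.
//
// Requires the `MachO` rule from ../../MachO.yara (pulled in by the include
// at the top of this file) to restrict matching to Mach-O images.
rule malware_macos_proton_rat_generic
{
    meta:
        description = "Generic detection for the macOS Proton RAT: Mach-O embedding both SocketRocket and SSHTunnel strings"
        reference = "https://objective-see.com/blog/blog_0x1D.html"
        reference2 = "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/"
        author = "@mimeframe"
        md5 = "6a2d0c8b20efc3fa283176a4bc76d6fd"
        false_positives = "Benign Mach-O binaries bundling both SocketRocket and SSHTunnel; review before blocking"
    strings:
        // WebSocket client: https://github.com/facebook/SocketRocket
        $a1 = "SRWebSocket" nocase wide ascii
        $a2 = "SocketRocket" nocase wide ascii
        // SSH tunnel helper log messages: https://github.com/joeroback/SSHTunnel/
        $b1 = "SSH tunnel not launched" nocase wide ascii
        $b2 = "SSH tunnel still running" nocase wide ascii
        $b3 = "SSH tunnel already launched" nocase wide ascii
        $b4 = "Entering interactive session." nocase wide ascii
    condition:
        // Must be a Mach-O AND show evidence of both embedded libraries;
        // either family alone is too common in legitimate software.
        MachO and any of ($a*) and any of ($b*)
}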