Sneed-Reactivity/yara-mikesxrs/Volexity/apt_win_bluelight_b.yar

102 lines
4.4 KiB
Text
Raw Permalink Normal View History

rule apt_win_bluelight_b : InkySquid
{
meta:
author = "threatintel@volexity.com"
description = "North Korean origin malware which uses a custom Google App for c2 communications."
reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
date = "2021-06-21"
hash1 = "837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed"
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
strings:
$magic = "host_name: %ls, cookie_name: %s, cookie: %s, CT: %llu, ET: %llu, value: %s, path: %ls, secu: %d, http: %d, last: %llu, has: %d"
$f1 = "%ls.INTEG.RAW" wide
$f2 = "edb.chk" ascii
$f3 = "edb.log" ascii
$f4 = "edbres00001.jrs" ascii
$f5 = "edbres00002.jrs" ascii
$f6 = "edbtmp.log" ascii
$f7 = "cheV01.dat" ascii
$chrome1 = "Failed to get chrome cookie"
$chrome2 = "mail.google.com, cookie_name: OSID"
$chrome3 = ".google.com, cookie_name: SID,"
$chrome4 = ".google.com, cookie_name: __Secure-3PSID,"
$chrome5 = "Failed to get Edge cookie"
$chrome6 = "google.com, cookie_name: SID,"
$chrome7 = "google.com, cookie_name: __Secure-3PSID,"
$chrome8 = "Failed to get New Edge cookie"
$chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
$chrome10 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
$chrome11 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
$chrome12 = "https://mail.google.com"
$chrome13 = "result.html"
$chrome14 = "GM_ACTION_TOKEN"
$chrome15 = "GM_ID_KEY="
$chrome16 = "/mail/u/0/?ik=%s&at=%s&view=up&act=prefs"
$chrome17 = "p_bx_ie=1"
$chrome18 = "myaccount.google.com, cookie_name: OSID"
$chrome19 = "Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3"
$chrome20 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
$chrome21 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
$chrome22 = "https://myaccount.google.com"
$chrome23 = "result.html"
$chrome24 = "myaccount.google.com"
$chrome25 = "/_/AccountSettingsUi/data/batchexecute"
$chrome26 = "f.req=%5B%5B%5B%22BqLdsd%22%2C%22%5Btrue%5D%22%2Cnull%2C%22generic%22%5D%5D%5D&at="
$chrome27 = "response.html"
$msg1 = "https_status is %s"
$msg2 = "Success to find GM_ACTION_TOKEN and GM_ID_KEY"
$msg3 = "Failed to find GM_ACTION_TOKEN and GM_ID_KEY"
$msg4 = "Failed HttpSendRequest to mail.google.com"
$msg5 = "Success to enable imap"
$msg6 = "Failed to enable imap"
$msg7 = "Success to find SNlM0e"
$msg8 = "Failed to find SNlM0e"
$msg9 = "Failed HttpSendRequest to myaccount.google.com"
$msg10 = "Success to enable thunder access"
$msg11 = "Failed to enable thunder access"
$keylogger_component1 = "[TAB]"
$keylogger_component2 = "[RETURN]"
$keylogger_component3 = "PAUSE"
$keylogger_component4 = "[ESC]"
$keylogger_component5 = "[PAGE UP]"
$keylogger_component6 = "[PAGE DOWN]"
$keylogger_component7 = "[END]"
$keylogger_component8 = "[HOME]"
$keylogger_component9 = "[ARROW LEFT]"
$keylogger_component10 = "[ARROW UP]"
$keylogger_component11 = "[ARROW RIGHT]"
$keylogger_component12 = "[ARROW DOWN]"
$keylogger_component13 = "[INS]"
$keylogger_component14 = "[DEL]"
$keylogger_component15 = "[WIN]"
$keylogger_component16 = "[NUM *]"
$keylogger_component17 = "[NUM +]"
$keylogger_component18 = "[NUM ,]"
$keylogger_component19 = "[NUM -]"
$keylogger_component20 = "[NUM .]"
$keylogger_component21 = "NUM /]"
$keylogger_component22 = "[NUMLOCK]"
$keylogger_component23 = "[SCROLLLOCK]"
$keylogger_component24 = "Time: "
$keylogger_component25 = "Window: "
$keylogger_component26 = "CAPSLOCK+"
$keylogger_component27 = "SHIFT+"
$keylogger_component28 = "CTRL+"
$keylogger_component29 = "ALT+"
condition:
$magic or
(
all of ($f*) and
5 of ($keylogger_component*)
) or
24 of ($chrome*) or
4 of ($msg*) or
27 of ($keylogger_component*)
}