36 lines
1.3 KiB
Text
36 lines
1.3 KiB
Text
|
rule trojan_any_pupyrat_b : Commodity
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
author = "threatintel@volexity.com"
|
||
|
|
description = "Detects the PUPYRAT malware family, a cross-platform RAT written in Python."
|
||
|
|
date = "2022-04-07"
|
||
|
|
hash1 = "7474a6008b99e45686678f216af7d6357bb70a054c6d9b05e1817c8d80d536b4"
|
||
|
|
reference = "https://github.com/n1nj4sec/pupy"
|
||
|
|
reference2 = "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
|
||
|
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
|
memory_suitable = 1
|
||
|
|
|
||
|
|
strings:
|
||
|
|
$elf1 = "LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null" ascii
|
||
|
|
$elf2 = "reflective_inject_dll" fullword ascii
|
||
|
|
$elf3 = "ld_preload_inject_dll" fullword ascii
|
||
|
|
|
||
|
|
$pupy1 = "_pupy.error" ascii
|
||
|
|
$pupy2 = "_pupy" ascii
|
||
|
|
$pupy3 = "pupy://" ascii
|
||
|
|
|
||
|
|
$s1 = "Args not passed" ascii
|
||
|
|
$s2 = "Too many args" ascii
|
||
|
|
$s3 = "Can't execute" ascii
|
||
|
|
$s4 = "mexec:stdin" ascii
|
||
|
|
$s5 = "mexec:stdout" ascii
|
||
|
|
$s6 = "mexec:stderr" ascii
|
||
|
|
$s7 = "LZMA error" ascii
|
||
|
|
|
||
|
|
|
||
|
|
condition:
|
||
|
|
any of ($elf*) or
|
||
|
|
all of ($pupy*) or
|
||
|
|
all of ($s*)
|
||
|
|
}
|