// PANTEGANA (Go backdoor, source publicly available on GitHub) -- string-based detection.
// Two independent ways to hit: the embedded Go module path ($magic) on its own, or a
// majority of the backdoor's function names ($s1..$s6) present together.
rule trojan_golang_pantegana : Commodity
{
    meta:
        author = "threatintel@volexity.com"
        description = "Detects PANTEGANA, a Golang backdoor used by a range of threat actors due to its public availability."
        date = "2022-03-30"
        // 64 hex characters (SHA-256 length): the reference sample the rule was written against.
        hash1 = "8297c99391aae918f154077c61ea94a99c7a339166e7981d9912b7fdc2e0d4f0"
        reference = "https://github.com/elleven11/pantegana"
        reference2 = "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        // The condition carries no filesize gate, so the rule is usable on memory images as well as files.
        memory_suitable = 1

    strings:
        // Go module path as embedded in binaries built from the public repository;
        // specific enough to be sufficient on its own.
        $magic = "github.com/elleven11/pantegana" ascii

        // Function names of the backdoor's components. Some of these (e.g. RunClient,
        // bindataRead) are plausibly present in unrelated Go code, which is why the
        // condition requires five of the six rather than any one of them.
        $s1 = "RunFingerprinter" ascii
        $s2 = "SendSysInfo" ascii
        $s3 = "ExecAndGetOutput" ascii
        $s4 = "RequestCommand" ascii
        $s5 = "bindataRead" ascii
        $s6 = "RunClient" ascii

    condition:
        // Either path alone is a hit; ordering of the disjunction does not affect matching.
        $magic or 5 of ($s*)
}