20 lines
679 B
Text
20 lines
679 B
Text
|
rule trojan_win_backwash_cpp : XEGroup
|
||
|
{
|
||
|
meta:
|
||
|
author = "threatintel@volexity.com"
|
||
|
description = "CPP loader for the Backwash malware."
|
||
|
reference = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
|
||
|
date = "2021-11-17"
|
||
|
hash1 = "0cf93de64aa4dba6cec99aa5989fc9c5049bc46ca5f3cb327b49d62f3646a852"
|
||
|
memory_suitable = 1
|
||
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
|
||
|
strings:
|
||
|
$s1 = "cor1dbg.dll" wide
|
||
|
$s2 = "XEReverseShell.exe" wide
|
||
|
$s3 = "XOJUMAN=" wide
|
||
|
|
||
|
condition:
|
||
|
2 of them
|
||
|
}
|