46 lines
1.5 KiB
Text
46 lines
1.5 KiB
Text
|
import "pe"
|
||
|
rule DevilsTongue_HijackDll
|
||
|
{
|
||
|
meta:
|
||
|
description = "Detects SOURGUM's DevilsTongue hijack DLL"
|
||
|
reference = "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/"
|
||
|
author = "Microsoft Threat Intelligence Center (MSTIC)"
|
||
|
date = "2021-07-15"
|
||
|
strings:
|
||
|
$str1 = "windows.old\\windows" wide
|
||
|
$str2 = "NtQueryInformationThread"
|
||
|
$str3 = "dbgHelp.dll" wide
|
||
|
$str4 = "StackWalk64"
|
||
|
$str5 = "ConvertSidToStringSidW"
|
||
|
$str6 = "S-1-5-18" wide
|
||
|
$str7 = "SMNew.dll" // DLL original name
|
||
|
// Call check in stack manipulation
|
||
|
// B8 FF 15 00 00 mov eax, 15FFh
|
||
|
// 66 39 41 FA cmp [rcx-6], ax
|
||
|
// 74 06 jz short loc_1800042B9
|
||
|
// 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ; 'è'
|
||
|
$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}
|
||
|
// PRNG to generate number of times to sleep 1s before exiting
|
||
|
// 44 8B C0 mov r8d, eax
|
||
|
// B8 B5 81 4E 1B mov eax, 1B4E81B5h
|
||
|
// 41 F7 E8 imul r8d
|
||
|
// C1 FA 05 sar edx, 5
|
||
|
// 8B CA mov ecx, edx
|
||
|
// C1 E9 1F shr ecx, 1Fh
|
||
|
// 03 D1 add edx, ecx
|
||
|
// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch
|
||
|
// 44 2B C1 sub r8d, ecx
|
||
|
// 45 85 C0 test r8d, r8d
|
||
|
// 7E 19 jle short loc_1800014D0
|
||
|
$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}
|
||
|
condition:
|
||
|
filesize < 800KB and
|
||
|
uint16(0) == 0x5A4D and
|
||
|
(pe.characteristics & pe.DLL) and
|
||
|
(
|
||
|
4 of them or
|
||
|
($code1 and $code2) or
|
||
|
(pe.imphash() == "9a964e810949704ff7b4a393d9adda60")
|
||
|
)
|
||
|
}
|