
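rule FE_LEGALSTRIKE_MACRO {
    // Flags VBA macros that build their command line from ChrW() character
    // concatenations. Decoded, the eight $ob fragments below spell out
    // "regsvr32.exe /s /n /u /i:https://lyncdiscover.2bunny.com/Autodiscover scrobj.dll",
    // the loader command line from sample 30f149479c02b741e897cdb9ecd22da7.
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
        // Meta entries must be `key = "value"`; the bare `reference: URL` form
        // in the published rule is not valid YARA meta syntax and keeps the
        // whole file from compiling.
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
    strings:
        // OBFUSCATION: literal ChrW() runs, ten characters per fragment
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        // Generic shapes of the same concatenation: eight `&`-joined 5-char
        // tokens, or seven consecutive `ChrW(n) & ` terms.
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        // The published regex spelled the function `Chrw`; YARA regexes are
        // case-sensitive, so it could never match the `ChrW(` text the $ob
        // strings look for and the `all of ($obreg*)` branch was dead. VBA
        // identifiers are case-insensitive, so match any casing.
        $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/ nocase
        // wscript: the shell object used to run the decoded command line
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        // Skip PE images (file starts with "MZ"); the targets are documents
        // and extracted macro text.
        uint16(0) != 0x5A4D
        and all of ($wsobj*)
        // NOTE: the `$ob*` wildcard also matches $obreg1/$obreg2, so the
        // "3 of" count is taken over all ten $ob-prefixed strings.
        and (3 of ($ob*) or all of ($obreg*))
}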
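rule FE_LEGALSTRIKE_MACRO_2 {
    // Flags the variant macro that resolves the 32-bit PowerShell path via
    // Environ() and launches a hidden, Base64/Deflate-packed command.
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
        // Meta entries must be `key = "value"`; the bare `reference: URL` form
        // in the published rule is not valid YARA meta syntax.
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
    strings:
        // Setting the environment: architecture check and the explicit
        // syswow64 PowerShell path built from %windir%
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // powershell command fragments: no-profile / non-interactive / hidden
        // window switches plus the Base64 -> Deflate -> StreamReader unpacker
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        // Non-word char, a word, two-or-more whitespace, then a quoted string
        $psregex1 = /\W\w+\s+\s\".+\"/
    condition:
        // Skip PE images (file starts with "MZ").
        uint16(0) != 0x5A4D
        and all of ($env*)
        // NOTE: the `$ps*` wildcard also matches $psregex1, so the "6 of" and
        // "4 of" counts are taken over all ten $ps-prefixed strings.
        and (
            6 of ($ps*)
            or (4 of ($ps*) and all of ($psregex*))
        )
}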
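rule FE_LEGALSTRIKE_RTF {
    // Flags the RTF lure: an embedded OLE2Link object whose hex-encoded
    // stream carries an http URL on the 2bunny.com domain, with the hex
    // bytes split across `{` RTF group markers.
    meta:
        version = ".1"
        // Carried over from the macro rules; this rule matches RTF documents.
        filetype = "MACRO"
        author = "joshua.kim@FireEye.com"
        date = "2017-06-02"
        description = "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
        // Meta entries must be `key = "value"`; the bare `reference: URL` form
        // in the published rule is not valid YARA meta syntax.
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
    strings:
        // RTF magic "{\rt" (anchored to offset 0 in the condition)
        $header = "{\\rt"
        // UTF-16LE "LinkInfo" as hex text
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        // ASCII "OLE2Link", then UTF-16LE "Root Entry", "ObjInfo", "Ole" as hex text
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"
        // Hex bytes of "ht" ('h' = 68, 't' = 74) each followed by an RTF group
        // opener; the "07{" fragment presumably continues the split encoding
        // of the URL -- confirm against the sample before tightening.
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"
        // 2bunny.com, one hex byte per fragment (32 62 75 6e 6e 79 2e 63 6f 6d),
        // each followed by "{\"
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"
        // RTF "\*\datastore" destination
        $datastore = "\\*\\datastore"
    condition:
        // `all of them` already includes $header; the `at 0` term additionally
        // pins the RTF magic to the start of the file.
        $header at 0 and all of them
}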