Sneed-Reactivity/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar

rule APT32_ActiveMime_Lure{
	meta:
		filetype = "MIME entity"
		author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"
		date = "2017-03-02"
		description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"
		reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
	strings:
		$a1 = "office_text" wide ascii
		$a2 = "schtasks /create /tn" wide ascii
		$a3 = "scrobj.dll" wide ascii
		$a4 = "new-object net.webclient" wide ascii
		$a5 = "GetUserName" wide ascii
		$a6 = "WSHnet.UserDomain" wide ascii
		$a7 = "WSHnet.UserName" wide ascii
	condition:
		4 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule APT32_ActiveMime_Lure{`
			`meta:`
			`filetype = "MIME entity"`
			`author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"`
			`date = "2017-03-02"`
			`description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"`
			`reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"`
			`strings:`
			`$a1 = "office_text" wide ascii`
			`$a2 = "schtasks /create /tn" wide ascii`
			`$a3 = "scrobj.dll" wide ascii`
			`$a4 = "new-object net.webclient" wide ascii`
			`$a5 = "GetUserName" wide ascii`
			`$a6 = "WSHnet.UserDomain" wide ascii`
			`$a7 = "WSHnet.UserName" wide ascii`
			`condition:`
			`4 of them`
			`}`