Sneed-Reactivity/yara-mikesxrs/alienvault/PrismaticSuccessor.yar


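// Detects the PrismaticSuccessor Linux backdoor described in the referenced
// Alien Labs write-up. A hit requires the ELF magic, a plausible file-size
// window, most of the operator-facing banner/format strings, the full call
// sequence in $c1 and exactly two copies of the $shellcode loop.
rule PrismaticSuccessor : LinuxMalware
{
    meta:
        author = "AlienLabs"
        description = "Prismatic Successor malware backdoor"
        // SHA-256 of the analysed sample.
        reference = "aaeee0e6f7623f0087144e6e318441352fef4000e7a8dd84b74907742c244ff5"
        // The URL string was left unterminated in the original; an unclosed
        // quote makes the whole file fail to compile.
        reference2 = "https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar"
        copyright = "Alienvault Inc. 2021"

    strings:
        // Status output written by the backdoor: an echo prefix, ANSI-coloured
        // "[+]" markers followed by shell command substitutions, and the
        // printf formats used to report the C2 host and port.
        $s1 = "echo -e \""
        $s2 = "[\x1B[32m+\x1B[0m]`/bin/hostname`"
        $s3 = "[\x1B[32m+\x1B[0m]`/usr/bin/id`"
        $s4 = "[\x1B[32m+\x1B[0m]`uname -r`"
        $s5 = "[+]HostUrl->\t%s\n"
        $s6 = "[+]PortUrl->\t%s\n"
        // Lock-file path embedded in the sample.
        $s7 = "/var/run/sshd.lock"

        // Short x86-64 loop: 48 31 C9 (xor rcx,rcx) and 48 81 E9 imm32
        // (sub rcx,imm32) set up a counter, 48 8D 05 disp32 is a RIP-relative
        // lea, 48 BB imm64 loads a 64-bit constant, 48 31 / 48 2D XOR and SUB
        // against it, and E2 F4 is LOOP with a -12 displacement. The wildcard
        // jumps cover the immediates/displacements so relinked builds still
        // match. Looks like a decoder stub — confirm against the sample
        // before relying on that reading.
        $shellcode = {
            48 31 C9
            48 81 E9 [4]
            48 8D 05 [4]
            48 BB [8]
            48 31 [2]
            48 2D [2-4]
            E2 F4
        }

        // Three `mov eax,[rbp+disp8]; mov esi,N; mov edi,eax; call rel32`
        // groups with N = 0, 1, 2, then a fourth call taking two immediates.
        // Under the SysV x86-64 ABI edi/esi are the first two arguments, so
        // this is consistent with the same function being applied to fds
        // 0, 1 and 2 (dup2-style stdio redirection) — TODO confirm.
        $c1 = {
            8B 45 ??
            BE 00 00 00 00
            89 C7
            E8 [4]
            8B 45 ??
            BE 01 00 00 00
            89 C7
            E8 [4]
            8B 45 ??
            BE 02 00 00 00
            89 C7
            E8 [4]
            8B 45 ??
            BA [4]
            BE [4]
            89 C7
            E8
        }

    condition:
        // 0x464C457F is "\x7fELF" read as a little-endian uint32.
        uint32(0) == 0x464C457F and
        // filesize is only defined for file scans; in process-memory scans
        // this clause is undefined and the rule will not fire.
        filesize > 500KB and filesize < 5MB and
        // Tolerate up to two altered or stripped banner/format strings.
        5 of ($s*) and
        all of ($c*) and
        // The loop in $shellcode is expected exactly twice in the binary.
        #shellcode == 2
}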