// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
// The "pe" module is required by apt_Windows_InvisiMole_Wrapper_DLL below
// (pe.exports, pe.number_of_resources, pe.resources[].type / .name_string).
import "pe"
// Helper used by the other rules in this file to accept a bare InvisiMole blob
// (no MZ header) as an alternative to a PE file. Private: never reported alone.
private rule InvisiMole_Blob {
    meta:
        description = "Detects InvisiMole blobs by magic values"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Four-byte blob header magics. The identifier names encode the blob
        // format (old / new) and bitness (32 / 64) each magic belongs to.
        $magic_old_32 = {F9 FF D0 DE}
        $magic_old_64 = {64 FF D0 DE}
        $magic_new_32 = {86 DA 11 CE}
        $magic_new_64 = {64 DA 11 CE}

    condition:
        // A blob is recognised solely by one of the magics sitting at offset 0.
        for any of ($magic*) : ($ at 0)
}
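// Log files written by the RC2CL backdoor are recognised only by a 4-byte
// header magic; no further structure of the file is checked, so hits should be
// confirmed by inspecting the file body.
rule apt_Windows_InvisiMole_Logs {
    meta:
        // Wording fixed: the original read "with collected created by".
        description = "Detects log files with collected data created by InvisiMole's RC2CL backdoor"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    condition:
        // Little-endian 32-bit value at offset 0; one entry per known log type.
        uint32(0) == 0x08F1CAA1 or
        uint32(0) == 0x08F1CAA2 or
        uint32(0) == 0x08F1CCC0 or
        uint32(0) == 0x08F2AFC0 or
        uint32(0) == 0x083AE4DF or
        uint32(0) == 0x18F2CBB1 or
        uint32(0) == 0x1900ABBA or
        uint32(0) == 0x24F2CEA1 or
        uint32(0) == 0xDA012193 or
        uint32(0) == 0xDA018993 or
        uint32(0) == 0xDA018995 or
        uint32(0) == 0xDD018991
}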
rule apt_Windows_InvisiMole_SFX_Dropper {
    meta:
        description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Configuration fragment XOR-encrypted with the single-byte key 0x2A.
        // Every 0x2A in the pattern is a NUL in the plaintext; decoding the
        // pattern with the key yields, in order: "user32.dll", "wsprintfW",
        // a UTF-16 "%sRar$EXa%d.%d\%S" path format, "ShellExecuteW",
        // "Shell32.dll", "VirtualAlloc", "LoadLibraryA".
        $encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B}

    condition:
        // MZ header plus the encrypted configuration anywhere in the file.
        uint16(0) == 0x5A4D and #encrypted_config > 0
}
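rule apt_Windows_InvisiMole_CPL_Loader {
    meta:
        // Description expanded from the bare "CPL loader" to state what is matched.
        description = "Detects InvisiMole CPL loader by embedded script/LNK paths, compiler banners and artifact names"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // WScript template; the shell CLSID path is split by %s format
        // specifiers so it is assembled at run time.
        $s1 = "WScr%steObject(\"WScr%s.Run(\"::{20d04fe0-3a%s30309d}\\\\::{21EC%sDD-08002B3030%s\", 0);"
        $s2 = "\\Control.js" wide
        $s3 = "\\Control Panel.lnk" wide
        // Free Pascal compiler banners. These also appear in benign FPC-built
        // binaries, which is why the condition requires three strings.
        $s4 = "FPC 3.0.4 [2019/04/13] for x86_64 - Win64"
        $s5 = "FPC 3.0.4 [2019/04/13] for i386 - Win32"
        $s6 = "imageapplet.dat" wide
        $s7 = "wkssvmtx"

    condition:
        // MZ header and at least three of the seven indicators.
        uint16(0) == 0x5A4D and (3 of them)
}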
// Structural rule: no string patterns, only PE export and resource metadata.
rule apt_Windows_InvisiMole_Wrapper_DLL {
    meta:
        description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    condition:
        pe.exports("GetDataLength") and
        // Both backdoors must be present as named RCDATA resources.
        // name_string is compared as UTF-16LE, hence the interleaved \x00.
        for any i in (0..pe.number_of_resources - 1): (
            pe.resources[i].type == pe.RESOURCE_TYPE_RCDATA and
            pe.resources[i].name_string == "R\x00C\x002\x00C\x00L\x00"
        ) and
        for any i in (0..pe.number_of_resources - 1): (
            pe.resources[i].type == pe.RESOURCE_TYPE_RCDATA and
            pe.resources[i].name_string == "R\x00C\x002\x00F\x00M\x00"
        )
}
rule apt_Windows_InvisiMole_DNS_Downloader {
    meta:
        description = "InvisiMole DNS downloader"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Mandatory: the DNS resolution import the downloader relies on.
        $d = "DnsQuery_A"

        // Analysis-tool artifacts (Wireshark running-mutex name, TCPView and
        // Process Monitor window classes); $s3-$s5 look like scrambled tool
        // process names. The xor modifier covers single-byte XOR-encoded copies.
        $s1 = "Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}" xor
        $s2 = "AddIns\\" ascii wide xor
        $s3 = "pcornomeex." xor
        $s4 = "weriahsek.rxe" xor
        $s5 = "dpmupaceex." xor
        $s6 = "TCPViewClass" xor
        $s7 = "PROCMON_WINDOW_CLASS" xor
        // Short format/prefix strings, kept plain (no xor modifier).
        $s8 = "Key%C"
        $s9 = "AutoEx%C" xor
        $s10 = "MSO~"
        $s11 = "MDE~"
        $s12 = "DNS PLUGIN, Step %d" xor
        $s13 = "rundll32.exe \"%s\",StartUI"

    condition:
        // Either a PE file or a bare InvisiMole blob, the DNS import, and at
        // least five of the thirteen supporting strings.
        (InvisiMole_Blob or uint16(0) == 0x5A4D) and $d and 5 of ($s*)
}
rule apt_Windows_InvisiMole_RC2CL_Backdoor {
    meta:
        description = "InvisiMole RC2CL backdoor"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Component name.
        $s1 = "RC2CL" wide

        $s2 = "hp12KsNh92Dwd" wide
        $s3 = "ZLib package %s: files: %d, total size: %d" wide
        $s4 = "\\Un4seen" wide
        // Encryption key; the same bytes are used as $s3 in apt_Windows_InvisiMole.
        $s5 = {9E 01 3A AD}

        // Prefixes of files/directories the backdoor creates.
        $s6 = "~mrc_" wide
        $s7 = "~src_" wide
        $s8 = "~wbc_" wide
        $s9 = "zdf_" wide
        $s10 = "~S0PM" wide
        $s11 = "~A0FM" wide
        $s12 = "~70Z63\\" wide
        $s13 = "~E070C" wide
        $s14 = "~N031E" wide

        // File name format strings.
        $s15 = "%szdf_%s.data" wide
        $s16 = "%spicture.crd" wide
        $s17 = "%s70zf_%s.cab" wide
        $s18 = "%spreview.crd" wide

        // Registry/setting value names.
        $s19 = "Value_Bck" wide
        $s20 = "Value_WSFX_ZC" wide
        $s21 = "MachineAccessStateData" wide
        $s22 = "SettingsSR2" wide

    condition:
        // PE file or bare blob, plus at least five of the 22 indicators.
        (InvisiMole_Blob or uint16(0) == 0x5A4D) and 5 of ($s*)
}
// Generic rule: matches code that checks for the blob magics (see
// InvisiMole_Blob) together with a couple of characteristic strings.
rule apt_Windows_InvisiMole {
    meta:
        description = "InvisiMole magic values, keys and strings"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // DPAPI imports used for local data protection.
        $s1 = "CryptProtectData"
        $s2 = "CryptUnprotectData"
        // Encryption key; identical to $s5 in apt_Windows_InvisiMole_RC2CL_Backdoor.
        $s3 = {9E 01 3A AD}
        $s4 = "GET /getversion2a/%d%.2X%.2X/U%sN HTTP/1.1"
        $s5 = "PULSAR_LOADER.dll"

        // x86 comparisons against the blob magics. The 3? nibble wildcard
        // admits opcodes 0x30-0x3F, so it matches more than the cmp form
        // given in the comments (e.g. 81 /6 is xor r/m32, imm32).

        /* cmp reg, 0DED0FFF9h */
        $check_magic_old_32 = {3? F9 FF D0 DE}

        /* cmp reg, 0DED0FF64h */
        $check_magic_old_64 = {3? 64 FF D0 DE}

        /* cmp dword ptr [reg], 0CE11DA86h */
        $check_magic_new_32 = {81 3? 86 DA 11 CE}

        /* cmp dword ptr [reg], 0CE11DA64h */
        $check_magic_new_64 = {81 3? 64 DA 11 CE}

    condition:
        // PE file or bare blob, one magic check, and two of the five strings.
        (InvisiMole_Blob or uint16(0) == 0x5A4D) and 1 of ($check_magic*) and 2 of ($s*)
}
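// Network indicator rule: C&C IP addresses and domains as plain/wide strings.
rule apt_Windows_InvisiMole_C2 {
    meta:
        description = "InvisiMole C&C servers"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // IP addresses.
        $s1 = "46.165.220.228" ascii wide
        $s2 = "80.255.3.66" ascii wide
        $s3 = "85.17.26.174" ascii wide
        $s4 = "185.193.38.55" ascii wide
        $s5 = "194.187.249.157" ascii wide
        $s6 = "195.154.255.211" ascii wide
        // Domains; very short ones carry fullword to avoid substring hits.
        $s7 = "153.re" ascii wide fullword
        $s8 = "adstat.red" ascii wide
        $s9 = "adtrax.net" ascii wide
        $s10 = "akamai.sytes.net" ascii wide
        $s11 = "amz-eu401.com" ascii wide
        $s12 = "blabla234342.sytes.net" ascii wide
        $s13 = "mx1.be" ascii wide fullword
        $s14 = "statad.de" ascii wide
        $s15 = "time.servehttp.com" ascii wide
        $s16 = "upd.re" ascii wide fullword
        $s17 = "update.xn--6frz82g" ascii wide
        $s18 = "updatecloud.sytes.net" ascii wide
        $s19 = "updchecking.sytes.net" ascii wide
        $s20 = "wlsts.net" ascii wide
        $s21 = "ro2.host" ascii wide fullword
        $s22 = "2ld.xyz" ascii wide fullword
        $s23 = "the-haba.com" ascii wide
        $s24 = "82.202.172.134" ascii wide
        // The former $s25 duplicated $s17 ("update.xn--6frz82g") and was dropped.

    condition:
        // PE file or bare blob containing any of the indicators.
        // The previous condition `$s21 and any of them` required ro2.host and
        // made the other indicators redundant; it is now `any of them`.
        (InvisiMole_Blob or uint16(0) == 0x5A4D) and any of them
}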