Sneed-Reactivity/yara-mikesxrs/eset/InvisiMole.yar


// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
private rule InvisiMole_Blob {
meta:
description = "Detects InvisiMole blobs by magic values"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// Four-byte blob headers: two generations ("old" / "new"), each in a 32-bit
// and a 64-bit flavour. The same byte sequences are matched as operands of
// cmp instructions by apt_Windows_InvisiMole further down in this file.
// Private rule: never reported on its own, only used by the other rules as
// an alternative to the MZ header check.
$magic_old_32 = {F9 FF D0 DE}
$magic_old_64 = {64 FF D0 DE}
$magic_new_32 = {86 DA 11 CE}
$magic_new_64 = {64 DA 11 CE}
condition:
// Any one of the magic values, anchored at file offset 0.
for any of ($magic*) : ( $ at 0 )
}
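rule apt_Windows_InvisiMole_Logs {
meta:
description = "Detects log files with data collected by InvisiMole's RC2CL backdoor"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
condition:
// Each log format is identified solely by its little-endian 32-bit header
// at offset 0; no further structure or size is checked. A hit can therefore
// be a 4-byte coincidence on an unrelated file, so triage it together with
// the other InvisiMole rules in this file rather than on its own.
uint32(0) == 0x08F1CAA1 or
uint32(0) == 0x08F1CAA2 or
uint32(0) == 0x08F1CCC0 or
uint32(0) == 0x08F2AFC0 or
uint32(0) == 0x083AE4DF or
uint32(0) == 0x18F2CBB1 or
uint32(0) == 0x1900ABBA or
uint32(0) == 0x24F2CEA1 or
uint32(0) == 0xDA012193 or
uint32(0) == 0xDA018993 or
uint32(0) == 0xDA018995 or
uint32(0) == 0xDD018991
}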
rule apt_Windows_InvisiMole_SFX_Dropper {
meta:
description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// XOR-0x2A-encoded name table from the appended blob. Applying the 0x2A key
// named in the description to these bytes yields, in order: "user32.dll",
// "wsprintfW", the UTF-16 format string "%sRar$EXa%d.%d\%S" (the RAR SFX
// temporary-folder naming pattern), "ShellExecuteW", "shell32.dll",
// "VirtualAlloc" and "LoadLibraryA". Every lone 2A byte is an encoded NUL
// (0x00 ^ 0x2A), i.e. a string terminator.
$encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B}
condition:
// MZ header plus the encoded table anywhere in the file. The "at the end of
// a file" placement from the description is not enforced by the condition.
uint16(0) == 0x5A4D and $encrypted_config
}
rule apt_Windows_InvisiMole_CPL_Loader {
meta:
description = "CPL loader"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// Template of a WScript one-liner with "%s" gaps filled at run time; the
// visible CLSID fragments (20d04fe0-3a...30309d, 21EC...DD-08002B3030...)
// appear to be the My Computer and Control Panel shell-folder GUIDs.
$s1 = "WScr%steObject(\"WScr%s.Run(\"::{20d04fe0-3a%s30309d}\\\\::{21EC%sDD-08002B3030%s\", 0);"
// Dropped script and shortcut names (UTF-16).
$s2 = "\\Control.js" wide
$s3 = "\\Control Panel.lnk" wide
// Free Pascal compiler version banners. These are present in any binary
// built with that FPC release, so together they already account for two of
// the three strings the condition requires; a hit carried mainly by $s4/$s5
// deserves a second look.
$s4 = "FPC 3.0.4 [2019/04/13] for x86_64 - Win64"
$s5 = "FPC 3.0.4 [2019/04/13] for i386 - Win32"
$s6 = "imageapplet.dat" wide
$s7 = "wkssvmtx"
condition:
// MZ header and any three of the seven strings.
uint16(0) == 0x5A4D and (3 of them)
}
rule apt_Windows_InvisiMole_Wrapper_DLL {
meta:
description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
condition:
// No byte patterns: the rule relies entirely on the PE module, so it only
// fires on parseable PE files that export "GetDataLength" AND carry both
// RCDATA resources below.
pe.exports("GetDataLength") and
// Resource names are compared in their raw UTF-16LE form: "RC2CL" ...
// NOTE(review): when the file has no resource directory the range is
// (0..-1); presumably the loop then evaluates false -- confirm on the YARA
// version in use.
for any y in (0..pe.number_of_resources - 1): (
pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00C\x00L\x00"
) and
// ... and "RC2FM". apt_Windows_InvisiMole_RC2CL_Backdoor below matches the
// same "RC2CL" name as a wide string inside the embedded payload.
for any y in (0..pe.number_of_resources - 1): (
pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00F\x00M\x00"
)
}
rule apt_Windows_InvisiMole_DNS_Downloader {
meta:
description = "InvisiMole DNS downloader"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// Plain (not xor) import name; required by the condition in addition to the
// five $s* hits, so it anchors the rule on DNS-capable code.
$d = "DnsQuery_A"
// "xor" strings are matched against every single-byte XOR key (0x00-0xFF),
// so these hit the obfuscated form as well as the plain text.
// $s1, $s6, $s7 look like window-class / mutex names of analysis tools
// (Wireshark, TCPView, Process Monitor) -- i.e. analysis-evasion checks.
$s1 = "Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}" xor
$s2 = "AddIns\\" ascii wide xor
// $s3-$s5 appear to be scrambled tool file names (procmon.exe,
// wireshark.exe, dumpcap.exe) -- an assumption from the letters, not
// verified against the sample.
$s3 = "pcornomeex." xor
$s4 = "weriahsek.rxe" xor
$s5 = "dpmupaceex." xor
$s6 = "TCPViewClass" xor
$s7 = "PROCMON_WINDOW_CLASS" xor
// $s8, $s10, $s11 are short, un-xored literals and are the weakest
// indicators here; they can only contribute, not carry, a match.
$s8 = "Key%C"
$s9 = "AutoEx%C" xor
$s10 = "MSO~"
$s11 = "MDE~"
$s12 = "DNS PLUGIN, Step %d" xor
$s13 = "rundll32.exe \"%s\",StartUI"
condition:
// PE file or InvisiMole blob, the DnsQuery_A import name, and at least five
// of the thirteen $s* strings.
((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $d and 5 of ($s*)
}
rule apt_Windows_InvisiMole_RC2CL_Backdoor {
meta:
description = "InvisiMole RC2CL backdoor"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// All text strings are UTF-16 ("wide"); the backdoor is identified by its
// own module name, embedded literals and file-name format strings.
// $s1 is the same name the wrapper DLL stores its RCDATA resource under
// (see apt_Windows_InvisiMole_Wrapper_DLL).
$s1 = "RC2CL" wide
$s2 = "hp12KsNh92Dwd" wide
$s3 = "ZLib package %s: files: %d, total size: %d" wide
$s4 = "\\Un4seen" wide
// 4-byte key; also matched as $s3 of apt_Windows_InvisiMole below. On its
// own a 4-byte pattern is weak, which is why the condition needs 5 hits.
$s5 = {9E 01 3A AD} // encryption key
// Prefixes / markers used in file and value names.
$s6 = "~mrc_" wide
$s7 = "~src_" wide
$s8 = "~wbc_" wide
$s9 = "zdf_" wide
$s10 = "~S0PM" wide
$s11 = "~A0FM" wide
$s12 = "~70Z63\\" wide
$s13 = "~E070C" wide
$s14 = "~N031E" wide
// Format strings for generated file names.
$s15 = "%szdf_%s.data" wide
$s16 = "%spicture.crd" wide
$s17 = "%s70zf_%s.cab" wide
$s18 = "%spreview.crd" wide
$s19 = "Value_Bck" wide
$s20 = "Value_WSFX_ZC" wide
$s21 = "MachineAccessStateData" wide
$s22 = "SettingsSR2" wide
condition:
// PE file or InvisiMole blob, plus any five of the 22 strings.
((uint16(0) == 0x5A4D) or InvisiMole_Blob) and 5 of ($s*)
}
rule apt_Windows_InvisiMole {
meta:
description = "InvisiMole magic values, keys and strings"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// $s1/$s2 are ordinary DPAPI import names and appear in many benign
// binaries; together they already satisfy "2 of ($s*)", so the specificity
// of this rule comes from the $check_magic* patterns, not from $s1/$s2.
$s1 = "CryptProtectData"
$s2 = "CryptUnprotectData"
// Same 4-byte key as $s5 of apt_Windows_InvisiMole_RC2CL_Backdoor above.
$s3 = {9E 01 3A AD}
// C&C request format string and loader module name.
$s4 = "GET /getversion2a/%d%.2X%.2X/U%sN HTTP/1.1"
$s5 = "PULSAR_LOADER.dll"
// Code that compares a value against the blob magics from InvisiMole_Blob.
// "3?" is a one-nibble wildcard: it covers the intended 3D (cmp eax, imm32)
// opcode but also the other 0x30-0x3F opcodes, so the match is deliberately
// loose; the header and $s* requirements in the condition compensate.
/*
cmp reg, 0DED0FFF9h
*/
$check_magic_old_32 = {3? F9 FF D0 DE}
/*
cmp reg, 0DED0FF64h
*/
$check_magic_old_64 = {3? 64 FF D0 DE}
// 81 /7 id is cmp r/m32, imm32; a ModRM byte of 38-3F selects /7 with a
// register-indirect operand. The wildcard also admits 30-37, which encodes
// the /6 (xor) form -- harmless for detection, but worth knowing when
// reading a hit.
/*
cmp dword ptr [reg], 0CE11DA86h
*/
$check_magic_new_32 = {81 3? 86 DA 11 CE}
/*
cmp dword ptr [reg], 0CE11DA64h
*/
$check_magic_new_64 = {81 3? 64 DA 11 CE}
condition:
// PE file or InvisiMole blob, at least one magic-comparison pattern, and
// two of the five text/key strings.
((uint16(0) == 0x5A4D) or InvisiMole_Blob) and (any of ($check_magic*)) and (2 of ($s*))
}
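rule apt_Windows_InvisiMole_C2 {
meta:
description = "InvisiMole C&C servers"
author = "ESET Research"
date = "2021-05-17"
reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
strings:
// C&C IP addresses and host names, matched as ASCII and UTF-16. Very short
// domains carry "fullword" so that they do not match inside unrelated,
// longer host names. The former $s25 ("update.xn--6frz82g") was a
// byte-for-byte duplicate of $s17 and has been dropped; "any of them" is
// unaffected.
$s1 = "46.165.220.228" ascii wide
$s2 = "80.255.3.66" ascii wide
$s3 = "85.17.26.174" ascii wide
$s4 = "185.193.38.55" ascii wide
$s5 = "194.187.249.157" ascii wide
$s6 = "195.154.255.211" ascii wide
$s7 = "153.re" ascii wide fullword
$s8 = "adstat.red" ascii wide
$s9 = "adtrax.net" ascii wide
$s10 = "akamai.sytes.net" ascii wide
$s11 = "amz-eu401.com" ascii wide
$s12 = "blabla234342.sytes.net" ascii wide
$s13 = "mx1.be" ascii wide fullword
$s14 = "statad.de" ascii wide
$s15 = "time.servehttp.com" ascii wide
$s16 = "upd.re" ascii wide fullword
$s17 = "update.xn--6frz82g" ascii wide
$s18 = "updatecloud.sytes.net" ascii wide
$s19 = "updchecking.sytes.net" ascii wide
$s20 = "wlsts.net" ascii wide
$s21 = "ro2.host" ascii wide fullword
$s22 = "2ld.xyz" ascii wide fullword
$s23 = "the-haba.com" ascii wide
$s24 = "82.202.172.134" ascii wide
condition:
// NOTE(review): "$s21 and any of them" reduces to "$s21" -- a ro2.host hit
// already satisfies "any of them", so none of the other indicators can
// trigger the rule on their own. This reads like a typo for plain
// "any of them"; left unchanged pending confirmation against upstream,
// because the fix widens what the rule reports.
((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $s21 and any of them
}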