import "pe"
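// Turla Carbon, generic content signature (ESET, 2017).
// Matches an MZ-headed file that contains at least one string from each of two
// groups ESET associates with Carbon samples (see `reference`).
// NOTE: all string literals must use straight ASCII double quotes; the typographic
// quotes (“ ”) that copy/paste often introduces are a YARA syntax error.
rule generic_carbon
{
    meta:
        author      = "ESET Research"
        date        = "2017-03-30"
        description = "Turla Carbon malware"
        reference   = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"

    strings:
        // Plain ASCII, case-sensitive matches: no `wide` or `nocase` modifiers, so a
        // UTF-16 copy of the same text is NOT detected. Widen deliberately if you
        // need that, and re-check false positives afterwards.
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        // uint16(0) reads the first two bytes little-endian: 'M' (0x4d) 'Z' (0x5a)
        // gives 0x5a4d, i.e. a DOS/PE header, without importing the "pe" module.
        // One hit from EACH group is required; the short, generic $s strings are
        // not enough on their own.
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}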
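// Turla Carbon, PE version-info signature (ESET, 2017). Requires `import "pe"`.
// Matches a PE whose VERSIONINFO InternalName contains one of the file names ESET
// attributes to Carbon components (see `reference`) while CompanyName claims Microsoft.
// NOTE: string literals must use straight ASCII double quotes; the typographic
// quotes (“ ”) that copy/paste often introduces are a YARA syntax error.
rule carbon_metadata
{
    meta:
        author      = "ESET Research"
        date        = "2017-03-30"
        description = "Turla Carbon malware"
        reference   = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"

    condition:
        // pe.version_info[...] is undefined for non-PE input or a PE without a
        // VERSIONINFO resource; YARA treats undefined as false here, so the rule
        // silently does not match and no explicit MZ check is needed.
        // `contains` is a case-sensitive substring test: "MYSERVICE.EXE" also
        // satisfies the SERVICE.EXE clause, while "service.exe" does not.
        // Version metadata is entirely attacker-controlled and trivial to change,
        // so treat this as a companion to generic_carbon, not a standalone verdict.
        (
            pe.version_info["InternalName"] contains "SERVICE.EXE" or
            pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
            pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}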