
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2022, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
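// Tendyron dropper: the Global\ mutex/event names it creates plus a few Windows
// strings around its ALPC / Internet Explorer usage. $s4-$s6 occur in plenty of
// benign binaries, so with "4 of them" a hit always carries at least one of the
// sample-specific names $s1-$s3.
rule apt_Windows_TA410_Tendyron_dropper
{
meta:
description = "TA410 Tendyron Dropper"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2020-12-09"
strings:
// sample-specific synchronisation object names
$s1 = "Global\\{F473B3BE-08EE-4710-A727-9E248F804F4A}" wide
$s2 = "Global\\8D32CCB321B2" wide
$s3 = "Global\\E4FE94F75490" wide
// generic Windows strings (weak on their own)
$s4 = "Program Files (x86)\\Internet Explorer\\iexplore.exe" wide
$s5 = "\\RPC Control\\OLE" wide
$s6 = "ALPC Port" wide
condition:
// MZ header check written as uint16 like every other rule in this file
// (int16 gives the same result for 0x5a4d, but mixing the two reads badly)
uint16(0) == 0x5a4d and 4 of them
}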
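// Tendyron installer: persistence via the Run key and a mutex name shared with
// the dropper rule above.
// NOTE(review): "Tendyron" and "OnKeyToken_KEB.dll" are names of a legitimate
// token-vendor product, and the Run key is generic. With "3 of them", $s1+$s2+$s3
// can plausibly all appear in benign Tendyron software; if that produces false
// positives, consider additionally requiring $s4 or $s5 (the sample-specific
// mutex / build path). Left unchanged here pending a check against clean samples.
rule apt_Windows_TA410_Tendyron_installer
{
meta:
description = "TA410 Tendyron Installer"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2020-12-09"
strings:
$s1 = "Tendyron" wide
$s2 = "OnKeyToken_KEB.dll" wide
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
// same mutex name as $s2 of the dropper rule, but ascii here
$s4 = "Global\\8D32CCB321B2"
// build/working directory fragment
$s5 = "\\RTFExploit\\"
condition:
// MZ header check written as uint16 like every other rule in this file
uint16(0) == 0x5a4d and 3 of them
}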
// Tendyron downloader: its in-place string/buffer decoding loop plus one
// exported/referenced name. Both must match. The loop is 32-bit code (eax/ecx),
// so 64-bit builds would need a separate pattern.
// "startModule" is also part of the FlowCloud first-stage rule further down.
rule apt_Windows_TA410_Tendyron_Downloader
{
meta:
description = "TA410 Tendyron Downloader"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2020-12-09"
strings:
/*
Decoding loop: for each of ecx bytes at eax, byte = (byte ^ 0x5c) + 0x5c.
0x401250 8A10 mov dl, byte ptr [eax]
0x401252 80F25C xor dl, 0x5c
0x401255 80C25C add dl, 0x5c
0x401258 8810 mov byte ptr [eax], dl
0x40125a 40 inc eax
0x40125b 83E901 sub ecx, 1
0x40125e 75F0 jne 0x401250
*/
$chunk_1 = {
8A 10
80 F2 5C
80 C2 5C
88 10
40
83 E9 01
75 ?? // jne displacement wildcarded; depends on code layout
}
$s1 = "startModule" fullword
condition:
// int16 is used here where the rest of the file uses uint16; equivalent for 0x5a4d
int16(0) == 0x5A4D and all of them
}
// Plain-text artefacts of the TA410 X4 component: a marker string and two log
// paths under MachineKeys. There is deliberately no MZ/file-type check in the
// condition, so this rule also fires on memory dumps, logs or text files that
// contain any one of the strings (including reports and this rule file).
rule apt_Windows_TA410_X4_strings
{
meta:
description = "Matches various strings found in TA410 X4"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2020-10-09"
strings:
$marker = "[X]InLoadSC" ascii wide nocase
$rsa_log = "MachineKeys\\Log\\rsa.txt" ascii wide nocase
$output_log = "MachineKeys\\Log\\output.log" ascii wide nocase
condition:
// a single string is enough; no file-type gate by design
any of them
}
// Short (4-6 byte) constants from the X4 component. Each is weak on its own,
// which is why the rule needs 4 of the 8 inside a PE before it fires.
// NOTE(review): the meta description is a copy of the hash_fct rule's; the
// strings here are constants, presumably precomputed values compared by the X4
// hash routine, but that is not verifiable from this file.
rule apt_Windows_TA410_X4_hash_values
{
meta:
description = "Matches X4 hash function found in TA410 X4"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2020-10-09"
strings:
$s1 = {D1 10 76 C2 B6 03}
$s2 = {71 3E A8 0D}
$s3 = {DC 78 94 0E}
$s4 = {40 0D E7 D6 06}
$s5 = {83 BB FD E8 06}
$s6 = {92 9D 9B FF EC 03}
$s7 = {DD 0E FC FA F5 03}
$s8 = {15 60 1E FB F5 03}
condition:
// PE file and at least half of the constants present
uint16(0) == 0x5a4d and 4 of them
}
// X4 string-hash routine (x64): h = h * 0x83 + (signed char)c over a
// NUL-terminated string. The multiplier 0x83 is the distinctive part; the
// loop-exit and back-jump displacements are wildcarded.
rule apt_Windows_TA410_X4_hash_fct
{
meta:
description = "Matches X4 hash function found in TA410 X4"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2020-10-09"
/*
0x6056cc2150 0FB601 movzx eax, byte ptr [rcx]
0x6056cc2153 84C0 test al, al
0x6056cc2155 7416 je 0x6056cc216d
0x6056cc2157 4869D283000000 imul rdx, rdx, 0x83
0x6056cc215e 480FBEC0 movsx rax, al
0x6056cc2162 4803D0 add rdx, rax
0x6056cc2165 48FFC1 inc rcx
0x6056cc2168 E9E3FFFFFF jmp 0x6056cc2150
*/
strings:
$chunk_1 = {
0F B6 01
84 C0
74 ?? // je: exit on NUL terminator
48 69 D2 83 00 00 00
48 0F BE C0
48 03 D0
48 FF C1
E9 ?? ?? ?? ?? // jmp back to loop head
}
condition:
// 64-bit code only; 32-bit builds of the same routine would not match
uint16(0) == 0x5a4d and any of them
}
// LookBack's custom stream cipher, in three pieces that must all be present:
// a 256-byte table initialisation, a 0x600-round state-generation loop, and the
// per-byte decrypt loop. All three are 32-bit code addressing the tables on the
// stack (esp+0x10 and esp+0x110), so the stack-frame displacements are
// wildcarded where they differ between builds.
// NOTE(review): the structure (table, swap loop, keystream byte XORed into the
// buffer) is RC4-like, but it is not plain RC4 — do not substitute a generic
// RC4 signature for this rule.
rule apt_Windows_TA410_LookBack_decryption
{
meta:
description = "Matches encryption/decryption function used by LookBack."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
// table[i] = 3 * (i / 4) for i in 0..0xff (signed division, then cl = al + 2*al)
$initialize = {
8B C6 //mov eax, esi
99 //cdq
83 E2 03 //and edx, 3
03 C2 //add eax, edx
C1 F8 02 //sar eax, 2
8A C8 //mov cl, al
02 C0 //add al, al
02 C8 //add cl, al
88 4C 34 10 //mov byte ptr [esp + esi + 0x10], cl
46 //inc esi
81 FE 00 01 00 00 //cmp esi, 0x100
72 ?? //jb: loop while esi < 0x100
}
// 0x600 rounds of swapping entries of the esp+0x110 state table
$generate = {
8A 94 1C 10 01 ?? ?? //mov dl, byte ptr [esp + ebx + 0x110]
8D 8C 24 10 01 ?? ?? //lea ecx, [esp + 0x110]
0F B6 C3 //movzx eax, bl
0F B6 44 04 10 //movzx eax, byte ptr [esp + eax + 0x10]
32 C2 //xor al, dl
02 F0 //add dh, al
0F B6 C6 //movzx eax, dh
03 C8 //add ecx, eax
0F B6 01 //movzx eax, byte ptr [ecx]
88 84 1C 10 01 ?? ?? //mov byte ptr [esp + ebx + 0x110], al
43 //inc ebx
88 11 //mov byte ptr [ecx], dl
81 FB 00 06 00 00 //cmp ebx, 0x600
72 ?? //jb 0x10025930
}
// per-byte loop: swap two state entries, XOR the buffer byte at [esi+ebp]
// with state[a ^ b], until esi reaches edi (the length)
$decrypt = {
0F B6 C6 //movzx eax, dh
8D 8C 24 10 01 ?? ?? //lea ecx, [esp + 0x110]
03 C8 //add ecx, eax
8A 19 //mov bl, byte ptr [ecx]
8A C3 //mov al, bl
02 C6 //add al, dh
FE C6 //inc dh
02 F8 //add bh, al
0F B6 C7 //movzx eax, bh
8A 94 04 10 01 ?? ?? //mov dl, byte ptr [esp + eax + 0x110]
88 9C 04 10 01 ?? ?? //mov byte ptr [esp + eax + 0x110], bl
88 11 //mov byte ptr [ecx], dl
0F B6 C2 //movzx eax, dl
0F B6 CB //movzx ecx, bl
33 C8 //xor ecx, eax
8A 84 0C 10 01 ?? ?? //mov al, byte ptr [esp + ecx + 0x110]
30 04 2E //xor byte ptr [esi + ebp], al
46 //inc esi
3B F7 //cmp esi, edi
7C ?? //jl 0x10025980
}
condition:
// all three routines are required, which keeps the rule specific despite
// the generic-looking table initialisation
uint16(0) == 0x5a4d and all of them
}
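// LookBack loader: the routine patched into libcurl that allocates executable
// memory (arguments 0, 0x4f0, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE,
// consistent with VirtualAlloc although the callee is an indirect call), copies a
// 0x4f0-byte blob (0x13c dwords) and a 0x26c-byte blob (0x9b dwords) into the new
// buffers, runs the same routine over each, and finally calls into the first
// buffer at a stored offset (add eax, ebp / call eax).
// Every absolute address in the routine is wildcarded, including the two
// `mov esi, imm32` blob addresses (previously fixed at 0x10063060 / 0x10063550),
// which are image-base- and layout-dependent and would otherwise tie the rule to
// a single build. The remaining fixed bytes (sizes, counts, register moves) keep
// the pattern specific.
rule apt_Windows_TA410_LookBack_loader
{
meta:
description = "Matches the modified function in LookBack libcurl loader."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
$chunk_1 = {
FF 15 ?? ?? ?? ?? //call dword ptr [0x100530e0]
6A 40 //push 0x40 (PAGE_EXECUTE_READWRITE)
68 00 10 00 00 //push 0x1000 (MEM_COMMIT)
68 F0 04 00 00 //push 0x4f0 (size of first blob)
6A 00 //push 0
FF 15 ?? ?? ?? ?? //call dword ptr [0x100530d4]
8B E8 //mov ebp, eax (first buffer)
B9 3C 01 00 00 //mov ecx, 0x13c (0x4f0 / 4 dwords)
BE ?? ?? ?? ?? //mov esi, <first blob VA> — absolute address, wildcarded
8B FD //mov edi, ebp
68 F0 04 00 00 //push 0x4f0
F3 A5 //rep movsd dword ptr es:[edi], dword ptr [esi]
55 //push ebp
E8 ?? ?? ?? ?? //call 0x100258d0
8B 0D ?? ?? ?? ?? //mov ecx, dword ptr [0x100530e4]
A1 ?? ?? ?? ?? //mov eax, dword ptr [0x100530c8]
68 6C 02 00 00 //push 0x26c (size of second blob)
89 4C 24 ?? //mov dword ptr [esp + 0x1c], ecx
89 44 24 ?? //mov dword ptr [esp + 0x20], eax
FF 15 ?? ?? ?? ?? //call dword ptr [0x10063038]
8B D8 //mov ebx, eax (second buffer)
B9 9B 00 00 00 //mov ecx, 0x9b (0x26c / 4 dwords)
BE ?? ?? ?? ?? //mov esi, <second blob VA> — absolute address, wildcarded
8B FB //mov edi, ebx
68 6C 02 00 00 //push 0x26c
F3 A5 //rep movsd dword ptr es:[edi], dword ptr [esi]
53 //push ebx
E8 ?? ?? ?? ?? //call 0x100258d0 (same routine as for the first blob)
83 C4 14 //add esp, 0x14
8D 44 24 ?? //lea eax, [esp + 0x10]
50 //push eax
53 //push ebx
8D 44 24 ?? //lea eax, [esp + 0x3c]
50 //push eax
A1 ?? ?? ?? ?? //mov eax, dword ptr [0x10063058] (offset into first buffer)
FF 74 24 ?? //push dword ptr [esp + 0x28]
03 C5 //add eax, ebp
FF D0 //call eax (enter the copied blob)
}
condition:
uint16(0) == 0x5a4d and all of them
}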
// LookBack's "Sodom" naming: export names, payload file names and its config
// file. A PE matches on any two of the strings, or on exporting one of the two
// SodomBodyLoad* entry points regardless of the strings.
rule apt_Windows_TA410_LookBack_strings
{
meta:
description = "Matches multiple strings and export names in TA410 LookBack."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
// export-style names
$exp_init = "SodomMainInit" ascii wide
$exp_proc = "SodomMainProc" ascii wide
$exp_free = "SodomMainFree" ascii wide
// payload and config file names
$file_normal = "SodomNormal.bin" ascii wide
$file_http = "SodomHttp.bin" ascii wide
$file_ini = "sodom.ini" ascii wide
condition:
uint16(0) == 0x5a4d and
(
2 of them or
pe.exports("SodomBodyLoad") or
pe.exports("SodomBodyLoadTest")
)
}
// LookBack's hand-built HTTP POST: the full request template (format string with
// %s/%d placeholders for host, user-agent and length) and the fixed start of the
// POST body. Both must be present in the PE. The template only matches byte-exact,
// so a re-ordered or re-worded header set in a newer build would be missed.
rule apt_Windows_TA410_LookBack_HTTP
{
meta:
description = "Matches LookBack's hardcoded HTTP request"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
$request = "POST http://%s/status.php?r=%d%d HTTP/1.1\x0d\nAccept: text/html, application/xhtml+xml, */*\x0d\nAccept-Language: en-us\x0d\nUser-Agent: %s\x0d\nContent-Type: application/x-www-form-urlencoded\x0d\nAccept-Encoding: gzip, deflate\x0d\nHost: %s\x0d\nContent-Length: %d\x0d\nConnection: Keep-Alive\x0d\nCache-Control: no-cache\x0d\n\x0d\n" ascii wide
$body = "id=1&op=report&status="
condition:
uint16(0) == 0x5a4d and $request and $body
}
// LookBack message header construction: the 0x48ab2ec2 magic written at [ebx],
// followed by three more dword fields at +4/+8/+0xc and a call. Register choice
// and stack displacements are wildcarded (nibble and byte wildcards, plus
// optional/variable-length jumps) so both observed compiler layouts match.
rule apt_Windows_TA410_LookBack_magic
{
meta:
description = "Matches message header creation in LookBack."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
$s1 = {
C7 03 C2 2E AB 48 //mov dword ptr [ebx], 0x48ab2ec2  (the magic value)
( A1 | 8B 15 ) ?? ?? ?? ?? //mov (eax | edx), x
[0-1] //optional push ebp
89 ?3 04 //mov dword ptr [ebx + 4], reg  (second nibble wildcard: source register varies)
8B 4? 24 ?? //mov reg, dword ptr [esp + X]
89 4? 08 //mov dword ptr [ebx + 8], ??
89 ?? 0C //mov dword ptr [ebx + 0xc], ??
8B 4? 24 ?? //mov reg, dword ptr [esp + X]
[1-2] //push 1 or 2 args
E8 ?? ?? ?? ?? //call
}
condition:
uint16(0) == 0x5a4d and all of them
}
// FlowCloud first stage: a hard-coded key string and a Global\ event name are
// each sufficient on their own; otherwise five of the configuration-option
// names ($s*) are needed. Note that "startModule" ($s2) is shared with the
// Tendyron downloader rule above, and several option names are generic words,
// hence the threshold of 5.
rule apt_Windows_TA410_FlowCloud_loader_strings
{
meta:
description = "Matches various strings found in TA410 FlowCloud first stage."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
// hard-coded key material; sufficient alone
$key = "y983nfdicu3j2dcn09wur9*^&initialize(y4r3inf;'fdskaf'SKF"
$s2 = "startModule" fullword
// configuration option names (wide)
$s4 = "auto_start_module" wide
$s5 = "load_main_module_after_install" wide
$s6 = "terminate_if_fail" wide
$s7 = "clear_run_mru" wide
$s8 = "install_to_vista" wide
$s9 = "load_ext_module" wide
$s10= "sll_only" wide
$s11= "fail_if_already_installed" wide
$s12= "clear_hardware_info" wide
$s13= "av_check" wide fullword
$s14= "check_rs" wide
$s15= "check_360" wide
$s16= "responsor.dat" wide ascii
$s17= "auto_start_after_install_check_anti" wide fullword
$s18= "auto_start_after_install" wide fullword
$s19= "extern_config.dat" wide fullword
$s20= "is_hhw" wide fullword
$s21= "SYSTEM\\Setup\\PrintResponsor" wide
// event name; sufficient alone
$event= "Global\\Event_{201a283f-e52b-450e-bf44-7dc436037e56}" wide ascii
$s23= "invalid encrypto hdr while decrypting"
condition:
// $s* covers $s2..$s23 only; $key and $event do not share the prefix
uint16(0) == 0x5a4d and ($key or $event or 5 of ($s*))
}
// FlowCloud resource-header decryption loop (32-bit): unrolled six bytes per
// iteration, each byte XORed with the low byte of the 32-bit key at [esi]
// rotated right by a per-byte count; the loop runs while edi < 0x10.
// Only the displacements that vary between builds are wildcarded.
// NOTE(review): this rule has no `date` meta, unlike every other rule in the
// file; the sibling FlowCloud rules are dated 2021-10-12 — confirm before adding.
rule apt_Windows_TA410_FlowCloud_header_decryption
{
meta:
description = "Matches the function used to decrypt resources headers in TA410 FlowCloud"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
/*
0x416a70 8B1E mov ebx, dword ptr [esi]
0x416a72 8BCF mov ecx, edi
0x416a74 D3CB ror ebx, cl
0x416a76 8D0C28 lea ecx, [eax + ebp]
0x416a79 83C706 add edi, 6
0x416a7c 3018 xor byte ptr [eax], bl
0x416a7e 8B1E mov ebx, dword ptr [esi]
0x416a80 D3CB ror ebx, cl
0x416a82 8D0C02 lea ecx, [edx + eax]
0x416a85 305801 xor byte ptr [eax + 1], bl
0x416a88 8B1E mov ebx, dword ptr [esi]
0x416a8a D3CB ror ebx, cl
0x416a8c 8B4C240C mov ecx, dword ptr [esp + 0xc]
0x416a90 03C8 add ecx, eax
0x416a92 305802 xor byte ptr [eax + 2], bl
0x416a95 8B1E mov ebx, dword ptr [esi]
0x416a97 D3CB ror ebx, cl
0x416a99 8B4C2410 mov ecx, dword ptr [esp + 0x10]
0x416a9d 03C8 add ecx, eax
0x416a9f 305803 xor byte ptr [eax + 3], bl
0x416aa2 8B1E mov ebx, dword ptr [esi]
0x416aa4 D3CB ror ebx, cl
0x416aa6 8B4C2414 mov ecx, dword ptr [esp + 0x14]
0x416aaa 03C8 add ecx, eax
0x416aac 83C006 add eax, 6
0x416aaf 3058FE xor byte ptr [eax - 2], bl
0x416ab2 8B1E mov ebx, dword ptr [esi]
0x416ab4 D3CB ror ebx, cl
0x416ab6 3058FF xor byte ptr [eax - 1], bl
0x416ab9 83FF10 cmp edi, 0x10
0x416abc 72B2 jb 0x416a70
*/
strings:
$chunk_1 = {
8B 1E
8B CF
D3 CB
8D 0C 28
83 C7 06
30 18
8B 1E
D3 CB
8D 0C 02
30 58 ?? // xor [eax + disp8], bl — displacement wildcarded
8B 1E
D3 CB
8B 4C 24 ?? // stack-slot displacement wildcarded
03 C8
30 58 ??
8B 1E
D3 CB
8B 4C 24 ??
03 C8
30 58 ??
8B 1E
D3 CB
8B 4C 24 ??
03 C8
83 C0 06
30 58 ??
8B 1E
D3 CB
30 58 ??
83 FF 10
72 ?? // jb back to loop head
}
condition:
uint16(0) == 0x5a4d and all of them
}
// File names referenced by the FlowCloud side-loaded DLL: three .dat payloads
// and the three .dll names they pair with. A PE matches when it carries the
// complete .dat triple or the complete .dll triple; mixing the two sets does
// not count.
rule apt_Windows_TA410_FlowCloud_dll_hijacking_strings
{
meta:
description = "Matches filenames inside TA410 FlowCloud malicious DLL."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
$payload_emedres = "emedres.dat" wide
$payload_vviewres = "vviewres.dat" wide
$payload_setlangloc = "setlangloc.dat" wide
$module_emedres = "emedres.dll" wide
$module_vviewres = "vviewres.dll" wide
$module_setlangloc = "setlangloc.dll" wide
condition:
uint16(0) == 0x5a4d and
(
all of ($payload_*) or
all of ($module_*)
)
}
// Anti-disassembly stub in the FlowCloud side-loaded DLL: an always-taken
// `jge +1` jumps into the middle of the `EB FF` instruction so that linear
// disassembly shows `jmp +1 / loopne`, while execution sees `jmp eax`.
// The pattern is byte-exact apart from the call target.
rule apt_Windows_TA410_FlowCloud_malicious_dll_antianalysis
{
meta:
description = "Matches anti-analysis techniques used in TA410 FlowCloud hijacking DLL."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
/*
33C0 xor eax, eax
E8320C0000 call 0x10001d30
83C010 add eax, 0x10
3D00000080 cmp eax, 0x80000000
7D01 jge +3
EBFF jmp +1 / jmp eax
E050 loopne 0x1000115c / push eax
C3 ret
*/
$chunk_1 = {
33 C0
E8 ?? ?? ?? ?? // call: target wildcarded
83 C0 10
3D 00 00 00 80
7D 01
EB FF // overlapping-instruction trick: FF E0 = jmp eax
E0 50
C3
}
condition:
uint16(0) == 0x5a4d and all of them
}
// Matches on the PDB path embedded in FlowCloud builds. Condition-only rule; it
// cannot fire on a PE without a debug directory (pe.pdb_path is then undefined
// and the condition is false).
// NOTE(review): `contains` is case-sensitive, so only the two spellings listed
// match; a mixed-case variant such as "\Flowcloud\trunk\" would be missed.
// Newer YARA versions offer `icontains`, which would collapse both branches
// into one case-insensitive check — adopt it if the minimum YARA version allows.
rule apt_Windows_TA410_FlowCloud_pdb
{
meta:
description = "Matches PDB paths found in TA410 FlowCloud."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
condition:
uint16(0) == 0x5a4d and (pe.pdb_path contains "\\FlowCloud\\trunk\\" or pe.pdb_path contains "\\flowcloud\\trunk\\")
}
// FlowCloud self-decrypting DLL, 32-bit: a one-byte key derived from the
// buffer length — key = ((len % 0x46b) + 0x1a8) & 0xff — is applied to every
// byte as `b = (b ^ key) + key`. The constants 0x46b and 0x1a8 are the
// distinctive part; frame offsets and jump displacements are wildcarded.
rule apt_Windows_TA410_FlowCloud_shellcode_decryption
{
meta:
description = "Matches the decryption function used in TA410 FlowCloud self-decrypting DLL"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
/*
0x211 33D2 xor edx, edx
0x213 8B4510 mov eax, dword ptr [ebp + 0x10]
0x216 BB6B040000 mov ebx, 0x46b
0x21b F7F3 div ebx
0x21d 81C2A8010000 add edx, 0x1a8
0x223 81E2FF000000 and edx, 0xff
0x229 8B7D08 mov edi, dword ptr [ebp + 8]
0x22c 33C9 xor ecx, ecx
0x22e EB07 jmp 0x237
0x230 301439 xor byte ptr [ecx + edi], dl
0x233 001439 add byte ptr [ecx + edi], dl
0x236 41 inc ecx
0x237 3B4D0C cmp ecx, dword ptr [ebp + 0xc]
0x23a 72F4 jb 0x230
*/
strings:
$chunk_1 = {
33 D2
8B 45 ?? // mov eax, [ebp + arg]: frame offset wildcarded
BB 6B 04 00 00
F7 F3
81 C2 A8 01 00 00
81 E2 FF 00 00 00
8B 7D ?? // mov edi, [ebp + arg]: buffer pointer
33 C9
EB ?? // jmp to the loop condition
30 14 39
00 14 39
41
3B 4D ?? // cmp ecx, [ebp + arg]: length
72 ?? // jb back to loop body
}
condition:
uint16(0) == 0x5a4d and all of them
}
// fcClient (rescure.dat) module: GUID-style identifiers and a DLL name, any one
// of which is enough, or both driver paths together. hidusb.sys is a legitimate
// Windows driver name, which is why the two driver strings are only accepted as
// a pair. $s* matches $s1-$s6 only; the $driver* names do not share the prefix.
rule apt_Windows_TA410_FlowCloud_fcClient_strings
{
meta:
description = "Strings found in fcClient/rescure.dat module."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
$s1 = "df257bdd-847c-490e-9ef9-1d7dc883d3c0"
$s2 = "\\{2AFF264E-B722-4359-8E0F-947B85594A9A}"
$s3 = "Global\\{26C96B51-2B5D-4D7B-BED1-3DCA4848EDD1}" wide
$s4 = "{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" wide
$s5 = "{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" wide
$s6 = "XXXModule_func.dll"
// driver paths; both required, see note above
$driver1 = "\\drivers\\hidmouse.sys" wide fullword
$driver2 = "\\drivers\\hidusb.sys" wide fullword
condition:
uint16(0) == 0x5a4d and (any of ($s*) or all of ($driver*))
}
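// fcClientDll (responsor.dat) module: C2 URL/cookie/response templates and
// named-pipe and class identifiers (any one suffices), a repeated ".fc_net.msg"
// marker (at least 8 occurrences), or at least four of the SQLite schema
// statements it uses for its local store.
// The schema strings used to be named $sql1-$sql7. In YARA a wildcard set such
// as ($s*) matches every identifier starting with "$s", so ($s*) also swallowed
// $sql1-$sql7 and a single generic statement like
// "create table if not exists clipboard" was enough to fire the rule, making the
// "4 of ($sql*)" clause dead. They are renamed to $q1-$q7 so the two sets are
// disjoint and the intended threshold applies.
rule apt_Windows_TA410_FlowCloud_fcClientDll_strings
{
meta:
description = "Strings found in fcClientDll/responsor.dat module."
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
// each of these is specific enough to match on its own
$s1 = "http://%s/html/portlet/ext/draco/resources/draco_manager.swf/[[DYNAMIC]]/1"
$s2 = "Cookie: COOKIE_SUPPORT=true; JSESSIONID=5C7E7A60D01D2891F40648DAB6CB3DF4.jvm1; COMPANY_ID=10301; ID=666e7375545678695645673d; PASSWORD=7a4b48574d746470447a303d; LOGIN=6863303130; SCREEN_NAME=4a2b455377766b657451493d; GUEST_LANGUAGE_ID=en-US"
$s4 = "\\pipe\\namedpipe_keymousespy_english" wide
$s5 = "8932910381748^&*^$58876$%^ghjfgsa413901280dfjslajflsdka&*(^7867=89^&*F(^&*5678f5ds765f76%&*%&*5"
$s6 = "cls_{CACB140B-0B82-4340-9B05-7983017BA3A4}" wide
$s7 = "HTTP/1.1 200 OK\x0d\nServer: Apache-Coyote/1.1\x0d\nPragma: No-cache\x0d\nCache-Control: no-cache\x0d\nExpires: Thu, 01 Jan 1970 08:00:00 CST\x0d\nLast-Modified: Fri, 27 Apr 2012 08:11:04 GMT\x0d\nContent-Type: application/xml\x0d\nContent-Length: %d\x0d\nDate: %s GMT"
// short marker, counted rather than matched once
$fc_msg = ".fc_net.msg"
// SQLite schema statements; individually generic, hence the threshold of 4
$q1 = "create table if not exists table_filed_space"
$q2 = "create table if not exists clipboard"
$q3 = "create trigger if not exists file_after_delete after delete on file"
$q4 = "create trigger if not exists file_data_after_insert after insert on file_data"
$q5 = "create trigger if not exists file_data_after_delete after delete on file_data"
$q6 = "create trigger if not exists file_data_after_update after update on file_data"
$q7 = "insert into file_data(file_id, ofs, data, status)"
condition:
uint16(0) == 0x5a4d and (any of ($s*) or #fc_msg >= 8 or 4 of ($q*))
}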
// TA410 rootkit driver: the hidmouse.sys path and all three registry/value-name
// strings are mandatory, plus either the complete set of \Driver\ object names
// (keyboard, mouse, tcpip, nsiproxy) or the complete set of matching \Device\
// names. The driver/device names are standard Windows object paths and are
// only meaningful in combination, which the condition enforces.
rule apt_Windows_TA410_Rootkit_strings
{
meta:
description = "Strings found in TA410's Rootkit"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
strings:
// input-class and network driver / device object names (standard Windows paths)
$driver1 = "\\Driver\\kbdclass" wide
$driver2 = "\\Driver\\mouclass" wide
$device1 = "\\Device\\KeyboardClass0" wide
$device2 = "\\Device\\PointerClass0" wide
$driver3 = "\\Driver\\tcpip" wide
$device3 = "\\Device\\tcp" wide
$driver4 = "\\Driver\\nsiproxy" wide
$device4 = "\\Device\\Nsi" wide
// registry key and value-name format strings
$reg1 = "\\Registry\\Machine\\SYSTEM\\Setup\\AllowStart\\ceipCommon" wide
$reg2 = "RHH%d" wide
$reg3 = "RHP%d" wide
// on-disk driver path; same file name as in the fcClient rule
$s1 = "\\SystemRoot\\System32\\drivers\\hidmouse.sys" wide
condition:
// ($s1,$reg*) is an explicit string set: $s1 and every $reg* must match
uint16(0) == 0x5a4d and all of ($s1,$reg*) and (all of ($driver*) or all of ($device*))
}
// FlowCloud 5.0.2 resource layout: a PE with at least 13 resources, of which at
// least 12 are RT_RCDATA (type 10), language 1033 (en-US), and carry one of the
// listed numeric names. Names are compared as UTF-16LE strings of the decimal ID
// (e.g. "1\x000\x000\x00" is "100"), because name_string holds the raw wide name.
// No string patterns are involved, so this is purely a structural match.
rule apt_Windows_TA410_FlowCloud_v5_resources
{
meta:
description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 5.0.2"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
condition:
uint16(0) == 0x5a4d and pe.number_of_resources >= 13 and
// "for 12" means at least 12 resources satisfy the body
for 12 resource in pe.resources:
( resource.type == 10 and resource.language == 1033 and
//resource name is one of 100, 1000, 10000, 1001, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 2000, 2001 as widestring
(resource.name_string == "1\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x000\x00" or
resource.name_string == "1\x000\x000\x001\x00" or resource.name_string == "1\x000\x001\x00" or resource.name_string == "1\x000\x002\x00" or
resource.name_string == "1\x000\x003\x00" or resource.name_string == "1\x000\x004\x00" or resource.name_string == "1\x000\x005\x00" or
resource.name_string == "1\x000\x006\x00" or resource.name_string == "1\x000\x007\x00" or resource.name_string == "1\x000\x008\x00" or
resource.name_string == "1\x000\x009\x00" or resource.name_string == "1\x001\x000\x00" or resource.name_string == "2\x000\x000\x000\x00" or resource.name_string == "2\x000\x000\x001\x00")
)
}
// FlowCloud 4.1.3 resource layout: a PE with at least 6 resources, of which at
// least 5 are RT_RCDATA (type 10), language 1033 (en-US), named 10000-10005 or
// 10100. Names are compared as UTF-16LE strings of the decimal ID, as in the
// v5 rule above. Purely structural; no string patterns.
rule apt_Windows_TA410_FlowCloud_v4_resources
{
meta:
description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 4.1.3"
reference = "https://www.welivesecurity.com/"
source = "https://github.com/eset/malware-ioc/"
license = "BSD 2-Clause"
version = "1"
author = "ESET Research"
date = "2021-10-12"
condition:
uint16(0) == 0x5a4d and pe.number_of_resources >= 6 and
// "for 5" means at least 5 resources satisfy the body
for 5 resource in pe.resources:
( resource.type == 10 and resource.language == 1033 and
// resource name is one of 10000, 10001, 10002, 10003, 10004, 10005, 10100 as wide string
(resource.name_string == "1\x000\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x001\x00" or
resource.name_string == "1\x000\x000\x000\x002\x00" or resource.name_string == "1\x000\x000\x000\x003\x00" or
resource.name_string == "1\x000\x000\x000\x004\x00" or resource.name_string == "1\x000\x000\x000\x005\x00" or resource.name_string == "1\x000\x001\x000\x000\x00")
)
}