Sneed-Reactivity/yara-Neo23x0/apt_apt19.yar

70 lines
2.8 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Ian.Ahl@fireeye.com @TekDefense, modified by Florian Roth
Date: 2017-06-05
Identifier: APT19
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
*/
rule Beacon_K5om {
meta:
description = "Detects Meterpreter Beacon - file K5om.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
date = "2017-06-07"
hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
id = "9354d20a-d798-55bf-a735-820f21d4a861"
strings:
$x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
$x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
$x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii
$s1 = "Could not open process token: %d (%u)" fullword ascii
$s2 = "0fd00b.dll" fullword ascii
$s3 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
$s4 = "Could not connect to pipe (%s): %d" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 3 of them ) )
}
/* Rule Set ----------------------------------------------------------------- */
rule FE_LEGALSTRIKE_MACRO {
meta:
version=".1"
filetype="MACRO"
author="Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth"
date="2017-06-02"
description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
strings:
// OBSFUCATION
$ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
// wscript
$wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
$wsobj2 = "Obj.Run " ascii wide
condition:
all of them
}
rule FE_LEGALSTRIKE_RTF {
meta:
version=".1"
filetype="MACRO"
author="joshua.kim@FireEye. - modified by Florian Roth"
date="2017-06-02"
description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
strings:
$lnkinfo = "4c0069006e006b0049006e0066006f"
$encoded1 = "4f4c45324c696e6b"
$encoded2 = "52006f006f007400200045006e007400720079"
$encoded3 = "4f0062006a0049006e0066006f"
$encoded4 = "4f006c0065"
$datastore = "\\*\\datastore"
condition:
uint32be(0) == 0x7B5C7274 and all of them
}