
import "math"
import "pe"
/*
YARA Rules by Volexity
Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
*/
rule APT_APT29_Win_FlipFlop_LDR : APT29 {
   // Volexity rule for a CobaltStrike loader that swaps each pair of bytes of
   // an embedded file before running it (see description). $s2 and $s3 are the
   // pair-swapped forms of the alphabet and of "Microsoft Base Cryptographic
   // Provider v1.0"; $s1 is presumably another swapped artefact (not verified).
   meta:
      author = "threatintel@volexity.com"
      date = "2021-05-25"
      description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload."
      hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"
      reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
      id = "58696a6f-55a9-5212-9372-a539cc327e6b"
   strings:
      $s1 = "irnjadle"
      $s2 = "BADCFEHGJILKNMPORQTSVUXWZY"
      $s3 = "iMrcsofo taBesC yrtpgoarhpciP orived r1v0."
   condition:
      // all three markers are required; the rule defines no other strings,
      // so "them" is exactly $s1..$s3
      all of them
}
rule APT_APT28_Win_FreshFire : APT29 {
   // Volexity rule for the FRESHFIRE downloader (see description).
   // NOTE(review): the rule name says APT28 while the tag, the source and the
   // rest of this file attribute the sample to APT29; left unchanged because
   // deployed rule sets and reports reference rules by name.
   meta:
      author = "threatintel@volexity.com"
      date = "2021-05-27"
      description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server."
      hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c"
      reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
      id = "050b8e61-139a-5ff5-998a-7de67c9975bf"
   strings:
      // sample-specific tokens; either one alone is considered sufficient
      $uniq1 = "UlswcXJJWhtHIHrVqWJJ"
      $uniq2 = "gyibvmt\x00"
      // path / format-string artefacts; two of three are required
      $path1 = "root/time/%d/%s.json"
      $path2 = "C:\\dell.sdr"
      $path3 = "root/data/%d/%s.json"
   condition:
      // (1) a PE whose export table holds exactly one export named WaitPrompt
      //     (pe.* is undefined on non-PE input, which makes this branch false),
      // (2) any unique token, or
      // (3) at least two of the path artefacts
      ( pe.number_of_exports == 1 and pe.exports("WaitPrompt") )
      or any of ($uniq*)
      or 2 of ($path*)
}
/*
YARA Rules by Florian
Mostly based on MSTIC's report
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
Not shared publicly: rules for CobaltStrike loader samples, ISOs, and a specific msiexec method found in some samples
only available in THOR and VALHALLA
*/
rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_1 {
   // EnvyScout deobfuscator fragment: a JavaScript loop that XORs each
   // character code with 2 (the literal tail of that loop is the signature).
   meta:
      description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      id = "42739aad-a88a-545b-8256-1f727c79c4f8"
   strings:
      $x1 = "[i].charCodeAt(0) ^ 2);}"
   condition:
      // single-string rule: the size cap only bounds the scan cost
      filesize < 5000KB and $x1
}
rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_2 {
   // EnvyScout HTML-smuggling characteristics: the script saves a blob with an
   // .iso name and a CD-image MIME type after checking for a Windows browser.
   // All four fragments are required, which keeps this rule fairly specific.
   meta:
      description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      id = "d5cf3365-fe24-533a-a678-b5b6d4d99997"
   strings:
      $s1 = "saveAs(blob, " ascii
      $s2 = ".iso\");" ascii
      $s3 = "application/x-cd-image" ascii
      $s4 = ".indexOf(\"Win\")!=-1" ascii
   condition:
      filesize < 5000KB and all of ($s*)
}
rule APT_APT29_NOBELIUM_LNK_NV_Link_May21_2 {
   // NV shortcut: command lines that register or start "BOOM"; matched as
   // ASCII or UTF-16 so both script bodies and LNK argument fields are covered.
   meta:
      description = "Detects NV Link as used by NOBELIUM group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      id = "52c2caf9-13df-5614-9c9e-afcd76ec77f9"
   strings:
      $s1 = "RegisterOCX BOOM" ascii wide
      $s2 = "cmd.exe /c start BOOM.exe" ascii wide
   condition:
      // either command line on its own is enough
      filesize < 5000KB and any of them
}
rule APT_APT29_NOBELIUM_LNK_Samples_May21_1 {
   // Small .lnk files that launch rundll32 against one of the known
   // DLL/export pairs. Each $sX pair (DLL name + export) must match
   // completely; the pairs are alternatives.
   meta:
      description = "Detects link file characteristics as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 85
      hash1 = "24caf54e7c3fe308444093f7ac64d6d520c8f44ea4251e09e24931bdb72f5548"
      id = "c807ab5a-f66a-5622-81b1-6e69b6df8446"
   strings:
      $a1 = "rundll32.exe" wide
      // DLL name / export name pairs
      $sa1 = "IMGMountingService.dll" wide
      $sa2 = "MountImgHelper" wide
      $sb1 = "diassvcs.dll" wide
      $sb2 = "InitializeComponent" wide
      $sc1 = "MsDiskMountService.dll" wide
      $sc2 = "DiskDriveIni" wide
      $sd1 = "GraphicalComponent.dll" wide
      $sd2 = "VisualServiceComponent" wide
      $se1 = "data/mstu.dll,MicrosoftUpdateService" wide
   condition:
      // 0x004C at offset 0 is the LNK HeaderSize field; real shortcuts are tiny
      uint16(0) == 0x004c
      and filesize < 4KB
      and $a1
      and (
         all of ($sa*)
         or all of ($sb*)
         or all of ($sc*)
         or all of ($sd*)
         or all of ($se*)
      )
}
rule APT_APT29_NOBELIUM_BoomBox_May21_1 {
   // BoomBox: two hard-coded key-like tokens, matched as whole words in
   // ASCII or UTF-16. No header or size check, so either token alone fires.
   meta:
      description = "Detects BoomBox malware as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 85
      id = "fe964f3e-1cda-5f16-838f-dd7b23cd5651"
   strings:
      $xa1 = "123do3y4r378o5t34onf7t3o573tfo73" ascii wide fullword
      $xa2 = "1233t04p7jn3n4rg" ascii wide fullword
   condition:
      any of them
}
rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
   // Files that carry a PDF header and trailer but none of the object
   // keywords a real PDF contains, and whose body is close to random
   // (encrypted payload masquerading as a PDF).
   meta:
      description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 70
      id = "bdfb9600-edda-5c8c-ab23-14fb71c8e647"
   strings:
      $ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 } // "%PDF-1.3\n%"
      $af1 = { 0a 25 25 45 4f 46 0a }          // "\n%%EOF\n" (7 bytes)
      // structure keywords every genuine PDF has; used as false-positive guards
      $fp1 = "endobj" ascii
      $fp2 = "endstream" ascii
      $fp3 = { 20 6F 62 6A 0A }                // " obj\n"
   condition:
      $ah1 at 0
      and $af1 at (filesize - 7)               // trailer is the last 7 bytes
      and filesize < 100KB
      and not any of ($fp*)
      // entropy of everything after the first 16 bytes; the length argument
      // is filesize, so the range runs 16 bytes past EOF and YARA clamps it
      // to the available data — NOTE(review): confirm for the YARA version
      // in use, older builds may treat an out-of-range length differently
      and math.entropy(16, filesize) > 7
}
rule APT_APT29_NOBELIUM_NativeZone_Loader_May21_1 {
   // NativeZone loader: a rundll32 format string, a CertPKIProvider path and
   // an eglGetConfigs export/import name plus three code fragments.
   meta:
      description = "Detects NativeZone loader as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 85
      hash1 = "136f4083b67bc8dc999eb15bb83042aeb01791fc0b20b5683af6b4ddcf0bbc7d"
      id = "02d9257d-f439-5071-96b0-a973b088e329"
   strings:
      $s1 = "\\SystemCertificates\\Lib\\CertPKIProvider.dll" ascii
      $s2 = "rundll32.exe %s %s" ascii fullword
      $s3 = "eglGetConfigs" ascii fullword
      // code fragments with absolute 0x1001xxxx addresses, i.e. tied to the
      // sample's image base — NOTE(review): likely to miss rebased builds
      $op1 = { 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 33 db 89 5d fc }
      $op2 = { 8b 46 18 e9 30 ff ff ff 90 87 2f 00 10 90 2f 00 10 }
      $op3 = { e8 14 dd ff ff 8b f1 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 }
   condition:
      // "and" binds tighter than "or": a small MZ file needs three strings,
      // anything else needs four. Parentheses make that precedence explicit.
      ( uint16(0) == 0x5a4d and filesize < 3000KB and 3 of them )
      or 4 of them
}
rule APT_APT29_NOBELIUM_BoomBox_May21_2 {
   // BoomBox (.NET): NativeCacheSvc paths, the Dropbox content API host used
   // for retrieval, a rundll32 format string and three code fragments.
   meta:
      description = "Detects BoomBox malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec"
      hash2 = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
      hash3 = "cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c"
      id = "a4144c00-48b2-5520-b773-5d0a5de95fb1"
   strings:
      $x1 = "\\Microsoft\\NativeCache\\NativeCacheSvc.dll" wide
      $x2 = "\\NativeCacheSvc.dll _configNativeCache" wide
      $a1 = "/content.dropboxapi.com" wide fullword
      $s1 = "rundll32.exe {0} {1}" wide fullword
      $s2 = "\\\\CertPKIProvider.dll" wide
      $s3 = "/tmp/readme.pdf" wide
      $s4 = "temp/[^\"]*)\"" wide fullword
      // $op1 is a UTF-16 fragment ("x-API-Arg" followed by "/Or"), $op2/$op3
      // look like CIL metadata/IL bytes — not verified
      $op1 = { 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 01 2f 4f 00 72 00 }
      $op2 = { 25 72 98 01 00 70 6f 34 00 00 0a 25 6f 35 00 00 0a 72 71 02 00 70 72 }
      $op3 = { 4d 05 20 00 12 80 91 04 20 01 08 0e 04 20 00 12 }
   condition:
      // "and" binds tighter than "or": a small MZ file needs three strings,
      // anything else needs four
      ( uint16(0) == 0x5a4d and filesize < 40KB and 3 of them )
      or 4 of them
}
rule APT_APT29_NOBELIUM_Malware_May21_2 {
   // Code-only rule: three x64 fragments that all have to be present.
   // No MZ check, so it also applies to raw shellcode or memory dumps.
   meta:
      description = "Detects malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "292e5b0a12fea4ff3fc02e1f98b7a370f88152ce71fe62670dd2f5edfaab2ff8"
      hash2 = "776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b"
      id = "b1462b4b-227f-5aeb-92ea-bda6a86831c7"
   strings:
      $op1 = { 48 03 c8 42 0f b6 04 21 88 03 0f b6 43 01 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 }
      $op2 = { 48 03 c8 42 0f b6 04 21 88 43 01 41 0f b6 c7 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 }
      $op3 = { 45 0f b6 43 ff 41 8b c2 99 44 88 03 41 0f b6 2b 83 e2 03 03 c2 40 88 6b 01 }
   condition:
      all of ($op*) and filesize < 2200KB
}
rule APT_APT29_NOBELIUM_Stageless_Loader_May21_2 {
   // Stageless loader: build artefacts (DLL name, dev path, typo'd export
   // name) and two code fragments with wildcarded address bytes.
   meta:
      description = "Detects stageless loader as used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf"
      hash2 = "c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78"
      id = "7b83d327-52fc-5401-ae35-00f6b825678a"
   strings:
      $x1 = "DLL_stageless.dll" ascii fullword
      $s1 = "c:\\users\\devuser\\documents" ascii fullword nocase   // leftover build path
      $s2 = "VisualServiceComponent" ascii fullword
      $s3 = "CheckUpdteFrameJavaCurrentVersion" ascii fullword    // "Updte" typo is part of the indicator
      // "?" nibbles leave room for varying address bytes between builds
      $op1 = { a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 }
      $op2 = { ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 e8 d4 00 10 }
   condition:
      // "and" binds tighter than "or": a small MZ file needs two strings,
      // anything else needs three
      ( uint16(0) == 0x5a4d and filesize < 900KB and 2 of them )
      or 3 of them
}
rule APT_APT29_NOBELIUM_Malware_May21_3 {
   // Either the distinctive data blob $xc1 alone, or three of the string /
   // code fragments. ($op3 is not defined; the numbering gap is cosmetic.)
   meta:
      description = "Detects malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e"
      id = "89cb6884-4242-5b5a-b0ac-b31041dd261c"
   strings:
      $s1 = "Win32Project1.dll" ascii fullword   // default Visual Studio project name
      $op1 = { 59 c3 6a 08 68 70 5e 01 10 e8 d2 8c ff ff 8b 7d 08 8b c7 c1 f8 05 }
      $op2 = { 8d 4d f0 e8 c4 12 00 00 68 64 5b 01 10 8d 45 f0 c7 45 f0 6c 01 01 10 50 e8 ea 13 00 00 cc }
      $op4 = { 40 c3 8b 65 e8 e8 a6 86 ff ff cc 6a 0c 68 88 60 01 10 e8 b0 4d ff ff }
      // "%s%s\0\0\0\0/e, \0\0\0\0" followed by UTF-16LE "C:\windows\explorer.exe":
      // adjacent format string, explorer "/e," argument and explorer path
      $xc1 = { 25 73 25 73 00 00 00 00 2F 65 2C 20 00 00 00 00
               43 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00
               77 00 73 00 5C 00 65 00 78 00 70 00 6C 00 6F 00
               72 00 65 00 72 00 2E 00 65 00 78 00 65 }
   condition:
      filesize < 3000KB
      and ( $xc1 or 3 of them )
}
rule APT_APT29_NOBELIUM_Malware_May21_4 {
   // MZ files under 3 MB: either the data blob $xc1 alone, or three of the
   // string / code fragments.
   meta:
      description = "Detects malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4"
      id = "56193475-52b4-5720-abc5-72249e2a0c37"
   strings:
      $s1 = "KM.FileSystem.dll" ascii fullword
      // absolute 0x1004xxxx / 0x1001xxxx addresses tie these to the sample's
      // image base — NOTE(review): rebased builds may not match
      $op1 = { 80 3d 50 6b 04 10 00 0f 85 96 00 00 00 33 c0 40 b9 48 6b 04 10 87 01 33 db 89 5d fc }
      $op2 = { c3 33 c0 b9 7c 6f 04 10 40 87 01 c3 8b ff 55 }
      $op3 = { 8d 4d f4 e8 53 ff ff ff 68 d0 22 01 10 8d 45 f4 50 e8 d8 05 00 00 cc 8b 41 04 }
      // ".dll\0\0\0\0ASKOD\0\0\0Success" — three adjacent string constants
      $xc1 = { 2E 64 6C 6C 00 00 00 00 41 53 4B 4F 44 00 00 00
               53 75 63 63 65 73 73 }
   condition:
      uint16(0) == 0x5a4d
      and filesize < 3000KB
      and ( $xc1 or 3 of them )
}