Sneed-Reactivity/yara-Neo23x0/apt_bitter.yar


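rule EXT_APT_Bitter_Win32k_0day_Feb21 {
   /*
      Detects the win32k kernel 0day exploit binary reported in the referenced
      write-up as used by the Bitter APT group.

      Logic: a PE file (MZ header) that contains ALL four API / syscall names
      in $s* AND at least one of the three x64 code fragments in $a*.
      The $s* names alone are common in legitimate GUI software; the $a*
      fragments carry the specificity.
   */
   meta:
      description = "Detects code that exploits a Windows 0day exploited by Bitter APT group"
      author = "dbappsecurity_lieying_lab"
      date = "2021-01-01"
      reference = "https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/"
      id = "b1892b52-4b94-5571-ad63-8750a321f1f2"
   strings:
      // win32k syscall / user-mode-callback entry points the rule author ties
      // to the exploit chain (see reference).
      $s1 = "NtUserConsoleControl" ascii wide
      $s2 = "NtCallbackReturn" ascii wide
      // Generic user32 window APIs. Substring match, so the A/W and the
      // SetWindowLongPtr variants are covered as well.
      $s3 = "CreateWindowEx" ascii wide
      $s4 = "SetWindowLong" ascii wide

      // x64 code fragments lifted from the exploit binary.
      // Decoding of the bytes (for maintainers): shr rax,2 ; shr rcx,2 ;
      // mov dword [rdx+rcx*4], imm32 (the immediate is deliberately not included).
      $a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
      // nop word [rax+rax] ; cmp byte [rcx+rax],0xE8 ; jz +0x22 ; inc edx ; inc rcx
      // -- a byte-scan loop, presumably looking for E8 (CALL rel32).
      $a2 = {66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
      // movsxd rax,[rip+disp32] ; mov ecx,[rip+disp32] ; shl rax,32 ; add rax,rcx
      // The two RIP-relative disp32 values are build-specific (they move whenever
      // the exploit is recompiled or its data layout changes), so they are
      // wildcarded. The original rule hard-coded them as CC 69 05 00 and
      // C2 69 05 00; every file the original matched still matches.
      $a3 = {48 63 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 48 C1 E0 20 48 03 C1}
   condition:
      uint16(0) == 0x5a4d    // "MZ" DOS header: only evaluate PE files
      and all of ($s*)       // every API / syscall name must be present
      and 1 of ($a*)         // plus at least one of the code fragments
}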