145 lines
5.8 KiB
Text
145 lines
5.8 KiB
Text
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: Florian Roth
|
||
|
Date: 2018-03-09
|
||
|
Identifier: Slingshot APT
|
||
|
Reference: https://securelist.com/apt-slingshot/84312/
|
||
|
*/
|
||
|
|
||
|
import "pe"
|
||
|
|
||
|
rule Slingshot_APT_Spork_Downloader {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
id = "21e02f78-40d8-5b56-b747-3f2a7a692259"
|
||
|
strings:
|
||
|
$s1 = "Usage: spork -c IP:PORT" fullword ascii wide
|
||
|
$s2 = "connect-back IP address and port number"
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them
|
||
|
}
|
||
|
|
||
|
rule Slingshot_APT_Minisling {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
id = "99f9d5a1-b29f-52f7-9aec-02df4a51a756"
|
||
|
strings:
|
||
|
$s1 = "{6D29520B-F138-442e-B29F-A4E7140F33DE}" fullword ascii wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them
|
||
|
}
|
||
|
|
||
|
rule Slingshot_APT_Ring0_Loader {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
id = "b5301a45-a4ec-5e56-a990-bc6300ee6365"
|
||
|
strings:
|
||
|
$s1 = " -> Missing element in DataDir -- cannot install" ascii
|
||
|
$s2 = " -> Primary loader not present in the DataDir" ascii
|
||
|
$s3 = "\\\\.\\amxpci" fullword ascii
|
||
|
$s4 = " -> [Goad] ERROR in CreateFile:" fullword ascii
|
||
|
$s5 = "\\\\.\\Sandra" fullword ascii
|
||
|
$s6 = " -> [Sandra] RingZeroCode" fullword ascii
|
||
|
$s7 = " -> [Sandra] Value from IOCTL_RDMSR:" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them
|
||
|
}
|
||
|
|
||
|
rule Slingshot_APT_Malware_1 {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
hash1 = "4b250304e28648574b441831bf579b844e8e1fda941fb7f86a7ea7c4291bbca6"
|
||
|
id = "72f4a52b-c70b-511f-acf5-6d680a95c7d6"
|
||
|
strings:
|
||
|
$s1 = "SlingDll.dll" fullword ascii
|
||
|
$s2 = "BogusDll." ascii
|
||
|
$s3 = "smsvcrt -h 0x%p" fullword wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 700KB and (
|
||
|
pe.imphash() == "7ead4bb0d752003ce7c062adb7ffc51a" or
|
||
|
pe.exports("WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW0000") or
|
||
|
1 of them
|
||
|
)
|
||
|
}
|
||
|
|
||
|
rule Slingshot_APT_Malware_2 {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
hash1 = "2a51ef6d115daa648ddd57d1e4480f5a18daf40986bfde32aab19349aa010e67"
|
||
|
id = "b85d3d81-0148-5ea0-9eff-d9bb63e3e75b"
|
||
|
strings:
|
||
|
$x1 = "\\\\?\\c:\\RECYCLER\\S-1-5-21-2225084468-623340172-1005306204-500\\INFO5" fullword wide
|
||
|
$x_slingshot = {09 46 BE 57 42 DD 70 35 5E }
|
||
|
|
||
|
$s1 = "Opening service %s for stop access failed.#" fullword wide
|
||
|
$s2 = "LanMan setting <%s> is ignored because system has a higher value already." fullword wide
|
||
|
$s3 = "\\DosDevices\\amxpci" wide
|
||
|
$s4 = "lNTLMqSpPD" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 900KB and ( 1 of ($x*) or 4 of them )
|
||
|
}
|
||
|
|
||
|
rule Slingshot_APT_Malware_3 {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
hash1 = "fa513c65cded25a7992e2b0ab03c5dd5c6d0fc2282cd64a1e11a387a3341ce18"
|
||
|
id = "4ef1f9a6-3d80-545e-8ac3-c6d46c71fca1"
|
||
|
strings:
|
||
|
$a1 = "chmhlpr.dll" fullword ascii
|
||
|
$s2 = "%hc%hc%hc%hc" fullword ascii
|
||
|
$s3 = "%hc%hc%hc=" fullword ascii
|
||
|
$s4 = "%hc%hc==" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 100KB and (
|
||
|
pe.imphash() == "2f3b3df466e24e0792e0e90d668856bc" or
|
||
|
pe.exports("dll_u") or
|
||
|
( $a1 and 2 of ($s*) )
|
||
|
)
|
||
|
}
|
||
|
|
||
|
rule Slingshot_APT_Malware_4 {
|
||
|
meta:
|
||
|
description = "Detects malware from Slingshot APT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://securelist.com/apt-slingshot/84312/"
|
||
|
date = "2018-03-09"
|
||
|
hash1 = "38c4f5320b03cbaf5c14997ea321507730a8c16906e5906cbf458139c91d5945"
|
||
|
id = "0f957330-1834-550f-ba5d-fb2bf0dfba7f"
|
||
|
strings:
|
||
|
$x1 = "Ss -a 4104 -s 257092 -o 8 -l 406016 -r 4096 -z 315440" fullword wide
|
||
|
|
||
|
$s1 = "Slingshot" fullword ascii
|
||
|
$s2 = "\\\\?\\e:\\$Recycle.Bin\\" wide
|
||
|
$s3 = "LineRecs.reloc" fullword ascii
|
||
|
$s4 = "EXITGNG" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 1000KB and (
|
||
|
$x1 or 2 of them
|
||
|
)
|
||
|
}
|