31 lines
1.2 KiB
Text
31 lines
1.2 KiB
Text
|
|
||
|
|
rule HKTL_Venom_LIB_Dec22 {
|
||
|
|
meta:
|
||
|
|
description = "Detects Venom - a library that meant to perform evasive communication using stolen browser socket"
|
||
|
|
author = "Ido Veltzman, Florian Roth"
|
||
|
|
reference = "https://github.com/Idov31/Venom"
|
||
|
|
date = "2022-12-17"
|
||
|
|
score = 75
|
||
|
|
id = "b13b8a9c-52a4-53ac-817e-9f729fbf17c2"
|
||
|
|
strings:
|
||
|
|
$x1 = "[ + ] Created detached hidden msedge process: " fullword ascii
|
||
|
|
|
||
|
|
$ss1 = "WS2_32.dll" fullword ascii
|
||
|
|
$ss2 = "WSASocketW" fullword ascii
|
||
|
|
$ss3 = "WSADuplicateSocketW" fullword ascii
|
||
|
|
$ss5 = "\\Device\\Afd" wide fullword
|
||
|
|
|
||
|
|
$sx1 = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --no-startup-window" fullword wide
|
||
|
|
$sx2 = "[ + ] Data sent!" fullword ascii
|
||
|
|
$sx3 = "[ + ] Socket obtained!" fullword ascii
|
||
|
|
|
||
|
|
$op1 = { 4c 8b f0 48 3b c1 48 b8 ff ff ff ff ff ff ff 7f }
|
||
|
|
$op2 = { 48 8b cf e8 1c 34 00 00 48 8b 5c 24 30 48 8b c7 }
|
||
|
|
$op3 = { 48 8b da 48 8b f9 45 33 f6 48 85 c9 0f 84 34 01 }
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and (
|
||
|
|
( 3 of ($ss*) and all of ($op*) )
|
||
|
|
or 2 of ($sx*)
|
||
|
|
) or $x1 or all of ($sx*)
|
||
|
|
}
|