Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_macos_apt_sofacy_xagent.yara

include "../../MachO.yara"

rule malware_macos_apt_sofacy_xagent
{
    meta:
        description = "sofacy xagent for macOS"
        reference_1 = "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
        reference_2 = "https://blog.malwarebytes.com/cybercrime/2017/03/two-new-mac-backdoors-discovered/"
        author = "@mimeframe"
        md5 = "4fe4b9560e99e33dabca553e2eeee510"
    strings:
        // malware commands
        $a1 = "remoteShell" ascii wide
        $a2 = "getInfoOSX" ascii wide
        $a3 = "ftpUpload" ascii wide
        $a4 = "startUploading" ascii wide
        $a5 = "deleteFile:"  ascii wide
        $a6 = "executeShellCommand" ascii wide
        $a7 = "getFirefoxPassword" ascii wide
        $a8 = "generateRandomPathAndName" ascii wide
        $a9 = "createCryptPacket" ascii wide
        $a10 = "CameraShot" ascii wide
        $a11 = "7Cryptor" ascii wide
        $a12 = "8ICryptor" ascii wide
        $a13 = "Keylogger" ascii wide
        $a14 = "BootXLoader" ascii wide
        $a15 = "InjectApp" ascii wide
        // unique malware strings
        $b1 = "/Project/XAgentOSX/" ascii wide
        $b2 = "XLoader_OSX" fullword ascii wide
        $b3 = "<span class='keylog_user_keys'>" ascii wide
        $b4 = "<span class='keylog_process'>" ascii wide
        $b5 = "<span class='keylog_spec_key'>" ascii wide
        $b6 = "<font size=4 color=red><pre>Stop take screenshot</pre></font>" ascii wide
        // c2 domains
        $c1 = "http://23.227.196.215/" ascii wide
        $c2 = "http://apple-iclods.org/" ascii wide
        $c3 = "http://apple-checker.org/" ascii wide
        $c4 = "http://apple-uptoday.org/" ascii wide
        $c5 = "http://apple-search.info" ascii wide
        // c2 URL paths
        $d1 = "watch/?" fullword ascii wide
        $d2 = "search/?" fullword ascii wide
        $d3 = "find/?" fullword ascii wide
        $d4 = "results/?" fullword ascii wide
        $d5 = "open/?" fullword ascii wide
        $d6 = "search/?" fullword ascii wide
        $d7 = "close/?" fullword ascii wide
        // c2 URL parameters
        $e1 = "itwm=" fullword ascii wide
        $e2 = "text=" fullword ascii wide
        $e3 = "from=" fullword ascii wide
        $e4 = "itwm=" fullword ascii wide
        $e5 = "ags=" fullword ascii wide
        $e6 = "btnG=" fullword ascii wide
        $e7 = "oprnd=" fullword ascii wide
        $e8 = "itwm=" fullword ascii wide
        $e9 = "utm=" fullword ascii wide
        $e10 = "channel=" fullword ascii wide
    condition:
        MachO and (5 of ($a*) or any of ($b*) or any of ($c*) or 4 of ($d*) or 5 of ($e*))
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`include "../../MachO.yara"`

			`rule malware_macos_apt_sofacy_xagent`
			`{`
			`meta:`
			`description = "sofacy xagent for macOS"`
			`reference_1 = "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"`
			`reference_2 = "https://blog.malwarebytes.com/cybercrime/2017/03/two-new-mac-backdoors-discovered/"`
			`author = "@mimeframe"`
			`md5 = "4fe4b9560e99e33dabca553e2eeee510"`
			`strings:`
			`// malware commands`
			`$a1 = "remoteShell" ascii wide`
			`$a2 = "getInfoOSX" ascii wide`
			`$a3 = "ftpUpload" ascii wide`
			`$a4 = "startUploading" ascii wide`
			`$a5 = "deleteFile:" ascii wide`
			`$a6 = "executeShellCommand" ascii wide`
			`$a7 = "getFirefoxPassword" ascii wide`
			`$a8 = "generateRandomPathAndName" ascii wide`
			`$a9 = "createCryptPacket" ascii wide`
			`$a10 = "CameraShot" ascii wide`
			`$a11 = "7Cryptor" ascii wide`
			`$a12 = "8ICryptor" ascii wide`
			`$a13 = "Keylogger" ascii wide`
			`$a14 = "BootXLoader" ascii wide`
			`$a15 = "InjectApp" ascii wide`
			`// unique malware strings`
			`$b1 = "/Project/XAgentOSX/" ascii wide`
			`$b2 = "XLoader_OSX" fullword ascii wide`
			`$b3 = "<span class='keylog_user_keys'>" ascii wide`
			`$b4 = "<span class='keylog_process'>" ascii wide`
			`$b5 = "<span class='keylog_spec_key'>" ascii wide`
			`$b6 = "<font size=4 color=red><pre>Stop take screenshot</pre></font>" ascii wide`
			`// c2 domains`
			`$c1 = "http://23.227.196.215/" ascii wide`
			`$c2 = "http://apple-iclods.org/" ascii wide`
			`$c3 = "http://apple-checker.org/" ascii wide`
			`$c4 = "http://apple-uptoday.org/" ascii wide`
			`$c5 = "http://apple-search.info" ascii wide`
			`// c2 URL paths`
			`$d1 = "watch/?" fullword ascii wide`
			`$d2 = "search/?" fullword ascii wide`
			`$d3 = "find/?" fullword ascii wide`
			`$d4 = "results/?" fullword ascii wide`
			`$d5 = "open/?" fullword ascii wide`
			`$d6 = "search/?" fullword ascii wide`
			`$d7 = "close/?" fullword ascii wide`
			`// c2 URL parameters`
			`$e1 = "itwm=" fullword ascii wide`
			`$e2 = "text=" fullword ascii wide`
			`$e3 = "from=" fullword ascii wide`
			`$e4 = "itwm=" fullword ascii wide`
			`$e5 = "ags=" fullword ascii wide`
			`$e6 = "btnG=" fullword ascii wide`
			`$e7 = "oprnd=" fullword ascii wide`
			`$e8 = "itwm=" fullword ascii wide`
			`$e9 = "utm=" fullword ascii wide`
			`$e10 = "channel=" fullword ascii wide`
			`condition:`
			`MachO and (5 of ($a) or any of ($b) or any of ($c) or 4 of ($d) or 5 of ($e*))`
			`}`