Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_macos_bella.yara


rule malware_macos_bella
{
    meta:
        description = "Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS."
        reference = "https://github.com/Trietptm-on-Security/Bella"
        author = "@mimeframe"

    strings:
        // Agent side (Bella.py): user-visible status / error messages.
        // Note that the condition fires on a single one of these, so any
        // file that merely quotes one of them (a report, this rule) matches too.
        $bella_2fv    = "Verified! [2FV Enabled] Account ->" ascii wide
        $bella_noroot = "There is no root shell to perform this command. See [rooter] manual entry." ascii wide
        $bella_esc    = "Attempt to escalate Bella to root through a variety of attack vectors." ascii wide
        $bella_banner = "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER." ascii wide

        // Operator side (Control Center.py): command identifiers, matched as
        // whole words so that longer names containing them do not count.
        $cc_phish = "user_pass_phish" fullword ascii wide
        $cc_info  = "bella_info" fullword ascii wide
        $cc_root  = "get_root" fullword ascii wide

        // Builder prompts.
        $bld_server = "Please specify a bella server." ascii wide
        $bld_port   = "What port should Bella connect on [Default is 4545]:" ascii wide

    condition:
        // One agent string is enough on its own; the operator and builder
        // groups each have to be matched in full.
        1 of ($bella_*) or all of ($cc_*) or all of ($bld_*)
}