include "../../MachO.yara"
// Generic detection for the macOS Proton RAT family.
// Fires on a Mach-O file (gated by the `MachO` rule, presumably defined in the
// included ../../MachO.yara — confirm) that carries strings from BOTH of two
// bundled third-party components: the SocketRocket WebSocket client ($a*) and
// an SSHTunnel helper ($b*). Each library is legitimate open source on its own;
// requiring one hit from each family is what keeps the rule from matching
// ordinary apps that embed only one of them.
rule malware_macos_proton_rat_generic
{
meta:
// NOTE(review): `description` holds a URL rather than prose; a one-line
// summary of what is detected (with both links under `reference`) would make
// scanner output and rule inventories easier to read.
description = "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/"
reference = "https://objective-see.com/blog/blog_0x1D.html"
author = "@mimeframe"
// Sample the rule was written against (MD5 as given by the rule author).
md5 = "6a2d0c8b20efc3fa283176a4bc76d6fd"
strings:
// Family A: class/library names from the SocketRocket WebSocket client.
// `wide ascii` covers both UTF-16LE and 8-bit encodings; `nocase` tolerates
// case changes in rebuilt or renamed symbols.
// https://github.com/facebook/SocketRocket
$a1 = "SRWebSocket" nocase wide ascii
$a2 = "SocketRocket" nocase wide ascii
// Family B: status/log messages from the SSHTunnel helper.
// https://github.com/joeroback/SSHTunnel/
$b1 = "SSH tunnel not launched" nocase wide ascii
$b2 = "SSH tunnel still running" nocase wide ascii
$b3 = "SSH tunnel already launched" nocase wide ascii
$b4 = "Entering interactive session." nocase wide ascii
condition:
// File-format gate first, then at least one string from each family.
MachO and any of ($a*) and any of ($b*)
}