21 lines
762 B
Text
21 lines
762 B
Text
|
rule apt_py_bluelight_ldr : InkySquid
|
||
|
{
|
||
|
meta:
|
||
|
author = "threatintel@volexity.com"
|
||
|
description = "Python Loader used to execute the BLUELIGHT malware family."
|
||
|
reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
|
||
|
date = "2021-06-22"
|
||
|
hash1 = "80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120"
|
||
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
|
||
|
strings:
|
||
|
$s1 = "\"\".join(chr(ord(" ascii
|
||
|
$s2 = "import ctypes " ascii
|
||
|
$s3 = "ctypes.CFUNCTYPE(ctypes.c_int)" ascii
|
||
|
$s4 = "ctypes.memmove" ascii
|
||
|
$s5 = "python ended" ascii
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|