29 lines
1,022 B
Text
29 lines
1,022 B
Text
|
import "pe"
|
||
|
|
||
|
rule apt_win_freshfire : APT29
|
||
|
{
|
||
|
meta:
|
||
|
author = "threatintel@volexity.com"
|
||
|
date = "2021-05-27"
|
||
|
description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server."
|
||
|
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
|
||
|
hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c"
|
||
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
|
||
|
strings:
|
||
|
$uniq1 = "UlswcXJJWhtHIHrVqWJJ"
|
||
|
$uniq2 = "gyibvmt\x00"
|
||
|
|
||
|
$path1 = "root/time/%d/%s.json"
|
||
|
$path2 = "C:\\dell.sdr"
|
||
|
$path3 = "root/data/%d/%s.json"
|
||
|
|
||
|
condition:
|
||
|
(
|
||
|
pe.number_of_exports == 1 and
|
||
|
pe.exports("WaitPrompt")
|
||
|
) or
|
||
|
any of ($uniq*) or
|
||
|
2 of ($path*)
|
||
|
}
|