/*
Yara Rule Set
Author: SECUINFRA Falcon Team
Date: 2022-06-23
Identifier: 0x03-yara_win-Bitter_T-APT-17
Reference: "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
*/
/* Rule Set ---------------------------------------- */
// Verification rule for Bitter (T-APT-17) maldocs: matches XOR-encoded
// API/path strings together with one fixed byte pattern in the embedded
// oleObject (see `description`). Per the author's note under `strings`,
// it is a confirmation rule, not a hunting rule.
rule APT_Bitter_Maldoc_Verify {

    meta:
        description = "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)"
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        tlp = "WHITE"
        reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
        // NOTE(review): the file header is dated 2022-06-23; the rule itself
        // carries the earlier date below.
        date = "2022-06-01"
        // Reference sample hashes (64 hex chars, i.e. SHA-256 length). Whether
        // they are the maldoc containers or the extracted oleObjects is not
        // stated here — check the reference before using them for triage.
        hash0 = "0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450"
        hash1 = "bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d"
        hash2 = "3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6"

    strings:
        // This rule is meant to be used for verification of a Bitter Maldoc
        // rather than a hunting rule since the oleObject it is matching is
        // compressed in the doc zip
        //
        // Every $xor_string* uses the bare `xor` modifier, so YARA tries all
        // single-byte keys 0x00-0xff. Key 0x00 means the plaintext strings
        // match too; use xor(0x01-0xff) only if plaintext hits are unwanted.
        $xor_string0 = "LoadLibraryA" xor
        $xor_string1 = "urlmon.dll" xor
        $xor_string2 = "Shell32.dll" xor
        $xor_string3 = "ShellExecuteA" xor
        $xor_string4 = "MoveFileA" xor
        $xor_string5 = "CreateDirectoryA" xor
        $xor_string6 = "C:\\Windows\\explorer" xor
        // 24-byte literal: four 6-byte units, 00 00 01 12 83 41 twice followed
        // by 00 00 01 12 83 42 twice. The author names it "padding"; what it
        // corresponds to inside the oleObject is not documented here.
        $padding = {000001128341000001128341000001128342000001128342}

    condition:
        // Any three of the seven XOR-encoded strings plus the literal pattern.
        // There is no filesize or magic constraint, consistent with the note
        // above that the rule is applied to the extracted oleObject rather
        // than to the document container.
        3 of ($xor_string*)
        and $padding
}