31 lines
989 B
Text
31 lines
989 B
Text
|
import "pe"
|
||
|
|
|
||
|
|
rule general_win_golang_socks
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
author = "paloaltonetworks"
|
||
|
|
date = "2022-03-13"
|
||
|
|
description = "potentially unwanted GO application with proxy communication capabilities"
|
||
|
|
reference = "https://unit42.paloaltonetworks.com/popping-eagle-malware/"
|
||
|
|
|
||
|
|
strings:
|
||
|
|
$go_name_1 = "main.go" nocase ascii // default go name for the “func main(){...}” in "package main”
|
||
|
|
$go_name_2 = "eagle" nocase ascii
|
||
|
|
$go_name_3 = "popo" nocase ascii
|
||
|
|
$go_name_4 = "-Client-Dll/" nocase ascii
|
||
|
|
|
||
|
|
$go_pkg_1 = "github.com/armon/go-socks5" nocase wide ascii
|
||
|
|
$go_pkg_2 = "github.com/hashicorp/yamux" nocase wide ascii
|
||
|
|
$go_pkg_3 = "github.com/fatedier/frp/vendor" wide ascii
|
||
|
|
$go_pkg_4 = "github.com/rofl0r/rocksocks5" wide ascii
|
||
|
|
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and
|
||
|
|
filesize < 7MB and
|
||
|
|
(
|
||
|
|
1 of ($go_name_*) and
|
||
|
|
2 of ($go_pkg_*)
|
||
|
|
)
|
||
|
|
}
|
||
|
|
|