Sneed-Reactivity/yara-Neo23x0/apt_eqgrp_triangulation_jun23.yar

19 lines
725 B
Text
Raw Normal View History

rule APT_Equation_Group_Op_Triangulation_TriangleDB_Implant_Jun23_1 {
meta:
description = "Detects TriangleDB implant found being used in Operation Triangulation on iOS devices (maybe also used on macOS systems)"
author = "Florian Roth"
reference = "https://securelist.com/triangledb-triangulation-implant/110050/"
date = "2023-06-21"
score = 80
id = "d81a5103-41c8-5dba-a560-8fb5514f6c0a"
strings:
$s1 = "unmungeHexString" ascii fullword
$s2 = "CRPwrInfo" ascii fullword
$s3 = "CRConfig" ascii fullword
$s4 = "CRXConfigureDBServer" ascii fullword
condition:
( uint16(0) == 0xfacf and filesize < 30MB and $s1 and 2 of them )
or all of them
}