rule APT_Equation_Group_Op_Triangulation_TriangleDB_Implant_Jun23_1 {
   meta:
      description = "Detects TriangleDB implant found being used in Operation Triangulation on iOS devices (maybe also used on macOS systems)"
      author = "Florian Roth"
      reference = "https://securelist.com/triangledb-triangulation-implant/110050/"
      date = "2023-06-21"
      score = 80
      id = "d81a5103-41c8-5dba-a560-8fb5514f6c0a"
   strings:
      // Implant symbol / class names. 'fullword' prevents hits on these as substrings of longer identifiers.
      $anchor   = "unmungeHexString" ascii fullword      // mandatory in the header-gated branch below
      $cr_pwr   = "CRPwrInfo" ascii fullword
      $cr_cfg   = "CRConfig" ascii fullword
      $cr_dbsrv = "CRXConfigureDBServer" ascii fullword
   condition:
      // Branch 1: 64-bit Mach-O only. MH_MAGIC_64 is 0xfeedfacf stored little-endian,
      // so the first two bytes read back as 0xfacf via uint16(0).
      // NOTE(review): this header check does NOT satisfy 32-bit Mach-O (0xfeedface) or
      // fat/universal binaries (0xcafebabe); such files can only match through branch 2.
      // The header-gated branch is limited to files under 30MB and requires the anchor
      // string plus at least one of the CR* class names.
      (
         uint16(0) == 0xfacf
         and filesize < 30MB
         and $anchor
         and 1 of ($cr_pwr, $cr_cfg, $cr_dbsrv)
      )
      // Branch 2: no header or size constraint (presumably for memory dumps / unpacked
      // payloads), but every marker string must be present.
      or all of them
}