Sneed-Reactivity/yara-mikesxrs/Blackberry/Mal_Infostealer_MSI_EXE_Jupyter_Certificate.yar

44 lines
2 KiB
Text
Raw Normal View History

rule Mal_Infostealer_MSI_EXE_Jupyter_Certificate
{
meta:
description = "Detects Jupter by certificate"
reference = "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise"
author = "BlackBerry Threat Research Team"
date = "2021-11-04"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
strings:
// MSI Installer
$msi = { D0 CF 11 E0 A1 B1 1A E1 }
// MSI Strings
$a1 = "EMCO MSI Package Builder"
// PowerShell execution strings
$b1 = "powershell-ExecutionPolicy bypass -command \"iex([\\[]IO.File[\\]]::ReadAllText('[CurrentUserProfileFolder]" nocase
$b2 = "powershell-ep bypass -file \"[AppDataFolder]" nocase
$b3 = /powershell-ep bypass -windowstyle hidden -command \"\$xp=\'\[AppDataFolder\].{0,256}\.{0,256}\'/ nocase
$b4 = /powershell-ep bypass -windowstyle hidden -command \"\$p=\'\[AppDataFolder\].{0,256}\.{0,256}\'/ nocase
$b5 = /powershell-ExecutionPolicy bypass -command \"iex\(\[\\\[\]IO.File\[\\\]\]::ReadAllText\(\'\[CurrentUserProfileFolder\].{1,256}\..{1,256}\'\)\)/ nocase
// Certificate Name
$c1 = "OOO ENDI"
$c2 = "OOO MVS"
$c3 = "OOO LEVELAP"
$c4 = "Soto Manufacturing SRL"
$c5 = "Decapolis Consulting Inc."
// Co-signers
$f1 = "SSL.com EV Root Certification Authority RSA R2"
$f2 = "SSL.com EV Code Signing Intermediate CA RSA R3"
$f3 = "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
$f4 = "DigiCert Trusted Root G40"
condition:
($msi at 0 or uint16(0) == 0x5a4d) and
all of ($a*) and
1 of ($b*) and
1 of ($c*) and
2 of ($f*)
}