Sneed-Reactivity/yara-Neo23x0/apt_sharptongue.yar

46 lines
1.9 KiB
Text
Raw Permalink Normal View History

rule APT_SharpTongue_JS_SharpExt_Chrome_Extension : SharpTongue {
meta:
author = "threatintel@volexity.com"
date = "2021-09-14"
description = "A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim"
reference = "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/"
hash1 = "1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00"
hash2 = "6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4"
hash3 = "6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c"
memory_suitable = 1
score = 85
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
id = "61b5176a-ff73-5fce-bc70-c9e09bb5afed"
strings:
$s1 = "\"mode=attach&name=\"" ascii
$s2 = "\"mode=new&mid=\"" ascii
$s3 = "\"mode=attlist\"" ascii
$s4 = "\"mode=list\"" ascii
$s5 = "\"mode=domain\"" ascii
$s6 = "\"mode=black\"" ascii
$s7 = "\"mode=newD&d=\"" ascii
$mark1 = "chrome.runtime.onMessage.addListener" ascii
$mark2 = "chrome.webNavigation.onCompleted.addListener" ascii
$enc1 = "function BSue(string){" ascii
$enc2 = "function BSE(input){" ascii
$enc3 = "function bin2hex(byteArray)" ascii
$xhr1 = ".send(\"mode=cd1" ascii
$xhr2 = ".send(\"mode=black" ascii
$xhr3 = ".send(\"mode=domain" ascii
$xhr4 = ".send(\"mode=list" ascii
$manifest1 = "\"description\":\"advanced font\"," ascii
$manifest2 = "\"scripts\":[\"bg.js\"]" ascii
$manifest3 = "\"devtools_page\":\"dev.html\"" ascii
condition:
(
5 of ($s*) and
all of ($mark*)
) or
all of ($enc*) or
3 of ($xhr*) or
2 of ($manifest*)
}