/* Yara Rule Set Author: Florian Roth Date: 2017-02-03 Identifier: ZeroT CN APT */ /* Rule Set ----------------------------------------------------------------- */ rule PP_CN_APT_ZeroT_1 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0" id = "c16f3abb-ac7e-5d5f-b8d7-b105cff3886e" strings: $s1 = "suprise.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule PP_CN_APT_ZeroT_2 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df" id = "8433216e-1189-568c-bd18-051fb1fec215" strings: $s1 = "NO2-2016101902.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule PP_CN_APT_ZeroT_3 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2" id = "99aa29cf-d962-5a3d-bd28-6486c40822bb" strings: $s1 = "/svchost.exe" fullword ascii $s2 = "RasTls.dll" fullword ascii $s3 = "20160620.htm" fullword ascii $s4 = "* $l&$" fullword ascii $s5 = "dfjhmh" fullword ascii $s6 = "/20160620.htm" fullword ascii condition: ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them ) or ( all of them ) } rule PP_CN_APT_ZeroT_4 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8" id = "b21961ee-d346-51d3-bacd-02554240162d" strings: $s1 = "Mcutil.dll" fullword ascii $s2 = "mcut.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule PP_CN_APT_ZeroT_5 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d" id = "2a7c6a36-aace-562e-bbc4-425c1d93fab1" strings: $x1 = "dbozcb" fullword ascii $s1 = "nflogger.dll" fullword ascii $s2 = "/svchost.exe" fullword ascii $s3 = "1207.htm" fullword ascii $s4 = "/1207.htm" fullword ascii condition: ( uint16(0) == 0x5449 and filesize < 1000KB and 1 of ($x*) and 1 of ($s*) ) or ( all of them ) } rule PP_CN_APT_ZeroT_6 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3" id = "2e3bb4bd-5e20-56e7-a82b-d717d83eaeeb" strings: $s1 = "jGetgQ|0h9=" fullword ascii $s2 = "\\sfxrar32\\Release\\sfxrar.pdb" condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule PP_CN_APT_ZeroT_7 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478" id = "e9cdca86-84a8-5673-935c-c319b523674b" strings: $s1 = "RasTls.dll" fullword ascii $s2 = "RasTls.exe" fullword ascii $s4 = "LOADER ERROR" fullword ascii $s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule PP_CN_APT_ZeroT_8 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff" id = "f9a4f092-c699-5e91-9667-64ffe1b02bc1" strings: $s1 = "/svchost.exe" fullword ascii $s2 = "RasTls.dll" fullword ascii $s3 = "20160620.htm" fullword ascii $s4 = "/20160620.htm" fullword ascii condition: ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them ) } rule PP_CN_APT_ZeroT_9 { meta: description = "Detects malware from the Proofpoint CN APT ZeroT incident" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-03" hash1 = "a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0" id = "e1c32993-409c-5a62-8239-cff99fb83a7f" strings: $x1 = "nflogger.dll" fullword ascii $s7 = "Zlh.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule CN_APT_ZeroT_nflogger { meta: description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-04" hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10" id = "0d23f312-e3b6-5c23-855b-25ae54265512" strings: $x1 = "\\LoaderDll.VS2010\\Release\\" ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule CN_APT_ZeroT_extracted_Go { meta: description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-04" modified = "2023-01-06" hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b" id = "ba929e6d-4162-58e7-b8a8-bcb066b64522" strings: $x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii $x2 = "\\BypassUAC.VS2010\\Release\\" ascii $s1 = "Zjdsf.exe" fullword ascii $s2 = "SS32prep.exe" fullword ascii $s3 = "windowsgrep.exe" fullword ascii $s4 = "Sysdug.exe" fullword ascii $s5 = "Proessz.exe" fullword ascii $s6 = "%s\\Zlh.exe" fullword ascii $s7 = "/C %s\\%s" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them ) } rule CN_APT_ZeroT_extracted_Mcutil { meta: description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-04" hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500" id = "c887d36b-8aeb-54f1-a683-727561723238" strings: $s1 = "LoaderDll.dll" fullword ascii $s2 = "QageBox1USER" fullword ascii $s3 = "xhmowl" fullword ascii $s4 = "?KEYKY" fullword ascii $s5 = "HH:mm:_s" fullword ascii $s6 = "=licni] has maX0t" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them ) } rule CN_APT_ZeroT_extracted_Zlh { meta: description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" date = "2017-02-04" hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705" id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e" strings: $s1 = "nflogger.dll" fullword wide $s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii $s3 = "_StartZlhh(): Executed \"%s\"" ascii $s4 = "Executable: '%s' (%s) %i" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them ) }