/* Yara Rule Set Author: Florian Roth Date: 2016-01-30 Identifier: Codoso Comment: Reduced signature set for LOKI integration */ /* Rule Set ----------------------------------------------------------------- */ rule Codoso_PlugX_3 { meta: description = "Detects Codoso APT PlugX Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3" id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2" strings: $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide $s2 = "mcs.exe" fullword ascii $s3 = "McAltLib.dll" fullword ascii $s4 = "WinRAR self-extracting archive" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1200KB and all of them } rule Codoso_PlugX_2 { meta: description = "Detects Codoso APT PlugX Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb" id = "0402a0ff-5664-52db-a739-51c5181853f8" strings: $s1 = "%TEMP%\\HID" fullword wide $s2 = "%s\\hid.dll" fullword wide $s3 = "%s\\SOUNDMAN.exe" fullword wide $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide $s5 = "%s\\HID.dllx" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them } rule Codoso_CustomTCP_4 { meta: description = "Detects Codoso APT CustomTCP Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0" hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8" hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa" hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13" id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c" strings: $x1 = "varus_service_x86.dll" fullword ascii $s1 = "/s %s /p %d /st %d /rt %d" fullword ascii $s2 = "net start %%1" fullword ascii $s3 = "ping 127.1 > nul" fullword ascii $s4 = "McInitMISPAlertEx" fullword ascii $s5 = "sc start %%1" fullword ascii $s6 = "net stop %%1" fullword ascii $s7 = "WorkerRun" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or ( $x1 and 2 of ($s*) ) } rule Codoso_CustomTCP_3 { meta: description = "Detects Codoso APT CustomTCP Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090" id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c" strings: $s1 = "DnsApi.dll" fullword ascii $s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii $s3 = "CONNECT %s:%d hTTP/1.1" ascii $s4 = "CONNECT %s:%d HTTp/1.1" ascii $s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii $s6 = "iphlpapi.dll" ascii $s7 = "%systemroot%\\Web\\" ascii $s8 = "Proxy-Authorization: Negotiate %s" ascii $s9 = "CLSID\\{%s}\\InprocServer32" ascii condition: ( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them } rule Codoso_CustomTCP_2 { meta: description = "Detects Codoso APT CustomTCP Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3" id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c" strings: $s1 = "varus_service_x86.dll" fullword ascii $s2 = "/s %s /p %d /st %d /rt %d" fullword ascii $s3 = "net start %%1" fullword ascii $s4 = "ping 127.1 > nul" fullword ascii $s5 = "McInitMISPAlertEx" fullword ascii $s6 = "sc start %%1" fullword ascii $s7 = "B_WKNDNSK^" fullword ascii $s8 = "net stop %%1" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 406KB and all of them } rule Codoso_PGV_PVID_6 { meta: description = "Detects Codoso APT PGV_PVID Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f" id = "6d1d8490-fdcb-5263-ae00-0b436e822fc3" strings: $s0 = "rundll32 \"%s\",%s" fullword ascii $s1 = "/c ping 127.%d & del \"%s\"" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 6000KB and all of them } rule Codoso_Gh0st_3 { meta: description = "Detects Codoso APT Gh0st Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd" id = "55fb17c5-ee11-55be-9af3-e9fe8d6160b5" strings: $x1 = "RunMeByDLL32" fullword ascii $s1 = "svchost.dll" fullword wide $s2 = "server.dll" fullword ascii $s3 = "Copyright ? 2008" fullword wide $s4 = "testsupdate33" fullword ascii $s5 = "Device Protect Application" fullword wide $s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */ $s7 = "mail-news.eicp.net" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them } rule Codoso_Gh0st_2 { meta: description = "Detects Codoso APT Gh0st Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841" id = "5643d028-2a76-5bce-bf2f-8be706ab1fd5" strings: $s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii $s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii $s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide $s14 = "%s -r debug 1" fullword ascii $s15 = "\\\\.\\keymmdrv1" fullword ascii $s17 = "RunMeByDLL32" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 500KB and 1 of them } rule Codoso_CustomTCP { meta: description = "Codoso CustomTCP Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8" id = "b6ed6939-db0c-5a47-8839-3337d1bc1f6c" strings: $s4 = "wnyglw" fullword ascii $s5 = "WorkerRun" fullword ascii $s7 = "boazdcd" fullword ascii $s8 = "wayflw" fullword ascii $s9 = "CODETABL" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 405KB and all of them } /* Super Rules ------------------------------------------------------------- */ rule Codoso_PGV_PVID_5 { meta: description = "Detects Codoso APT PGV PVID Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75" hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe" id = "0202d82c-c1f8-59f7-96b6-b21f21c1dc69" strings: $s1 = "/c del %s >> NUL" fullword ascii $s2 = "%s%s.manifest" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 500KB and all of them } rule Codoso_Gh0st_1 { meta: description = "Detects Codoso APT Gh0st Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841" hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8" hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297" id = "24d9e64c-4b35-5737-92ae-8ec391d494c7" strings: $x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii $x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii $x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide $x4 = "\\\\.\\keymmdrv1" fullword ascii $s1 = "spideragent.exe" fullword ascii $s2 = "AVGIDSAgent.exe" fullword ascii $s3 = "kavsvc.exe" fullword ascii $s4 = "mspaint.exe" fullword ascii $s5 = "kav.exe" fullword ascii $s6 = "avp.exe" fullword ascii $s7 = "NAV.exe" fullword ascii $c1 = "Elevation:Administrator!new:" wide $c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii $c3 = "\\sysprep\\sysprep.exe" wide $c4 = "\\sysprep\\CRYPTBASE.dll" wide $c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" fullword ascii $c6 = "ConsentPromptBehaviorAdmin" fullword ascii $c7 = "\\sysprep" wide $c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or 1 of ($x*) or 6 of ($c*) } rule Codoso_PGV_PVID_4 { meta: description = "Detects Codoso APT PlugX Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75" hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761" hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1" hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3" hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe" id = "c1c753a6-77b6-5bfb-89f9-16127c264fd0" strings: $x1 = "dropper, Version 1.0" fullword wide $x2 = "dropper" fullword wide $x3 = "DROPPER" fullword wide $x4 = "About dropper" fullword wide $s1 = "Microsoft Windows Manager Utility" fullword wide $s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii /* Goodware String - occured 9 times */ $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */ $s4 = "" fullword ascii /* Goodware String - occured 65 times */ condition: uint16(0) == 0x5a4d and filesize < 900KB and 2 of ($x*) and 2 of ($s*) } rule Codoso_PlugX_1 { meta: description = "Detects Codoso APT PlugX Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b" hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8" hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2" id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff" strings: $s1 = "GETPASSWORD1" fullword ascii $s2 = "NvSmartMax.dll" fullword ascii $s3 = "LICENSEDLG" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 800KB and all of them } rule Codoso_PGV_PVID_3 { meta: description = "Detects Codoso APT PGV PVID Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1" hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75" hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761" hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1" hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3" hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe" id = "08003dba-1201-5f74-9edd-ea321bb26e99" strings: $x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide condition: $x1 } rule Codoso_PGV_PVID_2 { meta: description = "Detects Codoso APT PGV PVID Malware" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75" hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3" hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe" id = "e4c00806-3092-5ec2-844f-b638c31fa6a5" strings: $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii $s1 = "regsvr32.exe /s \"%s\"" fullword ascii $s2 = "Help and Support" fullword ascii $s3 = "netsvcs" fullword ascii $s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */ $s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */ $s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */ condition: uint16(0) == 0x5a4d and filesize < 907KB and all of them } rule Codoso_PGV_PVID_1 { meta: description = "Detects Codoso APT PGV PVID Malware" author = "Florian Roth (Nextron Systems)" reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" date = "2016-01-30" super_rule = 1 hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824" hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3" hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7" hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266" hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1" id = "9487773a-01d9-558e-8866-b8a8650996ba" strings: $x1 = "DRIVERS\\ipinip.sys" fullword wide $s1 = "TsWorkSpaces.dll" fullword ascii $s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide $s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii $s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii $s5 = "Microsoft Chart ActiveX Control" fullword wide $s6 = "MSChartCtrl.ocx" fullword wide $s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii $s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */ $s9 = "Cookie: pgv_pvid=" ascii condition: ( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or 5 of them }