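include "../../MachO.yara"

// Sofacy / APT28 XAgent backdoor for macOS (XAgentOSX).
// Detection is built from four independent signals: the Objective-C
// selector/class names of the implant's command modules ($a*), strings unique
// to the implant's build ($b*), its hard-coded C2 hosts ($c*) and the URL
// path/parameter vocabulary it uses to reach them ($d*, $e*).
// `MachO` is defined in the included MachO.yara and restricts the rule to
// Mach-O binaries.
rule malware_macos_apt_sofacy_xagent
{
    meta:
        description = "sofacy xagent for macOS"
        reference_1 = "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
        reference_2 = "https://blog.malwarebytes.com/cybercrime/2017/03/two-new-mac-backdoors-discovered/"
        author = "@mimeframe"
        md5 = "4fe4b9560e99e33dabca553e2eeee510"

    strings:
        // malware commands (method / class names of the implant's modules).
        // Several are generic on their own ("Keylogger", "InjectApp"), hence the
        // 5-of quorum in the condition.
        $a1 = "remoteShell" ascii wide
        $a2 = "getInfoOSX" ascii wide
        $a3 = "ftpUpload" ascii wide
        $a4 = "startUploading" ascii wide
        $a5 = "deleteFile:" ascii wide
        $a6 = "executeShellCommand" ascii wide
        $a7 = "getFirefoxPassword" ascii wide
        $a8 = "generateRandomPathAndName" ascii wide
        $a9 = "createCryptPacket" ascii wide
        $a10 = "CameraShot" ascii wide
        $a11 = "7Cryptor" ascii wide
        $a12 = "8ICryptor" ascii wide
        $a13 = "Keylogger" ascii wide
        $a14 = "BootXLoader" ascii wide
        $a15 = "InjectApp" ascii wide

        // unique malware strings
        $b1 = "/Project/XAgentOSX/" ascii wide
        $b2 = "XLoader_OSX" fullword ascii wide
        // $b3, $b4 and $b5 were empty literals ("") in the text this rule was
        // recovered from. An empty string is a YARA compile error, so they are
        // disabled until the values can be restored from the upstream source.
        // $b3 = "<PLACEHOLDER: string lost in extraction>" ascii wide
        // $b4 = "<PLACEHOLDER: string lost in extraction>" ascii wide
        // $b5 = "<PLACEHOLDER: string lost in extraction>" ascii wide
        // The recovered text had line breaks around this literal; a literal
        // newline is not allowed inside a YARA string, so it is restored as a
        // single line. Confirm against upstream whether "\n" escapes were intended.
        $b6 = "Stop take screenshot" ascii wide

        // c2 domains (any one is sufficient on its own)
        $c1 = "http://23.227.196.215/" ascii wide
        $c2 = "http://apple-iclods.org/" ascii wide
        $c3 = "http://apple-checker.org/" ascii wide
        $c4 = "http://apple-uptoday.org/" ascii wide
        $c5 = "http://apple-search.info" ascii wide

        // c2 URL paths. "search/?" was listed twice ($d2 and $d6), which let a
        // single hit count twice towards "4 of ($d*)"; de-duplicated, so the
        // threshold now requires four distinct paths.
        $d1 = "watch/?" fullword ascii wide
        $d2 = "search/?" fullword ascii wide
        $d3 = "find/?" fullword ascii wide
        $d4 = "results/?" fullword ascii wide
        $d5 = "open/?" fullword ascii wide
        $d6 = "close/?" fullword ascii wide

        // c2 URL parameters. "itwm=" was listed three times ($e1, $e4, $e8), so
        // "5 of ($e*)" could be satisfied by three distinct parameters;
        // de-duplicated, so the threshold now requires five distinct ones.
        // These look like ordinary search-engine query parameters, which is why
        // a quorum rather than any single hit is required.
        $e1 = "itwm=" fullword ascii wide
        $e2 = "text=" fullword ascii wide
        $e3 = "from=" fullword ascii wide
        $e4 = "ags=" fullword ascii wide
        $e5 = "btnG=" fullword ascii wide
        $e6 = "oprnd=" fullword ascii wide
        $e7 = "utm=" fullword ascii wide
        $e8 = "channel=" fullword ascii wide

    condition:
        // Unique implant strings and C2 hosts are strong enough alone; the
        // generic-looking command names and URL fragments need a quorum of
        // distinct hits (all string sets are now duplicate-free).
        MachO and (
            5 of ($a*) or
            any of ($b*) or
            any of ($c*) or
            4 of ($d*) or
            5 of ($e*)
        )
}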