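// FE_LEGALSTRIKE ruleset (FireEye, 2017-06-02): three rules for the macro and
// RTF lures described in the referenced blog post.  Reformatted from a copy
// that had been collapsed onto two lines.  Two compile-level repairs were made
// and are called out inline: the `reference` meta entries were written as
// `reference: https://...` (colon, no quotes), which YARA's meta grammar does
// not accept, and the second rule's description literal was split across a raw
// line break.  All detection strings are otherwise as published, with one
// case-sensitivity fix in $obreg2 (documented below).

rule FE_LEGALSTRIKE_MACRO
{
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
        // Source had `reference: https://...`; meta values must be `key = "value"`.
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"

    strings:
        // OBSFUCATION -- literal ChrW() concatenation fragments lifted from the
        // sample.  `ascii wide` also covers UTF-16LE copies of the macro text.
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide

        // Generic forms of the concatenation.  `\w{5}` cannot match `ChrW(`
        // (the parenthesis is not a word character), so $obreg1 targets runs
        // of eight 5-character identifiers joined by ` & `, not the ChrW()
        // form above.
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        // Fixed: the published regex read `Chrw` (lower-case w).  YARA regexes
        // are case-sensitive unless marked `nocase`, so it could never match
        // the `ChrW` spelling that every $ob* literal uses.
        $obreg2 = /(ChrW\(\d{1,3}\)\s&\s){7}/

        // wscript -- shell object creation and the Run call.
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide

    condition:
        // Exclude PE files (MZ header).  `and` binds tighter than `or`, so the
        // original unparenthesised condition reads as the two groups below;
        // parentheses added for readability only.  Note the `$ob*` wildcard
        // also matches $obreg1/$obreg2, so they count toward "3 of ($ob*)".
        (uint16(0) != 0x5A4D)
        and
        (
            (all of ($wsobj*) and 3 of ($ob*))
            or
            (all of ($wsobj*) and all of ($obreg*))
        )
}

rule FE_LEGALSTRIKE_MACRO_2
{
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        // The source copy broke this literal across a raw line break (which
        // YARA rejects as an unterminated string) at "XLSX file3a1dca..."; it
        // is rejoined here with a single space.
        description = "This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4."
        // Source had `reference: https://...`; meta values must be `key = "value"`.
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"

    strings:
        // Setting the environment -- architecture probe, %windir% lookup and the
        // SysWOW64 PowerShell path exactly as concatenated in the sample.
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide

        // powershell command fragments -- switches and the stream/compression
        // classes used to inflate a base64 payload.  Individually these are
        // common; the condition requires several together with all $env*.
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide

        // A non-word character, an identifier, whitespace, then a double-quoted
        // string.  `.+` is greedy, so the match runs to the last closing quote
        // it can reach.
        $psregex1 = /\W\w+\s+\s\".+\"/

    condition:
        // Exclude PE files.  Same precedence note as above; parentheses are
        // for readability only.  The `$ps*` wildcard also matches $psregex1,
        // so it counts toward the "6 of" / "4 of" thresholds.
        (uint16(0) != 0x5A4D)
        and
        (
            (all of ($env*) and 6 of ($ps*))
            or
            (all of ($env*) and 4 of ($ps*) and all of ($psregex*))
        )
}

rule FE_LEGALSTRIKE_RTF
{
    meta:
        version = ".1"
        // NOTE(review): left as published, but this rule matches RTF documents,
        // not a macro; consumers filtering on `filetype` may want "RTF".
        filetype = "MACRO"
        author = "joshua.kim@FireEye.com"
        date = "2017-06-02"
        description = "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
        // Source had `reference: https://...`; meta values must be `key = "value"`.
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"

    strings:
        // RTF header `{\rt` (backslash escaped for YARA); pinned to offset 0
        // in the condition.
        $header = "{\\rt"
        // Hex-encoded OLE artefacts as they appear inside the RTF object data:
        // UTF-16LE "LinkInfo", ASCII "OLE2Link", UTF-16LE "Root Entry",
        // UTF-16LE "ObjInfo", UTF-16LE "Ole".
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"
        // Hex pairs each followed by `{`, i.e. the URL text broken up by RTF
        // groups.  0x68/0x74 are `h`/`t`.
        // NOTE(review): `07` is not the hex of `p` (which would be `70`);
        // confirm against the sample before changing it.
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"
        // 2bunny.com -- the bytes of the domain, each followed by `{\`.
        // (0x6e `n` appears once since both n's are the same string.)
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"
        // `\*\datastore` destination group.
        $datastore = "\\*\\datastore"

    condition:
        // All $http*/$domain* strings are only 3-4 bytes; YARA will warn that
        // such short atoms slow scanning.  They are kept because `all of them`
        // requires every string, which keeps the rule specific.
        $header at 0 and all of them
}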