// For feedback or questions contact us at: github@eset.com // https://github.com/eset/malware-ioc/ // // These YARA rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2021, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
//

import "pe"

// Shared pre-filter used by every family rule below. It describes a native IIS
// module in general (the description says so explicitly: clean or malicious), so
// it is private and never fires on its own; the family rules AND it with their
// own indicators. Requirements: an MZ header (0x5A4D = "MZ" little-endian), an
// exported RegisterModule symbol, and at least one CHttpModule / CGlobalModule
// notification name ($e1 is the log message emitted when a module subscribes).
private rule IIS_Native_Module
{
    meta:
        description = "Signature to match an IIS native module (clean or malicious)"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $e1  = "This module subscribed to event"

        // CHttpModule request-pipeline notification handlers
        $e2  = "CHttpModule::OnBeginRequest"
        $e3  = "CHttpModule::OnPostBeginRequest"
        $e4  = "CHttpModule::OnAuthenticateRequest"
        $e5  = "CHttpModule::OnPostAuthenticateRequest"
        $e6  = "CHttpModule::OnAuthorizeRequest"
        $e7  = "CHttpModule::OnPostAuthorizeRequest"
        $e8  = "CHttpModule::OnResolveRequestCache"
        $e9  = "CHttpModule::OnPostResolveRequestCache"
        $e10 = "CHttpModule::OnMapRequestHandler"
        $e11 = "CHttpModule::OnPostMapRequestHandler"
        $e12 = "CHttpModule::OnAcquireRequestState"
        $e13 = "CHttpModule::OnPostAcquireRequestState"
        $e14 = "CHttpModule::OnPreExecuteRequestHandler"
        $e15 = "CHttpModule::OnPostPreExecuteRequestHandler"
        $e16 = "CHttpModule::OnExecuteRequestHandler"
        $e17 = "CHttpModule::OnPostExecuteRequestHandler"
        $e18 = "CHttpModule::OnReleaseRequestState"
        $e19 = "CHttpModule::OnPostReleaseRequestState"
        $e20 = "CHttpModule::OnUpdateRequestCache"
        $e21 = "CHttpModule::OnPostUpdateRequestCache"
        $e22 = "CHttpModule::OnLogRequest"
        $e23 = "CHttpModule::OnPostLogRequest"
        $e24 = "CHttpModule::OnEndRequest"
        $e25 = "CHttpModule::OnPostEndRequest"
        $e26 = "CHttpModule::OnSendResponse"
        $e27 = "CHttpModule::OnMapPath"
        $e28 = "CHttpModule::OnReadEntity"
        $e29 = "CHttpModule::OnCustomRequestNotification"
        $e30 = "CHttpModule::OnAsyncCompletion"

        // CGlobalModule server-level notification handlers
        $e31 = "CGlobalModule::OnGlobalStopListening"
        $e32 = "CGlobalModule::OnGlobalCacheCleanup"
        $e33 = "CGlobalModule::OnGlobalCacheOperation"
        $e34 = "CGlobalModule::OnGlobalHealthCheck"
        $e35 = "CGlobalModule::OnGlobalConfigurationChange"
        $e36 = "CGlobalModule::OnGlobalFileChange"
        $e37 = "CGlobalModule::OnGlobalApplicationStart"
        $e38 = "CGlobalModule::OnGlobalApplicationResolveModules"
        $e39 = "CGlobalModule::OnGlobalApplicationStop"
        $e40 = "CGlobalModule::OnGlobalRSCAQuery"
        $e41 = "CGlobalModule::OnGlobalTraceEvent"
        $e42 = "CGlobalModule::OnGlobalCustomNotification"
        $e43 = "CGlobalModule::OnGlobalThreadCleanup"
        $e44 = "CGlobalModule::OnGlobalApplicationPreload"

    condition:
        // The cheap header check runs before the pe module export lookup.
        uint16(0) == 0x5A4D and pe.exports("RegisterModule") and any of ($e*)
}

// Group 1: IIS-Raid derivatives. The $s strings are the three-letter command
// tokens plus cmd.exe / credwiz.exe; each token alone is a very short, common
// atom, so the condition requires three of them AND at least one $p indicator
// (temp-file paths and header-style names specific to this family).
rule IIS_Group01_IISRaid
{
    meta:
        description = "Detects Group 1 native IIS malware family (IIS-Raid derivates)"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $s1  = "cmd.exe" ascii wide
        $s2  = "CMD"
        $s3  = "PIN"
        $s4  = "INJ"
        $s5  = "DMP"
        $s6  = "UPL"
        $s7  = "DOW"
        $s8  = "C:\\Windows\\System32\\credwiz.exe" ascii wide

        $p1  = "C:\\Windows\\Temp\\creds.db"
        $p2  = "C:\\Windows\\Temp\\thumbs.db"
        $p3  = "C:\\Windows\\Temp\\AAD30E0F.tmp"
        $p4  = "X-Chrome-Variations"
        $p5  = "X-Cache"
        $p6  = "X-Via"
        $p7  = "COM_InterProt"
        $p8  = "X-FFEServer"
        $p9  = "X-Content-Type-Options"
        $p10 = "Strict-Transport-Security"
        $p11 = "X-Password"
        $p12 = "XXXYYY-Ref"
        $p13 = "X-BLOG"
        $p14 = "X-BlogEngine"

    condition:
        IIS_Native_Module and 3 of ($s*) and any of ($p*)
}

// Group 2. $s2/$s3 are the module's own parameter-parsing regexes stored as
// literal text (the doubled backslash is YARA escaping, not a YARA regex);
// $s5 is a full build-machine PDB path. $s6 looks like an RTTI type-descriptor
// fragment (the "AV" prefix) — presumed, not confirmed here.
rule IIS_Group02
{
    meta:
        description = "Detects Group 2 native IIS malware family"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $s1 = "HttpModule.pdb" ascii wide
        $s2 = "([\\w+%]+)=([^&]*)"
        $s3 = "([\\w+%]+)=([^!]*)"
        $s4 = "cmd.exe"
        $s5 = "C:\\Users\\Iso\\Documents\\Visual Studio 2013\\Projects\\IIS 5\\x64\\Release\\Vi.pdb" ascii wide
        $s6 = "AVRSAFunction"

    condition:
        IIS_Native_Module and 3 of ($s*)
}

// Group 3. Two of the four strings ($s2, $s3) are plain Win32 API names that
// many benign binaries import, so the 3-of threshold effectively needs the
// module name or the X-Cookie header as well.
rule IIS_Group03
{
    meta:
        description = "Detects Group 3 native IIS malware family"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $s1 = "IIS-Backdoor.dll"
        $s2 = "CryptStringToBinaryA"
        $s3 = "CreateProcessA"
        $s4 = "X-Cookie"

    condition:
        IIS_Native_Module and 3 of ($s*)
}

// Group 4: RGDoor. The session-cookie marker $i1 is sufficient on its own;
// otherwise every $s command keyword (note the trailing "$") must be present.
rule IIS_Group04_RGDoor
{
    meta:
        description = "Detects Group 4 native IIS malware family (RGDoor)"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        reference   = "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $i1 = "RGSESSIONID="
        $s2 = "upload$"
        $s3 = "download$"
        $s4 = "cmd$"
        $s5 = "cmd.exe"

    condition:
        IIS_Native_Module and ($i1 or all of ($s*))
}

// Group 5: IIStealer. $s1-$s4 are fixed 16-character tokens; $s6-$s8 are the
// checkout/privacy page paths the module watches; $s11/$s12 are the same two
// paths built on the stack as UTF-16 immediates (mov dword [reg+disp], imm32,
// one displacement step of 4 per two characters). $s10 "POST" is generic and
// only contributes toward the 3-of threshold.
rule IIS_Group05_IIStealer
{
    meta:
        description = "Detects Group 5 native IIS malware family (IIStealer)"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $s1  = "tojLrGzFMbcDTKcH" ascii wide
        $s2  = "4vUOj3IutgtrpVwh" ascii wide
        $s3  = "SoUnRCxgREXMu9bM" ascii wide
        $s4  = "9Zr1Z78OkgaXj1Xr" ascii wide
        $s5  = "cache.txt" ascii wide
        $s6  = "/checkout/checkout.aspx" ascii wide
        $s7  = "/checkout/Payment.aspx" ascii wide
        $s8  = "/privacy.aspx"
        $s9  = "X-IIS-Data"
        $s10 = "POST"

        // string stacking of "/checkout/checkout.aspx"
        $s11 = {C7 ?? CF 2F 00 63 00 C7 ?? D3 68 00 65 00 C7 ?? D7 63 00 6B 00 C7 ?? DB 6F 00 75 00 C7 ?? DF 74 00 2F 00 C7 ?? E3 63 00 68 00 C7 ?? E7 65 00 63 00 C7 ?? EB 6B 00 6F 00 C7 ?? EF 75 00 74 00 C7 ?? F3 2E 00 61 00 C7 ?? F7 73 00 70 00 C7 ?? FB 78 00 00 00}

        // string stacking of "/privacy.aspx"
        $s12 = {C7 ?? AF 2F 00 70 00 C7 ?? B3 72 00 69 00 C7 ?? B7 76 00 61 00 C7 ?? BB 63 00 79 00 C7 ?? BF 2E 00 61 00 C7 ?? C3 73 00 70 00 C7 ?? C7 78 00 00 00}

    condition:
        IIS_Native_Module and 3 of ($s*)
}

// Group 6: ISN. Indicators are the module's own "isn7" status/log messages,
// its export-style name $s6, a developer source path and the DLL name.
rule IIS_Group06_ISN
{
    meta:
        description = "Detects Group 6 native IIS malware family (ISN)"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        reference   = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $s1 = "isn7 config reloaded"
        $s2 = "isn7 config NOT reloaded, not found or empty"
        $s3 = "isn7 log deleted"
        $s4 = "isn7 log not deleted, ERROR 0x%X"
        $s5 = "isn7 log NOT found"
        $s6 = "isn_reloadconfig"
        $s7 = "D:\\soft\\Programming\\C++\\projects\\isapi\\isn7"
        $s8 = "get POST failed %d"
        $s9 = "isn7.dll"

    condition:
        IIS_Native_Module and 3 of ($s*)
}

// Group 7: IISpy. $s strings are the command/credential paths, a format string
// and two impersonation / network-share API names; $t strings are request
// headers plus the PNG signature and IEND chunk. "Cookie" ($t4) alone is very
// common, so the $t group is a weak second factor; the 2-of-$s clause carries
// the rule.
rule IIS_Group07_IISpy
{
    meta:
        description = "Detects Group 7 native IIS malware family (IISpy)"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $s1 = "/credential/username"
        $s2 = "/credential/password"
        $s3 = "/computer/domain"
        $s4 = "/computer/name"
        $s5 = "/password"
        $s6 = "/cmd"
        $s7 = "%.8s%.8s=%.8s%.16s%.8s%.16s"
        $s8 = "ImpersonateLoggedOnUser"
        $s9 = "WNetAddConnection2W"

        $t1 = "X-Forwarded-Proto"
        $t2 = "Sec-Fetch-Mode"
        $t3 = "Sec-Fetch-Site"
        $t4 = "Cookie"
        // PNG IEND
        $t5 = {49 45 4E 44 AE 42 60 82}
        // PNG HEADER
        $t6 = {89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52}

    condition:
        IIS_Native_Module and 2 of ($s*) and any of ($t*)
}

// Group 8. One $i module name / version tag is mandatory; the $s strings are
// operator-facing status messages plus eight fixed 16-hex-character tokens
// ($s13-$s20, purpose not documented here). "Cmd" ($s1) is a very short atom.
rule IIS_Group08
{
    meta:
        description = "Detects Group 8 native IIS malware family"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $i1  = "FliterSecurity.dll"
        $i2  = "IIS7NativeModule.dll"
        $i3  = "Ver1.0."

        $s1  = "Cmd"
        $s2  = "Realy path : %s"
        $s3  = "Logged On Users : %d"
        $s4  = "Connect OK!"
        $s5  = "You are fucked!"
        $s6  = "Shit!Error"
        $s7  = "Where is the God!!"
        $s8  = "Shit!Download False!"
        $s9  = "Good!Run OK!"
        $s10 = "Shit!Run False!"
        $s11 = "Good!Download OK!"
        $s12 = "[%d]safedog"
        $s13 = "ed81bfc09d069121"
        $s14 = "a9478ef01967d190"
        $s15 = "af964b7479e5aea2"
        $s16 = "1f9e6526bea65b59"
        $s17 = "2b9e9de34f782d31"
        $s18 = "33cc5da72ac9d7bb"
        $s19 = "b1d71f4c2596cd55"
        $s20 = "101fb9d9e86d9e6c"

    condition:
        IIS_Native_Module and 1 of ($i*) and 3 of ($s*)
}

// Group 9. Strings carrying the "xor" modifier are matched under every
// single-byte XOR key, because the family stores its keyword lists and C2 URLs
// obfuscated. $i2 is sixteen 0x56 bytes; $i3-$i5 are search-engine / crawler
// user-agent keyword lists (note the shared "FliterSecurity.dll" name with
// Group 8). The URLs in $s8-$s25 are cut after ".c", presumably so several
// top-level domains match; $s1 looks like an RTTI type-descriptor fragment.
rule IIS_Group09
{
    meta:
        description = "Detects Group 9 native IIS malware family"
        author      = "ESET Research"
        date        = "2021-08-04"
        reference   = "https://www.welivesecurity.com/"
        source      = "https://github.com/eset/malware-ioc/"
        license     = "BSD 2-Clause"
        version     = "1"

    strings:
        $i1  = "FliterSecurity.dll"
        $i2  = {56565656565656565656565656565656}
        $i3  = "app|hot|alp|svf|fkj|mry|poc|doc|20" xor
        $i4  = "yisouspider|yisou|soso|sogou|m.sogou|sogo|sogou|so.com|baidu|bing|360" xor
        $i5  = "baidu|m.baidu|soso|sogou|m.sogou|sogo|sogou|so.com|google|youdao" xor
        $i6  = "118|abc|1go|evk" xor

        $s1  = "AVCFuckHttpModuleFactory"
        $s2  = "X-Forward"
        $s3  = "fuck32.dat"
        $s4  = "fuck64.dat"
        $s5  = "&ipzz1="
        $s6  = "&ipzz2="
        $s7  = "&uuu="
        $s8  = "http://20.3323sf.c" xor
        $s9  = "http://bj.whtjz.c" xor
        $s10 = "http://bj2.wzrpx.c" xor
        $s11 = "http://cs.whtjz.c" xor
        $s12 = "http://df.e652.c" xor
        $s13 = "http://dfcp.yyphw.c" xor
        $s14 = "http://es.csdsx.c" xor
        $s15 = "http://hz.wzrpx.c" xor
        $s16 = "http://id.3323sf.c" xor
        $s17 = "http://qp.008php.c" xor
        $s18 = "http://qp.nmnsw.c" xor
        $s19 = "http://sc.300bt.c" xor
        $s20 = "http://sc.wzrpx.c" xor
        $s21 = "http://sf2223.c" xor
        $s22 = "http://sx.cmdxb.c" xor
        $s23 = "http://xpq.0660sf.c" xor
        $s24 = "http://xsc.b1174.c" xor
        $s25 = "http://xsc.b1174.c" xor

    condition:
        IIS_Native_Module and any of ($i*) and 3 of ($s*)
}

// Group 10 (rule continues past this point).
rule IIS_Group10
{
    meta:
        description = "Detects Group 10 native IIS malware family"
        author      = "ESET Research"
        date        =
"2021-08-04" reference = "https://www.welivesecurity.com/" source = "https://github.com/eset/malware-ioc/" license = "BSD 2-Clause" version = "1" strings: $s1 = "IIS7.dll" $s2 = "