// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2018, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
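//

// ---------------------------------------------------------------------------
// Private gating rules.
//
// Each `ssh_*` rule recognises one OpenSSH tool (clean or trojanized) from its
// usage/log strings. `ssh_binary` ORs them together and every family rule
// below is conjoined with it, so the family strings are only evaluated on
// files that already look like an SSH component. Private rules are never
// reported on their own.
//
// Review changes versus the published text:
//   - ssh_askpass.description said "OpenSSH daemon (sshd)" (copy/paste from
//     ssh_daemon); corrected to name ssh-askpass.
//   - mimban: the condition referenced an undeclared string ($daemon) and the
//     $s2 regex was closed with `"` instead of `/`, so the file did not
//     compile. See the NOTE(review) on that rule.
// ---------------------------------------------------------------------------

private rule ssh_client : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH client (ssh)"
        author = "Marc-Etienne M.Leveille"
        email = "leveille@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: ssh ["
        // fallback usage fragment; identifier indicates it targets older releases
        $old_version = "-L listen-port:host:port"

    condition:
        $usage or $old_version
}

private rule ssh_daemon : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH daemon (sshd)"
        author = "Marc-Etienne M.Leveille"
        email = "leveille@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: sshd ["
        // fallback usage fragment; identifier indicates it targets older releases
        $old_version = "Listen on the specified port (default: 22)"

    condition:
        $usage or $old_version
}

private rule ssh_add : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH add (ssh-add)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // the usage line alone is generic ("%s [options] [file ...]"), hence
        // the conjunction with an ssh-add specific error message below
        $usage = "usage: %s [options] [file ...]\n"
        $log = "Could not open a connection to your authentication agent.\n"

    condition:
        $usage and $log
}

private rule ssh_agent : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH agent (ssh-agent)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: %s [options] [command [arg ...]]"

    condition:
        $usage
}

private rule ssh_askpass : sshdoor {
    meta:
        // description corrected: the original text named sshd (copy/paste)
        description = "Signature to match the clean (or not) OpenSSH askpass (ssh-askpass)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $pass = "Enter your OpenSSH passphrase:"
        $log = "Could not grab %s. A malicious client may be eavesdropping on you"

    condition:
        $pass and $log
}

private rule ssh_keygen : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH keygen (ssh-keygen)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $pass = "Enter new passphrase (empty for no passphrase):"
        $log = "revoking certificates by key ID requires specification of a CA key"

    condition:
        $pass and $log
}

private rule ssh_keyscan : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH keyscan (ssh-keyscan)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]"

    condition:
        $usage
}

private rule ssh_binary : sshdoor {
    meta:
        description = "Signature to match any clean (or not) SSH binary"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"

    // Gate for every family rule below.
    // NOTE(review): ssh_agent is declared above but not included here, so a
    // trojanized ssh-agent on its own cannot satisfy any family rule. Kept as
    // published; confirm whether the omission is intentional before widening.
    condition:
        ssh_client or ssh_daemon or ssh_add or ssh_askpass or ssh_keygen or ssh_keyscan
}

private rule stack_string {
    meta:
        description = "Rule to detect use of string-stacking"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    // String-stacking: a string is assembled at run time by a long run of
    // immediate stores to the stack frame, so it never appears as a contiguous
    // literal for `strings`-style extraction. Each pattern below is a run of
    // x86 `mov [frame+disp], imm` instructions; the repetition counts ({25}/{20})
    // are the thresholds that separate deliberate stacking from ordinary locals
    // initialisation. Only used by `atollon`.
    strings:
        // single byte offset from base pointer
        // C6 45 disp8 imm8  ->  mov byte ptr [ebp+disp8], imm8
        $bp = /(\xC6\x45.{2}){25}/
        // dword ss with single byte offset from base pointer
        // C7 45 disp8 imm32  ->  mov dword ptr [ebp+disp8], imm32
        $bp_dw = /(\xC7\x45.{5}){20}/
        // 4-bytes offset from base pointer
        // C6 85 disp32 imm8  ->  mov byte ptr [ebp+disp32], imm8
        $bp_off = /(\xC6\x85.{5}){25}/
        // single byte offset from stack pointer
        // C6 44 24 disp8 imm8  ->  mov byte ptr [esp+disp8], imm8
        $sp = /(\xC6\x44\x24.{2}){25}/
        // 4-bytes offset from stack pointer
        // C6 84 24 disp32 imm8  ->  mov byte ptr [esp+disp32], imm8
        $sp_off = /(\xC6\x84\x24.{5}){25}/

    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Family rules. Each matches a backdoored OpenSSH build by the format string
// it uses to record or exfiltrate captured credentials, plus family-specific
// artefacts. All are gated on `ssh_binary`.
//
// Triage note: several rules (bespin, borleias, coruscant, crait) depend on
// format strings or libc symbols that are individually common; the ssh_binary
// gate keeps them usable, but hits on distro-patched builds should be
// validated (compare against the package's known-good binary) before action.
// ---------------------------------------------------------------------------

rule abafar {
    meta:
        description = "Rule to detect Abafar family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // _c / _d suffixes: client-side and daemon-side log formats
        $log_c = "%s:%s@%s"
        $log_d = "%s:%s from %s"

    condition:
        ssh_binary and any of them
}

rule akiva {
    meta:
        description = "Rule to detect Akiva family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = /(To|From):\s(%s\s\-\s)?%s:%s\n/

    condition:
        ssh_binary and $log
}

rule alderaan {
    meta:
        description = "Rule to detect Alderaan family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = /login\s(in|at):\s(%s\s)?%s:%s\n/

    condition:
        ssh_binary and $log
}

rule ando {
    meta:
        description = "Rule to detect Ando family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $s1 = "%s:%s\n"
        $s2 = "HISTFILE"
        // either a direct file write ($i) or the shell/mail pair ($m*) must be
        // present alongside both $s strings; presumably two exfiltration
        // variants of the same family - confirm against the reference
        $i = "fopen64"
        $m1 = "cat "
        $m2 = "mail -s"

    condition:
        ssh_binary and all of ($s*) and ($i or all of ($m*))
}

rule anoat {
    meta:
        description = "Rule to detect Anoat family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = "%s at: %s | user: %s, pass: %s\n"

    condition:
        ssh_binary and $log
}

rule atollon {
    meta:
        description = "Rule to detect Atollon family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // OpenSSL public-key import plus RNG seeding from /dev/urandom;
        // $log alone is too generic, hence `all of them` and the
        // stack_string requirement in the condition
        $f1 = "PEM_read_RSA_PUBKEY"
        $f2 = "RAND_add"
        $log = "%s:%s"
        $rand = "/dev/urandom"

    condition:
        ssh_binary and stack_string and all of them
}

rule batuu {
    meta:
        description = "Rule to detect Batuu family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $args = "ssh: ~(av[%d]: %s\n)"
        $log = "readpass: %s\n"

    condition:
        ssh_binary and any of them
}

rule bespin {
    meta:
        description = "Rule to detect Bespin family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // individually weak (strftime format, generic printf formats); only
        // their co-occurrence in an SSH binary is the indicator
        $log1 = "%Y-%m-%d %H:%M:%S"
        $log2 = "%s %s%s"
        $log3 = "[%s]"

    condition:
        ssh_binary and all of them
}

rule bonadan {
    meta:
        description = "Rule to detect Bonadan family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $s1 = "g_server"
        $s2 = "mine.sock"
        $s3 = "tspeed"
        $e1 = "6106#x=%d#%s#%s#speed=%s"
        // $e2 is a network IoC: the same hostname can be pivoted into DNS and
        // egress logs for hosts where this rule fires
        $e2 = "usmars.mynetgear.com"
        $e3 = "user=%s#os=%s#eip=%s#cpu=%s#mem=%s"

    condition:
        ssh_binary and any of them
}

rule borleias {
    meta:
        description = "Rule to detect Borleias family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = "%Y-%m-%d %H:%M:%S [%s]"

    condition:
        ssh_binary and all of them
}

rule chandrila {
    meta:
        description = "Rule to detect Chandrila family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = "S%s %s:%s"
        // 4-byte constant specific to this family (meaning not documented here)
        $magic = { 05 71 92 7D }

    condition:
        ssh_binary and all of them
}

rule coruscant {
    meta:
        description = "Rule to detect Coruscant family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // credential format plus hand-rolled HTTP verbs: stock OpenSSH does not
        // speak HTTP, so $s2/$s3 inside an SSH binary are the discriminator
        $s1 = "%s:%s@%s\n"
        $s2 = "POST"
        $s3 = "HTTP/1.1"

    condition:
        ssh_binary and all of them
}

rule crait {
    meta:
        description = "Signature to detect Crait family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // libc symbol names only - the weakest rule in the set; treat a hit as
        // a lead to be confirmed, not a verdict
        $i1 = "flock"
        $i2 = "fchmod"
        $i3 = "sendto"

    condition:
        ssh_binary and 2 of them
}

rule endor {
    meta:
        description = "Rule to detect Endor family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $u = "user: %s"
        $p = "password: %s"

    // proximity check: $p must start within 20 bytes after the first
    // occurrence of $u (@u is that offset), i.e. the two formats are adjacent
    // as they would be in one log template
    condition:
        ssh_binary and $u and $p in (@u..@u+20)
}

rule jakuu {
    meta:
        description = "Rule to detect Jakuu family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        notes = "Strings can be encrypted"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // plaintext variant: HTTP GET beacon with sid/cid parameter
        $dec = /GET\s\/\?(s|c)id=/
        // encrypted-strings variant: only imports survive, so two of them are
        // required together
        $enc1 = "getifaddrs"
        $enc2 = "usleep"
        $ns = "gethostbyname"
        $log = "%s:%s"
        // 32-byte constant; presumably the RC4 key (per the identifier), which
        // stays visible even when the strings are encrypted - confirm in the
        // reference
        $rc4 = { A1 71 31 17 11 1A 22 27 55 00 66 A3 10 FE C2 10 22 32 6E 95 90 84 F9 11 73 62 95 5F 4D 3B DB DC }

    condition:
        ssh_binary and $log and $ns and ($dec or all of ($enc*) or $rc4)
}

rule kamino {
    meta:
        description = "Rule to detect Kamino family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // $s*: system log paths - stock OpenSSH has no reason to reference
        // most of these; their presence suggests log tampering (hedged: the
        // reference describes the behaviour, the rule only sees the strings)
        $s1 = "/var/log/wtmp"
        $s2 = "/var/log/secure"
        $s3 = "/var/log/auth.log"
        $s4 = "/var/log/messages"
        $s5 = "/var/log/audit/audit.log"
        $s6 = "/var/log/httpd-access.log"
        $s7 = "/var/log/httpd-error.log"
        $s8 = "/var/log/xferlog"
        // $i*: OpenSSL base64/RSA public-key import plus resolver
        $i1 = "BIO_f_base64"
        $i2 = "PEM_read_bio_RSA_PUBKEY"
        $i3 = "srand"
        $i4 = "gethostbyname"

    condition:
        ssh_binary and 5 of ($s*) and 3 of ($i*)
}

rule kessel {
    meta:
        description = "Rule to detect Kessel family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // presumably the hard-coded RC4 key (per the identifier); a single
        // hit on it is sufficient
        $rc4 = "Xee5chu1Ohshasheed1u"
        // report formats per hooked component (ssh / key / sshd)
        $s1 = "ssh:%s:%s:%s:%s"
        $s2 = "sshkey:%s:%s:%s:%s:%s"
        $s3 = "sshd:%s:%s"
        // internal function/protocol names; the tun* names hint at DNS
        // tunnelling for C&C - confirm in the reference
        $i1 = "spy_report"
        $i2 = "protoShellCMD"
        $i3 = "protoUploadFile"
        $i4 = "protoSendReport"
        $i5 = "tunRecvDNS"
        $i6 = "tunPackMSG"

    condition:
        ssh_binary and (2 of ($s*) or 2 of ($i*) or $rc4)
}

rule mimban {
    meta:
        description = "Rule to detect Mimban family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    // NOTE(review): as published, the condition referenced `$daemon`, which no
    // strings entry declares, and `$s2` opened as a regex (`/`) but closed with
    // `"` - both are compile errors in YARA. The regex terminator is repaired
    // below and the condition now uses the declared `$s*` strings, which (by
    // their `|||`-delimited record format) appear to be the daemon-side
    // counterpart of `$client`. Confirm against the upstream rule text.
    strings:
        $s1 = "<|||%s|||%s|||%d|||>"
        $s2 = />\|\|\|%s\|\|\|%s\|\|\|\d\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|%s\|\|\| %s:%s\n/
        $client = /user(,|:)(a,)?password@host \-\-> %s(,|:)(b,)?%s@%s\n/

    condition:
        ssh_binary and (any of ($s*) or $client)
}

rule polis_massa {
    meta:
        description = "Rule to detect Polis Massa family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = /\b\w+(:|\s-+>)\s%s(:%d)?\s\t(\w+)?:\s%s\s\t(\w+)?:\s%s/

    condition:
        ssh_binary and $log
}

rule quarren {
    meta:
        description = "Rule to detect Quarren family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $log = "h: %s, u: %s, p: %s\n"

    condition:
        ssh_binary and $log
}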