// For feedback or questions contact us at: github@eset.com // https://github.com/eset/malware-ioc/ // // These YARA rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2020, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // rule APT_MAL_LNX_Kobalos { meta: description = "Kobalos malware" author = "Marc-Etienne M.Leveille" date = "2020-11-02" reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/" source = "https://github.com/eset/malware-ioc/" license = "BSD 2-Clause" version = "1" id = "dfa47e30-c093-57f6-af01-72a2534cc6f4" strings: $encrypted_strings_sizes = { 05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00 08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00 } $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C } $rsa_512_mod_header = { 10 11 02 00 09 02 00 } $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE } condition: uint16(0) == 0x457f and /* modification by Florian Roth to avoid false posirives */ any of them } rule APT_MAL_LNX_Kobalos_SSH_Credential_Stealer { meta: description = "Kobalos SSH credential stealer seen in OpenSSH client" author = "Marc-Etienne M.Leveille" date = "2020-11-02" reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/" source = "https://github.com/eset/malware-ioc/" license = "BSD 2-Clause" version = "1" id = "0f923f92-c5d8-500d-9a2e-634ca7945c5c" strings: $ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s" condition: uint16(0) == 0x457f and /* modification by Florian Roth to avoid false posirives */ any of them }