rule OSX_backdoor_EvilOSX 
{
    meta:
        description = "EvilOSX MacOS/OSX backdoor"
        author = "John Lambert @JohnLaTwC"
        reference = "https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432"
        date = "2018-02-23"
        hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a"

    strings:
        $h1 = /#!\/usr\/bin\/env\s+python/
        $s0 = "import base64" fullword ascii
        $s1 = "b64decode" fullword ascii

        //strings present in decoded python script:
        $x0 = "EvilOSX" fullword ascii
        $x1 = "get_launch_agent_directory" fullword ascii

        //Base64 encoded versions of these strings
        //EvilOSX
        $enc_x0 = /(AHYAaQBsAE8AUwBYA|dmlsT1NY|RQB2AGkAbABPAFMAWA|RXZpbE9TW|UAdgBpAGwATwBTAFgA|V2aWxPU1)/ ascii
        
        //get_launch_agent_directory
        $enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii

    condition:
        $h1 at 0
        and filesize < 30KB 
        and all of ($s*)
        and 
            1 of ($x*)
            or 1 of ($enc_x*)
}

rule OSX_backdoor_Bella
{
    meta:
        description = "Bella MacOS/OSX backdoor"
        author = "John Lambert @JohnLaTwC"
        reference = "https://twitter.com/JohnLaTwC/status/911998777182924801"
        date = "2018-02-23"
        hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"

    strings:
        $h1 = /#!\/usr\/bin\/env\s+python/

        //prereqs
        $s0 = "subprocess" fullword ascii
        $s1 = "import sys" fullword ascii
        $s2 = "shutil" fullword ascii

        $p0 = "create_bella_helpers" fullword ascii
        $p1 = "is_there_SUID_shell" fullword ascii
        $p2 = "BELLA IS NOW RUNNING" fullword ascii
        $p3 = "SELECT * FROM bella WHERE id" fullword ascii

        $subpart1_a = "inject_payloads" fullword ascii
        $subpart1_b = "check_if_payloads" fullword ascii
        $subpart1_c = "updateDB" fullword ascii

        $subpart2_a = "appleIDPhishHelp" fullword ascii
        $subpart2_b = "appleIDPhish" fullword ascii
        $subpart2_c = "iTunes" fullword ascii
    condition:
        $h1 at 0
        and filesize < 120KB 
        and @s0[1] < 100
        and @s1[1] < 100
        and @s2[1] < 100
        and 
            1 of ($p*)
            or all of ($subpart1_*)
            or all of ($subpart2_*)
}


rule persistence_agent_macos
{
    meta:
        hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"

    strings:
        $h1 = "#!/usr/bin/env python"
        $s_1= "<plist" ascii fullword
        $s_2= "ProgramArguments" ascii fullword
        $s_3= "Library" ascii fullword
        $sinterval_1= "StartInterval" ascii fullword
        $sinterval_2= "RunAtLoad" ascii fullword

        //<plist
        $e_1 = /(AHAAbABpAHMAdA|cGxpc3|PABwAGwAaQBzAHQA|PHBsaXN0|wAcABsAGkAcwB0A|xwbGlzd)/ ascii

        //ProgramArguments
        $e_2 =/(AAcgBvAGcAcgBhAG0AQQByAGcAdQBtAGUAbgB0AHMA|AHIAbwBnAHIAYQBtAEEAcgBnAHUAbQBlAG4AdABzA|Byb2dyYW1Bcmd1bWVudH|cm9ncmFtQXJndW1lbnRz|UAByAG8AZwByAGEAbQBBAHIAZwB1AG0AZQBuAHQAcw|UHJvZ3JhbUFyZ3VtZW50c)/ ascii
        //Library
        $e_4 = /(AGkAYgByAGEAcgB5A|aWJyYXJ5|TABpAGIAcgBhAHIAeQ|TGlicmFye|wAaQBiAHIAYQByAHkA|xpYnJhcn)/ ascii

        //StartInterval
        $einterval_a = /(AHQAYQByAHQASQBuAHQAZQByAHYAYQBsA|dGFydEludGVydmFs|MAdABhAHIAdABJAG4AdABlAHIAdgBhAGwA|N0YXJ0SW50ZXJ2YW|U3RhcnRJbnRlcnZhb|UwB0AGEAcgB0AEkAbgB0AGUAcgB2AGEAbA)/ ascii
        $einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii

    condition:
        $h1 at 0
        and filesize < 120KB
        and 
        (
            (all of ($s_*) and 1 of ($sinterval*))
            or
            (all of ($e_*) and 1 of ($einterval*))
        )

}