/* root9B Yara Rules for SHELLTEA + POSLURP MALWARE blog entry https://www.root9b.com/newsroom/shelltea-poslurp-malware */ rule PoSlurpFile : PoSlurp { meta: copyright = "root9b, LLC" authors = "Matt Weeks, Dax Morrow" description = "ShellTea + PoSlurp PoS Malware on Disk PoSlurp executable" reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware" version = "1.0" last_modified = "2017-06-27" strings: $hex1 = { 81 C2 FF 5C F3 22 52 56 E8 } // outer layer custom function resolver condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $hex1 } rule inRegPowerSniff : PowerSniff { meta: copyright = "root9b, LLC" authors = "Matt Weeks, Dax Morrow" description = "ShellTea + PoSlurp PoS Malware in Registry PowerSniff" reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware" version = "1.0" last_modified = "2017-06-27" strings: $hex1 = { 41 2B CF 81 38 BE BA AD AB 48 8B D0 75 09 81 78 04 0D F0 AD 8B } //shellcode blob in registry condition: $hex1 } rule inRegShellTea : ShellTea { meta: copyright = "root9b, LLC" authors = "Matt Weeks, Dax Morrow" description = "ShellTea + PoSlurp PoS Malware in Registry ShellTea" reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware" version = "1.0" last_modified = "2017-06-27" strings: $hex1 = { 48 83 EC 28 E8 F7 03 00 00 [1015] 48 89 5C 24 18 48 89 4C 24 08 55 56 57 41 54 41 } // Binary registry value with variable content for ShellTea config condition: $hex1 } rule inMemPowerSniff : PowerSniff { meta: copyright = "root9b, LLC" authors = "Matt Weeks, Dax Morrow" description = "ShellTea + PoSlurp in Memory PowerSniff" reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware" version = "1.0" last_modified = "2017-06-27" strings: $wide_string = "/%s?user=%08x%08x%08x%08x&id=%u&ver=%u&os=%lu&os2=%lu&host=%u&k=%lu&type=%u" wide //PowerSniff URL Pattern $wide_string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)" wide // PowerSniff URL Pattern condition: all of them } rule inMemShellTea : ShellTea { meta: copyright = "root9b, LLC" authors = "Matt Weeks, Dax Morrow" description = "ShellTea + PoSlurp PoS Malware in Memory ShellTea" reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware" version = "1.0" last_modified = "2017-06-27" strings: $hex1 = { B9 1D C7 12 45 E8 } // opcodes for function hash $hex2 = { B9 52 7E 10 E1 E8 } // opcodes for function hash $hex3 = { B9 CC 11 67 D6 E8 } // opcodes for function hash condition: all of them } rule inMemPoSlurp : PoSlurp { meta: copyright = "root9b, LLC" authors = "Matt Weeks, Dax Morrow" description = "ShellTea + PoSlurp PoS Malware in Memory PoSlurp" reference = "https://www.root9b.com/newsroom/shelltea-poslurp-malware" version = "1.0" last_modified = "2017-06-27" strings: $hex1 = { C6 45 ED 65 C6 45 EE 72 C6 45 EF 6E C6 45 F0 65 } // Kernel32 obfuscated $hex2 = { E8 EE FD FF FF 68 88 13 00 00 FF D6 8D 44 24 18 50 FF D7 8D 44 24 10 50 8D 44 24 1C 50 FF D3 8B 44 24 10 2B 05 80 50 40 00 8B 4C 24 14 1B 0D 84 50 40 00 6A 00 68 80 96 98 00 51 50 E8 B7 05 00 00 6A 3C 33 D2 59 F7 F1 3B 05 2C 40 40 00 72 B0 } // opcodes f rom top-level scan memory basic block condition: all of them }