16 lines
730 B
Text
16 lines
730 B
Text
rule malware_windows_apt_whitebear_binary_loader_3
|
|
{
|
|
meta:
|
|
description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"
|
|
reference = "https://securelist.com/introducing-whitebear/81638/"
|
|
author = "@fusionrace"
|
|
md5 = "b099b82acb860d9a9a571515024b35f0"
|
|
strings:
|
|
// Loader runtime flow
|
|
$c1 = "{531511FA-190D-5D85-8A4A-279F2F592CC7}" wide ascii
|
|
$c2 = "IsLoaderAlreadyWork" wide ascii
|
|
$c3 = "\\\\.\\pipe\\Winsock2\\CatalogChangeListener-%03x%01x-%01x" wide ascii
|
|
$c4 = "\\\\.\\pipe\\Winsock2\\CatalogChangeListener-%02x%02x-%01x" wide ascii
|
|
condition:
|
|
all of ($c*)
|
|
}
|