25 lines
1.1 KiB
Text
25 lines
1.1 KiB
Text
rule Mal_Backdoor_ChaChi_RAT
|
|
{
|
|
meta:
|
|
description = "ChaChi RAT used in PYSA Ransomware Campaigns"
|
|
reference = "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat"
|
|
author = "BlackBerry Threat Research & Intelligence"
|
|
|
|
strings:
|
|
// "Go build ID:"
|
|
$go = { 47 6F 20 62 75 69 6C 64 20 49 44 3A }
|
|
// dnsStream
|
|
$dnsStream = { 64 6E 73 53 74 72 65 61 6D }
|
|
// SOCKS5
|
|
$socks5 = { 53 4F 43 4B 53 35 }
|
|
// chisel
|
|
$chisel = { 63 68 69 73 65 6C }
|
|
|
|
condition:
|
|
// MZ signature at offset 0
|
|
uint16(0) == 0x5A4D and
|
|
// PE signature at offset stored in MZ header at 0x3C
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
// ChaChi Strings
|
|
all of them
|
|
}
|