19 lines
818 B
Text
19 lines
818 B
Text
|
|
rule apt_win_flipflop_ldr : APT29
|
|
{
|
|
meta:
|
|
author = "threatintel@volexity.com"
|
|
date = "2021-05-25"
|
|
description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload."
|
|
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
|
|
hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"
|
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
|
|
|
strings:
|
|
$s1 = "irnjadle"
|
|
$s2 = "BADCFEHGJILKNMPORQTSVUXWZY"
|
|
$s3 = "iMrcsofo taBesC yrtpgoarhpciP orived r1v0."
|
|
|
|
condition:
|
|
all of ($s*)
|
|
}
|