Sneed-Reactivity/yara-mikesxrs/Secuinfra/APT_Bitter_Maldoc_Verify.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

41 lines
1.4 KiB
Text

/*
Yara Rule Set
Author: SECUINFRA Falcon Team
Date: 2022-06-23
Identifier: 0x03-yara_win-Bitter_T-APT-17
Reference: "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
*/
/* Rule Set —————————————————————– */
rule APT_Bitter_Maldoc_Verify {
meta:
description = "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)"
author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
tlp = "WHITE"
reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
date = "2022-06-01"
hash0 = "0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450"
hash1 = "bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d"
hash2 = "3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6"
strings:
// This rule is meant to be used for verification of a Bitter Maldoc
// rather than a hunting rule since the oleObject it is matching is
// compressed in the doc zip
$xor_string0 = "LoadLibraryA" xor
$xor_string1 = "urlmon.dll" xor
$xor_string2 = "Shell32.dll" xor
$xor_string3 = "ShellExecuteA" xor
$xor_string4 = "MoveFileA" xor
$xor_string5 = "CreateDirectoryA" xor
$xor_string6 = "C:\\Windows\\explorer" xor
$padding = {000001128341000001128341000001128342000001128342}
condition:
3 of ($xor_string*)
and $padding
}