Sneed-Reactivity/yara-Neo23x0/apt_oilrig.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

326 lines
15 KiB
Text

/*
Yara Rule Set
Author: Florian Roth
Date: 2016-10-12
Identifier: OilRig Malware Campaign
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
rule OilRig_Malware_Campaign_Gen1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34"
hash2 = "80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e"
hash3 = "662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f"
hash4 = "903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996"
hash5 = "c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da"
hash6 = "57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4"
hash7 = "1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1"
hash8 = "9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777"
hash9 = "0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e"
hash10 = "4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281"
hash11 = "4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353"
hash12 = "c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51"
hash13 = "f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2"
hash14 = "0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39"
hash15 = "d874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d"
hash16 = "8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9"
hash17 = "55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579"
hash18 = "528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b"
hash19 = "93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0"
hash20 = "e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa"
hash21 = "9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471"
hash22 = "a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064"
hash23 = "3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff"
hash24 = "3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4"
hash25 = "f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e"
id = "d291edf1-b086-5c61-b131-61c9f6e1267b"
strings:
$x1 = "Get-Content $env:Public\\Libraries\\update.vbs) -replace" ascii
$x2 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0" fullword ascii
$x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
$s4 = "CreateObject(\"WScript.Shell\").Run cmd, 0o" fullword ascii
/* Base64 encode config */
/* $global:myhost = */
$b1 = "JGdsb2JhbDpteWhvc3QgP" ascii
/* HOME="%public%\Libraries\" */
$b2 = "SE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzX" ascii
/* Set wss = CreateObject("wScript.Shell") */
$b3 = "U2V0IHdzcyA9IENyZWF0ZU9iamVjdCgid1NjcmlwdC5TaGV" ascii
/* $scriptdir = Split-Path -Parent -Path $ */
$b4 = "JHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCA" ascii
/* \x0aSet wss = CreateObject("wScript.Shell") */
$b5 = "DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN" ascii
/* whoami & hostname */
$b6 = "d2hvYW1pICYgaG9zdG5hb" ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 700KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc"
id = "c577f0ff-1a33-5d7f-93b2-27df8d414bce"
strings:
$x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii
$x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" fullword ascii
$x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" fullword ascii
$x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" fullword ascii
$s1 = "http://winodwsupdates.me" ascii
condition:
( uint16(0) == 0x4f48 and filesize < 4KB and 1 of them ) or ( 2 of them )
}
rule OilRig_Malware_Campaign_Gen2 {
meta:
description = "Detects Oilrig malware samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
modified = "2023-01-07"
hash1 = "c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d"
hash2 = "293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb"
id = "2ca0aadf-c5a8-5c89-ab1e-0c06d2ab8516"
strings:
$s1 = "%userprofile%\\AppData\\Local\\Microsoft\\" ascii
$s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii
$s3 = "&{$rn = Get-Random; $id = 'TR" fullword ascii
$s4 = "') -replace '__',('DNS'+$id) | " fullword ascii
$s5 = "\\upd.vbs" ascii
$s6 = "schtasks /create /F /sc minute /mo " fullword ascii
$s7 = "') -replace '__',('HTP'+$id) | " fullword ascii
$s8 = "&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ" fullword ascii
$s9 = "http://www.israirairlines.com/?mode=page&page=14635&lang=eng<" fullword ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 4000KB and 2 of ($s*) ) or ( 4 of them )
}
rule OilRig_Malware_Campaign_Gen3 {
meta:
description = "Detects Oilrig malware samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
modified = "2023-01-07"
hash1 = "5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9"
hash2 = "bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9"
hash3 = "90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed"
id = "1cd5f7ea-4ae6-5642-b8b3-050cfe724e69"
strings:
$x1 = "source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr" fullword ascii
$x2 = "\\Libraries\\fireueye.vbs" ascii
$x3 = "\\Libraries\\fireeye.vbs&" wide
condition:
( uint16(0) == 0xcfd0 and filesize < 100KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal2 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf"
id = "7a6c38e7-bed9-524b-b4a5-c6c895b9c049"
strings:
$x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii
$x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
$x3 = "mailto:Mohammed.sarah@gratner.com" fullword wide
$x4 = "mailto:Tarik.Imam@gartner.com" fullword wide
$x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" fullword ascii
$x6 = "2dy53My5vcmcvMjAw" fullword wide /* base64 encoded string 'w.w3.org/200' */
condition:
( uint16(0) == 0xcfd0 and filesize < 200KB and 1 of them )
}
rule OilRig_Campaign_Reconnaissance {
meta:
description = "Detects Windows discovery commands - known from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c"
id = "a4fe24b8-290a-5a4a-9f81-bbbd9aae6c6e"
strings:
$s1 = "whoami & hostname & ipconfig /all" ascii
$s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii
$s3 = "net group \"domain admins\" /domain 2>&1 & " ascii
condition:
( filesize < 1KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal3 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378"
id = "e5967b39-5d21-5a6a-a1b5-2ec122f16444"
strings:
$x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" fullword ascii
$x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" fullword ascii
$x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" fullword ascii
condition:
( filesize < 10KB and 1 of them )
}
rule OilRig_Malware_Nov17_13 {
meta:
description = ""
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/ClearskySec/status/933280188733018113"
date = "2017-11-22"
hash1 = "4f1e2df85c538875a7da877719555e21c33a558ac121eb715cf4e779d77ab445"
id = "c45b8d30-6a5f-5dac-a202-6748ba7b7bd2"
strings:
$x1 = "\\Release\\dnscat2.pdb" ascii
$x2 = "cscript.exe //T:20 //Nologo " fullword ascii
$a1 = "taskkill /F /IM cscript.exe" fullword ascii
$a2 = "cmd.exe /c " fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
pe.imphash() == "0160250adfc97f9d4a12dd067323ec61" or
1 of ($x*) or
all of ($a*)
)
}
rule Oilrig_IntelSecurityManager_macro {
meta:
description = "Detects OilRig malware"
author = "Eyal Sela (slightly modified by Florian Roth)"
reference = "Internal Research"
date = "2018-01-19"
id = "4cccc0df-a225-5500-be55-f4ae346e066e"
strings:
$one1 = "$c$m$$d$.$$" ascii wide
$one2 = "$C$$e$r$$t$u$$t$i$$l$" ascii wide
$one3 = "$$%$a$$p$p$$d$a$" ascii wide
$one4 = ".$t$$x$t$$" ascii wide
$one5 = "cu = Replace(cu, \"$\", \"\")" ascii wide
$one6 = "Shell Environ$(\"COMSPEC\") & \" /c"
$one7 = "echo \" & Chr(32) & cmd & Chr(32) & \" > \" & Chr(34)" ascii wide
$two1 = "& SchTasks /Delete /F /TN " ascii wide
$two2 = "SecurityAssist" ascii wide
$two3 = "vbs = \"cmd.exe /c SchTasks" ascii wide
$two4 = "/Delete /F /TN Conhost & del" ascii wide
$two5 = "NullRefrencedException" ascii wide
$two6 = "error has occurred in user32.dll by" ascii wide
$two7 = "NullRefrencedException" ascii wide
condition:
filesize < 300KB and 1 of ($one*) or 2 of ($two*)
}
rule Oilrig_IntelSecurityManager {
meta:
description = "Detects OilRig malware"
author = "Eyal Sela"
reference = "Internal Research"
date = "2018-01-19"
id = "4cccc0df-a225-5500-be55-f4ae346e066e"
strings:
$one1 = "srvResesponded" ascii wide fullword
$one2 = "InetlSecurityAssistManager" ascii wide fullword
$one3 = "srvCheckresponded" ascii wide fullword
$one4 = "IntelSecurityManager" ascii wide
$one5 = "msoffice365cdn.com" ascii wide
$one6 = "\\tmpCa.vbs" ascii wide
$one7 = "AAZFinish" ascii wide fullword
$one8 = "AAZUploaded" ascii wide fullword
$one9 = "ABZFinish" ascii wide fullword
$one10 = "\\tmpCa.vbs" ascii wide
condition:
filesize < 300KB and any of them
}
/*
YARA Rule Set
Author: Florian Roth
Date: 2019-04-17
Identifier: Leaked APT34 / OilRig tools
Reference: https://twitter.com/0xffff0800/status/1118406371165126656
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT_APT34_PS_Malware_Apr19_1 {
meta:
description = "Detects APT34 PowerShell malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
date = "2019-04-17"
hash1 = "b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768"
id = "6a082c5a-ee5b-5002-9148-61bbcfedfe68"
strings:
$x1 = "= get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID" ascii
$x2 = "Write-Host \"excepton occured!\"" ascii /* :) */
$s1 = "Start-Sleep -s 1;" fullword ascii
$s2 = "Start-Sleep -m 100;" fullword ascii
condition:
1 of ($x*) or 2 of them
}
rule APT_APT34_PS_Malware_Apr19_2 {
meta:
description = "Detects APT34 PowerShell malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
date = "2019-04-17"
hash1 = "2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459"
id = "c3bdadfd-2164-5e33-be84-d5d5de8eb048"
strings:
$x1 = "= \"http://\" + [System.Net.Dns]::GetHostAddresses(\"" ascii
$x2 = "$t = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID" fullword ascii
$x3 = "| Where { $_ -notmatch '^\\s+$' }" ascii
$s1 = "= new-object System.Net.WebProxy($u, $true);" fullword ascii
$s2 = " -eq \"dom\"){$" ascii
$s3 = " -eq \"srv\"){$" ascii
$s4 = "+\"<>\" | Set-Content" ascii
condition:
1 of ($x*) and 3 of them
}
rule APT_APT34_PS_Malware_Apr19_3 {
meta:
description = "Detects APT34 PowerShell malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
date = "2019-04-17"
modified = "2023-01-06"
hash1 = "27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed"
id = "361582e7-94e3-5608-9ba9-31fa20c37cf0"
strings:
$x1 = "Powershell.exe -exec bypass -file ${global:$address1}"
$x2 = "schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn"
$x3 = "\"\\UpdateTasks\\UpdateTaskHosts\""
$x4 = "wscript /b \\`\"${global:$address1" ascii
$x5 = "::FromBase64String([string]${global:$http_ag}))" ascii
$x6 = ".run command1, 0, false\" | Out-File " ascii
$x7 = "\\UpdateTask.vbs" ascii
$x8 = "hUpdater.ps1" fullword ascii
condition:
1 of them
}