08e8d462fe
RED PILL 🔴 💊
34 lines
2 KiB
Text
34 lines
2 KiB
Text
rule apt_CN_TwistedPanda_64bit_Loader {
|
|
meta:
|
|
author = "Check Point Research"
|
|
description = "Detect the 64bit Loader DLL used by TwistedPanda"
|
|
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
|
|
date = "2022-04-14"
|
|
hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
|
|
|
|
strings:
|
|
// 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
|
|
// 48 8B C1 mov rax, rcx
|
|
// 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
|
|
// 72 ?? jb short loc_7FFDF0BA1B48
|
|
$path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
|
|
// 48 8B D0 mov rdx, rax ; lpBuffer
|
|
// 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
|
|
// 48 8B CF mov rcx, rdi ; hFile
|
|
// 48 8B D8 mov rbx, rax
|
|
// FF ?? ?? ?? ?? call cs:ReadFile
|
|
$shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
|
|
// BA F0 16 00 00 mov edx, 16F0h ; dwSize
|
|
// 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
|
|
// 33 C9 xor ecx, ecx ; lpAddress
|
|
// 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
|
|
// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
|
|
$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
|
|
condition:
|
|
// MZ signature at offset 0 and ...
|
|
uint16(0) == 0x5A4D and
|
|
|
|
// ... PE signature at offset stored in MZ header at 0x3C
|
|
uint32(uint32(0x3C)) == 0x00004550 and
|
|
filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
|
|
}
|