// Detection rule for the Go-based Lyceum backdoor described in the referenced
// CPR report. It keys on Go symbol names left in the binary, C2 URI paths, a
// hard-coded auth-token assignment, status/log strings and one fixed DNS name.
rule lyceum_golang_backdoor
{
    meta:
        author = "CPR"
        reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
        // Sample hashes the rule was written against (32 hex digits, i.e. MD5 length).
        hash1 = "a437f997d45bc14e76d0f2482f572a34"
        hash2 = "23d174e6a0905fd59b2613d5ac106261"
        hash3 = "bcb465cc2257e5777bab431690ca5039"

    strings:
        // Function symbols from the Go `main` package. Go keeps these names in the
        // binary's symbol/pclntab data unless stripped, so they survive as plain
        // ASCII; YARA matches them case-sensitively with no modifiers.
        // "Ase256" is presumably the author's spelling of AES-256 — kept verbatim
        // because the literal must match the binary, not the intended word.
        $func1 = "main.Ase256"
        $func2 = "main.DecryptAse256"
        $func3 = "main.IsServerUp"
        $func4 = "main.register"
        $func5 = "main.commandforrun"
        $func6 = "main.UPLOAD"
        $func7 = "main.commandforanswer"
        $func8 = "main.GetMD5Hash"
        $func9 = "main.get_uid"
        $func10 = "main.commandrun"
        $func11 = "main.download"
        $func12 = "main.postFile"
        $func13 = "main.sendAns"
        $func14 = "main.comRun"
        // C2 endpoint paths. These are short and fairly generic; a single one can
        // satisfy the condition on its own (see `any of ($cnc_uri*)` below), so
        // review hits that match only a URI against the other indicators.
        $cnc_uri1 = "/GO/1.php"
        $cnc_uri2 = "/GO/2.php"
        $cnc_uri3 = "/GO/3.php"
        // Hard-coded token assignment as embedded in the sample; the escaped
        // double quotes are part of the matched bytes.
        $auth_token = "auth_token=\"XXXXXXX\""
        // Status / log strings. $log1 keeps the original misspelling "registred"
        // because that is what the binary contains. Some of these ("no command",
        // "New record created successfully") are generic phrases, which is why
        // the condition requires three of them rather than one.
        $log1 = "client registred"
        $log2 = "no command"
        $log3 = "can not create file"
        $log4 = "errorGettingUserName"
        $log5 = "New record created successfully"
        $log6 = "SERVER_IS_DOWN"
        // Absolute DNS name (trailing dot). The identifier says "dga", but the
        // rule only shows one fixed name; how the sample uses it is described in
        // the referenced report, not here.
        $dga = "trailers.apple.com."

    condition:
        // 0x5a4d is "MZ": only PE files are evaluated, so an ELF or Mach-O build
        // of the same Go code would not match this rule.
        // Match if: many of the Go symbols, OR any C2 path, OR the token string,
        // OR three log strings, OR the DNS name together with three other strings
        // (`4 of them` counts every string in the rule, $dga included).
        uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them))
}