18 lines
671 B
Text
18 lines
671 B
Text
rule APT32_ActiveMime_Lure{
|
|
meta:
|
|
filetype = "MIME entity"
|
|
author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"
|
|
date = "2017-03-02"
|
|
description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"
|
|
reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
|
|
strings:
|
|
$a1 = "office_text" wide ascii
|
|
$a2 = "schtasks /create /tn" wide ascii
|
|
$a3 = "scrobj.dll" wide ascii
|
|
$a4 = "new-object net.webclient" wide ascii
|
|
$a5 = "GetUserName" wide ascii
|
|
$a6 = "WSHnet.UserDomain" wide ascii
|
|
$a7 = "WSHnet.UserName" wide ascii
|
|
condition:
|
|
4 of them
|
|
}
|