08e8d462fe
RED PILL 🔴 💊
329 lines
8 KiB
Text
329 lines
8 KiB
Text
/* Op Cleaver -------------------------------------------------------------- */
|
||
|
||
rule OPCLEAVER_BackDoorLogger
|
||
{
|
||
meta:
|
||
description = "Keylogger used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "BackDoorLogger"
|
||
$s2 = "zhuAddress"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_Jasus
|
||
{
|
||
meta:
|
||
description = "ARP cache poisoner used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "pcap_dump_open"
|
||
$s2 = "Resolving IPs to poison..."
|
||
$s3 = "WARNNING: Gateway IP can not be found"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_LoggerModule
|
||
{
|
||
meta:
|
||
description = "Keylogger used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "%s-%02d%02d%02d%02d%02d.r"
|
||
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_NetC
|
||
{
|
||
meta:
|
||
description = "Net Crawler used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "NetC.exe" wide
|
||
$s2 = "Net Service"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_ShellCreator2
|
||
{
|
||
meta:
|
||
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "ShellCreator2.Properties"
|
||
$s2 = "set_IV"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_SmartCopy2
|
||
{
|
||
meta:
|
||
description = "Malware or hack tool used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "SmartCopy2.Properties"
|
||
$s2 = "ZhuFrameWork"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_SynFlooder
|
||
{
|
||
meta:
|
||
description = "Malware or hack tool used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
|
||
$s2 = "your target’s IP is : %s"
|
||
$s3 = "Raw TCP Socket Created successfully."
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_TinyZBot
|
||
{
|
||
meta:
|
||
description = "Tiny Bot used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "NetScp" wide
|
||
$s2 = "TinyZBot.Properties.Resources.resources"
|
||
$s3 = "Aoao WaterMark"
|
||
$s4 = "Run_a_exe"
|
||
$s5 = "netscp.exe"
|
||
$s6 = "get_MainModule_WebReference_DefaultWS"
|
||
$s7 = "remove_CheckFileMD5Completed"
|
||
$s8 = "http://tempuri.org/"
|
||
$s9 = "Zhoupin_Cleaver"
|
||
condition:
|
||
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
|
||
}
|
||
|
||
rule OPCLEAVER_ZhoupinExploitCrew
|
||
{
|
||
meta:
|
||
description = "Keywords used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "zhoupin exploit crew" nocase
|
||
$s2 = "zhopin exploit crew" nocase
|
||
condition:
|
||
1 of them
|
||
}
|
||
|
||
rule OPCLEAVER_antivirusdetector
|
||
{
|
||
meta:
|
||
description = "Hack tool used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "getShadyProcess"
|
||
$s2 = "getSystemAntiviruses"
|
||
$s3 = "AntiVirusDetector"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_csext
|
||
{
|
||
meta:
|
||
description = "Backdoor used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "COM+ System Extentions"
|
||
$s2 = "csext.exe"
|
||
$s3 = "COM_Extentions_bin"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_kagent
|
||
{
|
||
meta:
|
||
description = "Backdoor used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "kill command is in last machine, going back"
|
||
$s2 = "message data length in B64: %d Bytes"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_mimikatzWrapper
|
||
{
|
||
meta:
|
||
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "mimikatzWrapper"
|
||
$s2 = "get_mimikatz"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_pvz_in
|
||
{
|
||
meta:
|
||
description = "Parviz tool used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
|
||
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_pvz_out
|
||
{
|
||
meta:
|
||
description = "Parviz tool used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "Network Connectivity Module" wide
|
||
$s2 = "OSPPSVC" wide
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_wndTest
|
||
{
|
||
meta:
|
||
description = "Backdoor used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "[Alt]" wide
|
||
$s2 = "<< %s >>:" wide
|
||
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_zhCat
|
||
{
|
||
meta:
|
||
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
|
||
$s2 = "ABC ( A Big Company )" wide fullword
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_zhLookUp
|
||
{
|
||
meta:
|
||
description = "Hack tool used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "zhLookUp.Properties"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_zhmimikatz
|
||
{
|
||
meta:
|
||
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Cylance Inc."
|
||
score = 70
|
||
strings:
|
||
$s1 = "MimikatzRunner"
|
||
$s2 = "zhmimikatz"
|
||
condition:
|
||
all of them
|
||
}
|
||
|
||
rule OPCLEAVER_Parviz_Developer
|
||
{
|
||
meta:
|
||
description = "Parviz developer known from Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Florian Roth"
|
||
score = 70
|
||
strings:
|
||
$s1 = "Users\\parviz\\documents\\" nocase
|
||
condition:
|
||
$s1
|
||
}
|
||
|
||
rule OPCLEAVER_CCProxy_Config
|
||
{
|
||
meta:
|
||
description = "CCProxy config known from Operation Cleaver"
|
||
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
||
date = "2014/12/02"
|
||
author = "Florian Roth"
|
||
score = 70
|
||
strings:
|
||
$s1 = "UserName=User-001" fullword ascii
|
||
$s2 = "Web=1" fullword ascii
|
||
$s3 = "Mail=1" fullword ascii
|
||
$s4 = "FTP=0" fullword ascii
|
||
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
|
||
condition:
|
||
all of ($s*) or $x1
|
||
}
|