// Detection rule for the Ezuri in-memory loader stub when built as a macOS
// (Mach-O) Go binary. Matches a Mach-O or fat/universal header, a Go build
// marker, and the Ezuri-specific source path and symbol names.
rule EzuriLoaderOSX : OSXMalware {
    meta:
        author = "AT&T Alien Labs"
        type = "malware"
        description = "Detects Ezuri Golang loader."
        copyright = "AT&T Cybersecurity 2020"
        // 32 hex digits; appears to be the MD5 of the analysed sample — confirm against the linked report
        reference = "da5ae0f2a4b6a52d483fb006bc9e9128"
        report = "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader"

    strings:
        // Go source path and function symbols the Ezuri stub leaves in the binary
        $a1 = "ezuri/stub/main.go"
        $a2 = "main.runFromMemory"
        $a3 = "main.aesDec"
        // Marker present in Go-built executables; narrows the rule to Go binaries
        $Go = "go.buildid"

    condition:
        // Header check: Mach-O 32-bit (MH_MAGIC) and 64-bit (MH_MAGIC_64) magic,
        // and the fat/universal magic (FAT_MAGIC), each accepted in either byte
        // order. uint32be(0) reads the first four bytes big-endian, so
        // "uint32be(0) == X" is the same test as comparing the little-endian
        // read uint32(0) against the byte-swapped value of X.
        (
            uint32(0) == 0xfeedface or uint32be(0) == 0xfeedface or   // MH_MAGIC
            uint32(0) == 0xfeedfacf or uint32be(0) == 0xfeedfacf or   // MH_MAGIC_64
            uint32(0) == 0xcafebabe or uint32be(0) == 0xcafebabe      // FAT_MAGIC
        )
        // Size bound keeps scanning cheap; loader stubs are small
        and filesize < 5MB
        and $Go
        and all of ($a*)
}