RED PILL 🔴 💊
// Animal Farm yara rules
|
|
// For feedback or questions contact us at: github@eset.com
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2015, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
rule ramFS
{
    // RamFS is the custom in-memory file system embedded in Animal Farm
    // payloads. The rule requires a PE header and then either one of the
    // RamFS debug/configuration strings or the complete command vocabulary.
    meta:
        Author = "Joan Calvet"
        Date = "2015/07/14"
        Description = "RamFS -- custom file system used by Animal Farm malware"
        Reference = "http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Debug strings in RamFS
        $dbg01 = "Check: Error in File_List"
        $dbg02 = "Check: Error in FreeFileHeader_List"
        $dbg03 = "CD-->[%s]"
        $dbg04 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]"
        // RamFS parameters stored in the configuration
        $dbg05 = "tr4qa589" fullword
        $dbg06 = "xT0rvwz" fullword

        // RamFS commands. All ten are required together, which is what keeps
        // the two-character atoms ("CD", "MD") from producing hits on their own.
        $cmd01 = "INSTALL" fullword
        $cmd02 = "EXTRACT" fullword
        $cmd03 = "DELETE" fullword
        $cmd04 = "EXEC" fullword
        $cmd05 = "INJECT" fullword
        $cmd06 = "SLEEP" fullword
        $cmd07 = "KILL" fullword
        $cmd08 = "AUTODEL" fullword
        $cmd09 = "CD" fullword
        $cmd10 = "MD" fullword

    condition:
        // "MZ" at offset 0, read as a little-endian 16-bit value
        uint16(0) == 0x5A4D and
        (any of ($dbg*) or all of ($cmd*))
}
|
|
|
|
rule dino
{
    // Dino backdoor: any single one of these log/format strings is enough.
    // No file-type guard is applied, so the rule also fires on memory dumps
    // and on text that merely quotes one of the strings.
    meta:
        Author = "Joan Calvet"
        Date = "2015/07/14"
        Description = "Dino backdoor"
        Reference = "http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        $msg1 = "PsmIsANiceM0du1eWith0SugarInsideA"
        $msg2 = "destroyPSM"
        $msg3 = "FM_PENDING_DOWN_%X"
        $msg4 = "%s was canceled after %d try (reached MaxTry parameter)"
        $msg5 = "you forgot value name"
        $msg6 = "wakeup successfully scheduled in %d minutes"
        $msg7 = "BD started at %s"
        $msg8 = "decyphering failed on bd"

    condition:
        1 of ($msg*)
}
|
|
|
|
// Linux/Moose yara rules
|
|
// For feedback or questions contact us at: github@eset.com
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2015, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
private rule is_elf
{
    // ELF magic (0x7F 'E' 'L' 'F') at offset 0, compared as one little-endian
    // 32-bit read instead of a hex string anchored with "at 0".
    condition:
        uint32(0) == 0x464C457F
}
|
|
|
|
rule moose
{
    // Linux/Moose: an ELF that contains every one of the strings below.
    // Several atoms are very short ("sh", "ps", "chmod"); they are acceptable
    // only because the condition demands all strings, so none can match alone.
    meta:
        Author = "Thomas Dupuy"
        Date = "2015/04/21"
        Description = "Linux/Moose malware"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // mining / C&C related
        $m01 = "Status: OK"
        $m02 = "--scrypt"
        $m03 = "stratum+tcp://"
        $m04 = "cmd.so"
        $m05 = "/Challenge"
        // host fingerprinting
        $m06 = "processor"
        $m07 = "cpu model"
        $m08 = "cat /proc/cpuinfo"
        $m09 = "/proc/%s/cmdline"
        // login / shell interaction
        $m10 = "password is wrong"
        $m11 = "password:"
        $m12 = "uthentication failed"
        $m13 = "sh"
        $m14 = "ps"
        $m15 = "echo -n -e "
        $m16 = "chmod"
        $m17 = "chmod: not found"
        $m18 = "kill %s"
        // meaning of these two not established from the rule itself
        $m19 = "elan2"
        $m20 = "elan3"

    condition:
        is_elf and all of them
}
|
|
|
|
// Mumblehard packer yara rule
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2015, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
rule mumblehard_packer
{
    // Matches the i386 decryption loop of the Mumblehard packer. Wildcards
    // (??) and jumps ([n-m]) absorb the per-sample immediates and padding;
    // the two alternatives cover "push esi / pop edi" and "mov edi, esi".
    meta:
        description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
        author = "Marc-Etienne M. Leveille"
        date = "2015-04-07"
        reference = "http://www.welivesecurity.com"
        version = "1"

    strings:
        $decrypt = {
            31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 f7)
            39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 00 00
            00 31 db 43 ac 30 d8 aa 43 e2 e2
        }

    condition:
        $decrypt
}
|
|
|
|
// Operation Potao yara rules
|
|
// For feedback or questions contact us at: github@eset.com
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2015, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
private rule PotaoDecoy
{
    // Potao decoy/dropper documents. A PE header plus either the full
    // marker-string set, one of the legacy version blobs, or the lure text.
    strings:
        $str1 = "eroqw11"
        $str2 = "2sfsdf"
        $str3 = "RtlDecompressBuffer"
        $wiki_str = "spanned more than 100 years and ruined three consecutive" wide

        // "Shell32.dll\0dafsr\0\0\0dafsr\0\0\0doc" followed by 0x00 or 'x'
        $old_ver1 = {
            53 68 65 6C 6C 33 32 2E 64 6C 6C 00
            64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00
            64 6F 63 (00 | 78)
        }
        // "open\0\0\0\0doc\0dafsr\0\0\0Shell32.dll\0"
        $old_ver2 = {
            6F 70 65 6E 00 00 00 00 64 6F 63 00
            64 61 66 73 72 00 00 00
            53 68 65 6C 6C 33 32 2E 64 6C 6C 00
        }

    condition:
        uint16(0) == 0x5A4D and
        (
            all of ($str*) or
            any of ($old_ver*) or
            $wiki_str
        )
}
|
|
private rule PotaoDll
{
    // Potao plugin DLLs: a PE that carries at least one RTTI/config marker
    // AND at least one of the known module file names.
    strings:
        // RTTI names, a hard-coded address string and C&C paths
        $dllstr1 = "?AVCncBuffer@@"
        $dllstr2 = "?AVCncRequest@@"
        $dllstr3 = "Petrozavodskaya, 11, 9"
        $dllstr4 = "_Scan@0"
        $dllstr5 = "\x00/sync/document/"
        $dllstr6 = "\\temp.temp"

        // module names; the NUL prefix on Screen.dll avoids matching a
        // longer name that merely ends in "Screen.dll"
        $dllname1 = "node69MainModule.dll"
        $dllname2 = "node69-main.dll"
        $dllname3 = "node69MainModuleD.dll"
        $dllname4 = "task-diskscanner.dll"
        $dllname5 = "\x00Screen.dll"
        $dllname6 = "Poker2.dll"
        $dllname7 = "PasswordStealer.dll"
        $dllname8 = "KeyLog2Runner.dll"
        $dllname9 = "GetAllSystemInfo.dll"
        $dllname10 = "FilePathStealer.dll"

    condition:
        uint16(0) == 0x5A4D and
        1 of ($dllstr*) and
        1 of ($dllname*)
}
|
|
private rule PotaoUSB
{
    // Potao USB-spreading component: PE header plus one of two code
    // fragments. Wildcarded bytes are the absolute addresses that differ
    // between builds.
    strings:
        $binary1 = {
            33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00
            2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3
        }
        $binary2 = {
            55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01
            89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00
            8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2
            0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00
            8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3
        }

    condition:
        uint16(0) == 0x5A4D and 1 of ($binary*)
}
|
|
private rule PotaoSecondStage
{
    // Potao second stage: PE header, one of the API-hash pairs, and one of
    // the two string markers. The jumps between the two hash constants
    // bound how far apart the import-resolution code may place them.
    strings:
        // hash of CryptBinaryToStringA and CryptStringToBinaryA
        $binary1 = { 51 7A BB 85 [10-180] E8 47 D2 A8 }
        // old hash of CryptBinaryToStringA and CryptStringToBinaryA
        $binary2 = { 5F 21 63 DD [10-30] EC FD 33 02 }
        $binary3 = { CA 77 67 57 [10-30] BA 08 20 7A }

        $str1 = "?AVCrypt32Import@@"
        $str2 = "%.5llx"

    condition:
        uint16(0) == 0x5A4D and
        1 of ($binary*) and
        1 of ($str*)
}
|
|
rule Potao
{
    // Public entry point for Operation Potao: fires when any of the private
    // component rules above (decoy, plugin DLL, USB spreader, second stage)
    // matches. The private rules carry the actual byte/string logic.
    meta:
        Author = "Anton Cherepanov"
        Date = "2015/07/29"
        Description = "Operation Potao"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "threatintel@eset.com"
        License = "BSD 2-Clause"

    condition:
        PotaoDecoy or
        PotaoDll or
        PotaoUSB or
        PotaoSecondStage
}
|
|
|
|
// Operation Windigo yara rules
|
|
// For feedback or questions contact us at: windigo@eset.sk
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2014, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
rule onimiki
{
    // Linux/Onimiki malicious DNS server: nine consecutive 16-byte slices
    // of one code region, all of which must be present.
    meta:
        description = "Linux/Onimiki malicious DNS server"
        malware = "Linux/Onimiki"
        operation = "Windigo"
        author = "Olivier Bilodeau <bilodeau@eset.com>"
        created = "2014-02-06"
        reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
        contact = "windigo@eset.sk"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

    strings:
        // code from offset: 0x46CBCD
        $a1 = { 43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D }
        $a2 = { 74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0 }
        $a3 = { D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C }
        $a4 = { 8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89 }
        $a5 = { C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89 }
        $a6 = { C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92 }
        $a7 = { 8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01 }
        $a8 = { 00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26 }
        $a9 = { 42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07 }

    condition:
        all of ($a*)
}
|
|
|
|
|
|
// Keydnap packer yara rule
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2016, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
|
|
rule keydnap_backdoor
{
    // Unpacked OSX/Keydnap backdoor: C&C API paths, a loader prefix, an
    // embedded key-like constant and the persistence label. Two hits needed.
    meta:
        description = "Unpacked OSX/Keydnap backdoor"
        author = "Marc-Etienne M. Leveille"
        date = "2016-07-06"
        reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
        version = "1"

    strings:
        $k1 = "api/osx/get_task"
        $k2 = "api/osx/cmd_executed"
        $k3 = "Loader-"
        $k4 = "u2RLhh+!LGd9p8!ZtuKcN"
        $k5 = "com.apple.iCloud.sync.daemon"

    condition:
        2 of ($k*)
}
|
|
rule keydnap_downloader
{
    // OSX/Keydnap downloader: two of three strings. "open %s" is generic
    // on its own; the pairing requirement is what keeps precision up.
    meta:
        description = "OSX/Keydnap Downloader"
        author = "Marc-Etienne M. Leveille"
        date = "2016-07-06"
        reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
        version = "1"

    strings:
        $d1 = "icloudsyncd"
        $d2 = "killall Terminal"
        $d3 = "open %s"

    condition:
        2 of ($d*)
}
|
|
|
|
rule keydnap_backdoor_packer
{
    // Packed Keydnap: carries the UPX banner text and the custom "ASS7"
    // marker, but NOT the genuine "UPX!" magic -- i.e. a modified UPX
    // whose magic was replaced.
    meta:
        description = "OSX/Keydnap packed backdoor"
        author = "Marc-Etienne M. Leveille"
        date = "2016-07-06"
        reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
        version = "1"

    strings:
        $upx_string = "This file is packed with the UPX"
        $packer_magic = "ASS7"
        $upx_magic = "UPX!"

    condition:
        $upx_string and
        $packer_magic and
        not $upx_magic
}
|
|
|
|
|
|
rule kobalos
{
    // Kobalos: any one of four embedded constants. These are sample
    // constants (key material, a digest, a table of lengths), so a single
    // hit is considered sufficient.
    meta:
        description = "Kobalos malware"
        author = "Marc-Etienne M.Léveillé"
        date = "2020-11-02"
        reference = "http://www.welivesecurity.com"
        reference2 = "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // table of encrypted string sizes; reads as sixteen 32-bit values
        // (5, 9, 4, 6, 8, 8, 2, 2, 1, 1, 5, 7, 5, 5, 5, 10) if little-endian
        $encrypted_strings_sizes = {
            05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
            08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
            01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
            05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
        }
        $password_md5_digest = { 3A DD 48 19 26 54 BD 55 8A 4A 4C ED 9C 25 5C 4C }
        $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
        $strings_rc4_key = { AE 0E 05 09 0F 3A C2 B5 0B 1B C6 E9 1D 2F E3 CE }

    condition:
        1 of them
}
|
|
|
|
rule kobalos_ssh_credential_stealer
{
    // Trojanized OpenSSH client used by Kobalos: the format string it uses
    // to record captured user/host/port/password tuples.
    meta:
        description = "Kobalos SSH credential stealer seen in OpenSSH client"
        author = "Marc-Etienne M.Léveillé"
        date = "2020-11-02"
        reference = "http://www.welivesecurity.com"
        reference2 = "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $log_fmt = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"

    condition:
        $log_fmt
}
|
|
|
|
// For feedback or questions contact us at: github@eset.com
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2018, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
import "pe"
|
|
|
|
private rule not_ms
{
    // True unless some Authenticode signature on the PE names an issuer
    // containing "Microsoft Corporation". Only the issuer string is compared;
    // nothing here checks that the signature is valid or chains correctly,
    // so a forged or self-signed certificate with that issuer text would
    // also be excluded. Unsigned files (no signatures) pass through.
    condition:
        not for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].issuer contains "Microsoft Corporation"
        )
}
|
|
|
|
rule turla_outlook_gen
{
    // Turla Outlook backdoor: five of the strings below in a PE that is not
    // Microsoft-signed (see not_ms). Strings cover mail-client registry
    // paths, window class names, MAPI symbols and the backdoor's own
    // command/export syntax.
    meta:
        author = "ESET Research"
        date = "05-09-2018"
        description = "Turla Outlook malware"
        version = 2
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        // mail clients it hooks into
        $s1  = "Outlook Express" ascii wide
        $s2  = "Outlook watchdog" ascii wide
        $s3  = "Software\\RIT\\The Bat!" ascii wide
        $s4  = "Mail Event Window" ascii wide
        $s5  = "Software\\Mozilla\\Mozilla Thunderbird\\Profiles" ascii wide
        // PDF container and timestamp formats
        $s6  = "%%PDF-1.4\n%%%c%c\n" ascii wide
        $s7  = "%Y-%m-%dT%H:%M:%S+0000" ascii wide
        // window classes / MAPI
        $s8  = "rctrl_renwnd32" ascii wide
        $s9  = "NetUIHWND" ascii wide
        $s10 = "homePostalAddress" ascii wide
        $s13 = "IPM.Note" ascii wide
        $s14 = "MAPILogonEx" ascii wide
        $s15 = "pipe\\The Bat! %d CmdLine" ascii wide
        // backdoor command syntax and helper modules
        $s11 = "/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=" ascii wide
        $s12 = "Re:|FWD:|AW:|FYI:|NT|QUE:" ascii wide
        $s16 = "PowerShellRunner.dll" ascii wide
        $s17 = "cmd container" ascii wide
        $s18 = "mapid.tlb" ascii wide nocase
        $s19 = "Content-Type: F)*+" ascii wide fullword

    condition:
        not_ms and 5 of ($s*)
}
|
|
|
|
rule turla_outlook_filenames
{
    // File names used by the Turla Outlook backdoor on disk. Any one hit
    // fires; these are plain ASCII, case-sensitive matches.
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Turla Outlook filenames"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        $fn1 = "mapid.tlb"
        $fn2 = "msmime.dll"
        $fn3 = "scawrdot.db"

    condition:
        1 of ($fn*)
}
|
|
|
|
rule turla_outlook_log
{
    // Encrypted log file written by the Turla Outlook backdoor: a fixed
    // 11-byte prefix, 21 variable bytes, then a fixed 5-byte tail, and the
    // whole pattern must sit at file offset 0.
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "First bytes of the encrypted Turla Outlook logs"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        // Log begin: [...] TVer
        $hdr = { 01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A }

    condition:
        $hdr at 0
}
|
|
|
|
rule turla_outlook_exports
{
    // Export-table signature of the Turla Outlook backdoor. pe.exports() is
    // case-sensitive, hence the explicit "install"/"Install" pair. No string
    // scanning is involved; everything comes from the PE export directory.
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Export names of Turla Outlook Malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    condition:
        (pe.exports("install") or pe.exports("Install"))
        and pe.exports("TBP_Initialize")
        and pe.exports("TBP_Finalize")
        and pe.exports("TBP_GetName")
        and pe.exports("DllRegisterServer")
        and pe.exports("DllGetClassObject")
}
|
|
|
|
rule turla_outlook_pdf
{
    // PDF documents produced by the Turla Outlook backdoor for exfiltration.
    // Five of six markers are required; individually they are ordinary
    // PDF/JPEG artefacts, so expect hits only when most co-occur.
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Detect PDF documents generated by Turla Outlook malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        $s1 = "Adobe PDF Library 9.0" ascii wide nocase
        $s2 = "Acrobat PDFMaker 9.0" ascii wide nocase
        // JPEG SOI + APP0 "JFIF" header
        $s3 = { FF D8 FF E0 00 10 4A 46 49 46 }
        // JPEG tail ending in the EOI marker FF D9
        $s4 = { 00 3F 00 FD FC A2 8A 28 03 FF D9 }
        $s5 = "W5M0MpCehiHzreSzNTczkc9d" ascii wide nocase
        $s6 = "PDF-1.4" ascii wide nocase

    condition:
        5 of ($s*)
}
|
|
|
|
rule outlook_misty1
{
    // Turla's MISTY1 cipher implementation. $o2 must be present, and every
    // occurrence of the 9-bit mask ($o1) must have all three of the
    // shift/xor fragments within +/-500 bytes of it.
    // NOTE(review): when $o1 never matches the inner loop runs over an
    // empty range; how `for all` over an empty range evaluates depends on
    // the installed YARA version -- confirm against the version in use.
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Detects the Turla MISTY1 implementation"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        // and edi, 1FFh
        $o1 = { 81 E7 FF 01 00 00 }
        $o2 = { 8B 11 8D 04 1F 50 03 D3 8D 4D C4 }
        // shl ecx, 9
        $s1 = { C1 E1 09 }
        // xor ax, si
        $s2 = { 66 33 C6 }
        // shr eax, 7
        $s3 = { C1 E8 07 }

    condition:
        $o2 and
        for all i in (1 .. #o1) : (
            for all of ($s*) : (
                $ in (@o1[i] - 500 .. @o1[i] + 500)
            )
        )
}
|
|
|
|
// For feedback or questions contact us at: github@eset.com
|
|
// https://github.com/eset/malware-ioc/
|
|
//
|
|
// These yara rules are provided to the community under the two-clause BSD
|
|
// license as follows:
|
|
//
|
|
// Copyright (c) 2019, ESET
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
rule skip20_sqllang_hook
{
    // Identifies sqllang.dll builds whose functions skip-2.0 knows how to
    // hook. A hit therefore means "this SQL Server version is a supported
    // target", not "this file is the implant" -- pair it with a search for
    // the backdoor itself before raising an incident.
    // Each $N_x pattern is the prologue/epilogue of one hooked function;
    // $1_0 / $1_1 belong to the authentication-bypass hook (see description).
    // Note that $5_1 and $7_1 are substrings of $5_0 and $7_0, so under
    // "1 of them" the longer patterns never change the verdict.
    meta:
        author = "Mathieu Tartare <mathieu.tartare@eset.com>"
        date = "21-10-2019"
        description = "YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        $1_0 = { ff f3 55 56 57 41 56 48 81 ec c0 01 00 00 48 c7 44 24 38 fe ff ff ff }
        $1_1 = { 48 8b c3 4c 8d 9c 24 a0 00 00 00 49 8b 5b 10 49 8b 6b 18 49 8b 73 20 49 8b 7b 28 49 8b e3 41 5e c3 90 90 90 90 90 90 90 ff 25 }

        $2_0 = { ff f3 55 57 41 55 48 83 ec 58 65 48 8b 04 25 30 00 00 00 }
        $2_1 = { 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ff 25 }

        $3_0 = { 89 4c 24 08 4c 8b dc 49 89 53 10 4d 89 43 18 4d 89 4b 20 57 48 81 ec 90 00 00 00 }
        $3_1 = { 4c 8d 9c 24 20 01 00 00 49 8b 5b 40 49 8b 73 48 49 8b e3 41 5f 41 5e 41 5c 5f 5d c3 }

        $4_0 = { ff f5 41 56 41 57 48 81 ec 90 00 00 00 48 8d 6c 24 50 48 c7 45 28 fe ff ff ff 48 89 5d 60 48 89 75 68 48 89 7d 70 4c 89 65 78 }
        $4_1 = { 8b c1 48 8b 8c 24 30 02 00 00 48 33 cc }

        $5_0 = { 48 8b c4 57 41 54 41 55 41 56 41 57 48 81 ec 90 03 00 00 48 c7 80 68 fd ff ff fe ff ff ff 48 89 58 18 48 89 70 20 }
        $5_1 = { 48 c7 80 68 fd ff ff fe ff ff ff 48 89 58 18 48 89 70 20 }

        $6_0 = { 44 88 4c 24 20 44 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 81 ec 80 01 00 00 }
        $6_1 = { 48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 81 ec 80 01 00 00 48 c7 84 24 e8 00 00 00 fe ff ff ff }

        $7_0 = { 08 48 89 74 24 10 57 48 83 ec 20 49 63 d8 48 8b f2 48 8b f9 45 85 c0 }
        $7_1 = { 20 49 63 d8 48 8b f2 48 8b f9 45 85 }

        // the following share a common stub and differ in the distance to
        // the hooked prologue; the unbounded jumps make them expensive
        $8_0  = { 48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [11300-] ff f5 56 57 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 70 }
        $9_0  = { 48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [40050-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60 }
        $11_0 = { 48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [40700-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60 }
        $12_0 = { 48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [10650-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60 }
        $13_0 = { 48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [41850-] ff f5 56 57 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 70 }
        $14_0 = { 48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [42600-] ff f7 48 83 ec 50 48 c7 44 24 20 fe ff ff ff }

        $10_0 = { 41 56 48 83 ec 50 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 60 48 89 6c 24 68 48 89 74 24 70 48 89 7c 24 78 48 8b d9 33 ed 8b f5 89 6c }
        $10_1 = { 48 8b 42 18 4c 89 90 f0 00 00 00 44 89 90 f8 00 00 00 c7 80 fc 00 00 00 1b 00 00 00 48 8b c2 c3 90 90 90 }

    condition:
        1 of them
}
|
|
|
|
|
|
// Operation Potao yara rules
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2015, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
// Potao decoy component (per the rule name): a PE file ("MZ" at offset 0) that
// carries either all three marker strings ($str1..$str3), one of the two
// older-version byte layouts ($old_ver*), or the wide decoy sentence ($wiki_str).
// NOTE(review): a 2-byte hex string such as $mz is a very short atom for the
// scanner; `uint16(0) == 0x5A4D` (the form used by the InvisiMole rules further
// down in this file) expresses the same offset-0 check without a string search.
private rule PotaoDecoy
{
    strings:
        $mz = { 4d 5a }                 // "MZ" DOS header magic, anchored at offset 0 in the condition
        $str1 = "eroqw11"
        $str2 = "2sfsdf"
        $str3 = "RtlDecompressBuffer"   // ntdll API name; only counts together with $str1 and $str2
        $wiki_str = "spanned more than 100 years and ruined three consecutive" wide

        // "Shell32.dll\0" "dafsr\0\0\0" "dafsr\0\0\0" "doc" followed by either NUL or 'x' (doc / docx)
        $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
        // "open\0\0\0\0" "doc\0" "dafsr\0\0\0" "Shell32.dll\0" -- the same markers in a different layout
        $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}

    condition:
        // $str* must all be present together; any single $old_ver* or the decoy sentence suffices on its own
        ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
}
// Potao DLL modules: a PE file that contains at least one internal marker
// string ($dllstr*) AND at least one of the known module file names ($dllname*).
// Requiring one from each group keeps a lone generic string from matching.
private rule PotaoDll
{
    strings:
        $mz = { 4d 5a }                     // "MZ" DOS header magic, anchored at offset 0 below

        $dllstr1 = "?AVCncBuffer@@"        // MSVC-mangled class type names (CncBuffer, CncRequest)
        $dllstr2 = "?AVCncRequest@@"
        $dllstr3 = "Petrozavodskaya, 11, 9"
        $dllstr4 = "_Scan@0"               // stdcall-decorated export name (Scan, 0 bytes of arguments)
        $dllstr5 = "\x00/sync/document/"   // leading NUL anchors the path to a string start
        $dllstr6 = "\\temp.temp"

        $dllname1 = "node69MainModule.dll"
        $dllname2 = "node69-main.dll"
        $dllname3 = "node69MainModuleD.dll"
        $dllname4 = "task-diskscanner.dll"
        $dllname5 = "\x00Screen.dll"       // leading NUL anchors the name to a string start
        $dllname6 = "Poker2.dll"
        $dllname7 = "PasswordStealer.dll"
        $dllname8 = "KeyLog2Runner.dll"
        $dllname9 = "GetAllSystemInfo.dll"
        $dllname10 = "FilePathStealer.dll"

    condition:
        ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
}
// Potao USB component (per the rule name): a PE file containing one of two
// code fragments. `??` marks address/displacement bytes that vary per build.
private rule PotaoUSB
{
    strings:
        $mz = { 4d 5a }     // "MZ" DOS header magic, anchored at offset 0 below

        // xor eax,eax (33 C0) ... table-driven byte loop ... jl back (7C DA) ... ret (C3)
        $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
        // whole function: push ebp / mov ebp,esp (55 8B EC) through pop ebp / ret (5D C3);
        // the loop body contains a div by 4 (BE 04 00 00 00 / F7 F6) and an `and ecx, 0xFF` mask (81 E1 FF 00 00 00)
        $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}

    condition:
        ($mz at 0) and any of ($binary*)
}
// Potao second stage: a PE file with one of the API-hash pairs below (two
// 4-byte constants a bounded distance apart, see the [n-m] jumps) plus one of
// the marker strings. The hash pairs alone are short, so the string is required too.
private rule PotaoSecondStage
{
    strings:
        $mz = { 4d 5a }     // "MZ" DOS header magic, anchored at offset 0 below
        // hash of CryptBinaryToStringA and CryptStringToBinaryA
        $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
        // old hash of CryptBinaryToStringA and CryptStringToBinaryA
        $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
        $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}

        $str1 = "?AVCrypt32Import@@"   // MSVC-mangled class type name (Crypt32Import)
        $str2 = "%.5llx"

    condition:
        ($mz at 0) and any of ($binary*) and any of ($str*)
}
// Public entry point for Operation Potao: fires when any of the four private
// component rules above (decoy, DLL module, USB component, second stage) matches.
// Only this rule is reported; the private rules are building blocks.
rule Potao
{
    meta:
        Author = "Anton Cherepanov"
        Date = "2015/07/29"
        Description = "Operation Potao"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "threatintel@eset.com"
        License = "BSD 2-Clause"
    condition:
        PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
}
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//

import "pe"
// Shared building block: an InvisiMole "blob" is recognised by one of four
// 4-byte magic values at offset 0. Read little-endian they are 0xDED0FFF9 /
// 0xDED0FF64 (old format, 32/64-bit) and 0xCE11DA86 / 0xCE11DA64 (new format);
// apt_Windows_InvisiMole below matches the same constants as cmp immediates.
// Referenced by the other InvisiMole rules as an alternative to the MZ check,
// so that non-PE blobs are covered as well.
private rule InvisiMole_Blob {
    meta:
        description = "Detects InvisiMole blobs by magic values"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $magic_old_32 = {F9 FF D0 DE}   // 0xDED0FFF9 LE
        $magic_old_64 = {64 FF D0 DE}   // 0xDED0FF64 LE
        $magic_new_32 = {86 DA 11 CE}   // 0xCE11DA86 LE
        $magic_new_64 = {64 DA 11 CE}   // 0xCE11DA64 LE

    condition:
        ($magic_old_32 at 0) or ($magic_old_64 at 0) or ($magic_new_32 at 0) or ($magic_new_64 at 0)
}
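// Log files produced by the RC2CL backdoor are recognised solely by a 4-byte
// little-endian header magic at offset 0. There is deliberately no MZ / PE
// check: these are data files, not executables, and no strings section is
// needed because the condition reads the header directly.
rule apt_Windows_InvisiMole_Logs {
    meta:
        // wording fixed: the original read "log files with collected created by"
        description = "Detects log files with collected data created by InvisiMole's RC2CL backdoor"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    condition:
        // each value is one known header magic; uint32() reads little-endian
        uint32(0) == 0x08F1CAA1 or
        uint32(0) == 0x08F1CAA2 or
        uint32(0) == 0x08F1CCC0 or
        uint32(0) == 0x08F2AFC0 or
        uint32(0) == 0x083AE4DF or
        uint32(0) == 0x18F2CBB1 or
        uint32(0) == 0x1900ABBA or
        uint32(0) == 0x24F2CEA1 or
        uint32(0) == 0xDA012193 or
        uint32(0) == 0xDA018993 or
        uint32(0) == 0xDA018995 or
        uint32(0) == 0xDD018991
}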
// Trojanized RAR SFX droppers: a PE file (MZ at offset 0) that carries the
// InvisiMole configuration blob, stored XOR-encrypted with the single byte
// 0x2A (see description). Decoding $encrypted_config with that key gives, in
// order: "user32.dll", "wsprintfW", the UTF-16 format "%sRar$EXa%d.%d\%S",
// "ShellExecuteW", "Shell32.dll", "VirtualAlloc", "LoadLibraryA" -- i.e. the
// API/library names the dropper resolves at run time. The 0x2A bytes between
// the UTF-16 characters are encrypted NULs.
rule apt_Windows_InvisiMole_SFX_Dropper {

    meta:
        description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B}

    condition:
        uint16(0) == 0x5A4D and $encrypted_config    // 0x5A4D little-endian == "MZ"
}
// InvisiMole CPL (Control Panel applet) loader: a PE file with at least three
// of the artefacts below -- a split-up WScript.Shell .Run() command line, the
// file names the loader references, the Free Pascal compiler (FPC) version
// banners it was built with, and two further marker strings.
rule apt_Windows_InvisiMole_CPL_Loader {
    meta:
        description = "CPL loader"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // format string: the %s gaps are filled at run time, so the complete command never appears
        // contiguously in the file; the visible CLSID fragments ({20d04fe0-3a..30309d},
        // {21EC..DD-08002B3030..}) look like shell-folder CLSIDs -- TODO confirm against the reference
        $s1 = "WScr%steObject(\"WScr%s.Run(\"::{20d04fe0-3a%s30309d}\\\\::{21EC%sDD-08002B3030%s\", 0);"
        $s2 = "\\Control.js" wide
        $s3 = "\\Control Panel.lnk" wide
        $s4 = "FPC 3.0.4 [2019/04/13] for x86_64 - Win64"   // compiler banner, 64-bit build
        $s5 = "FPC 3.0.4 [2019/04/13] for i386 - Win32"     // compiler banner, 32-bit build
        $s6 = "imageapplet.dat" wide
        $s7 = "wkssvmtx"

    condition:
        uint16(0) == 0x5A4D and (3 of them)    // MZ at offset 0 plus any three strings
}
// InvisiMole wrapper DLL: exports GetDataLength and carries two RCDATA
// resources named "RC2CL" and "RC2FM" (the embedded backdoor modules named in
// the description). pe.resources[].name_string is compared as raw UTF-16LE
// bytes, hence the interleaved \x00 in the literals. Requires `import "pe"`.
rule apt_Windows_InvisiMole_Wrapper_DLL {
    meta:
        description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    condition:
        pe.exports("GetDataLength") and
        // RCDATA resource whose name is UTF-16LE "RC2CL"
        for any y in (0..pe.number_of_resources - 1): (
            pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00C\x00L\x00"
        ) and
        // RCDATA resource whose name is UTF-16LE "RC2FM"
        for any y in (0..pe.number_of_resources - 1): (
            pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00F\x00M\x00"
        )
}
// InvisiMole DNS downloader: a PE file or InvisiMole blob that references
// DnsQuery_A and contains at least five of the marker strings. Strings marked
// `xor` are matched in every single-byte XOR variant, since the sample stores
// them obfuscated; the unmarked ones are expected in clear.
rule apt_Windows_InvisiMole_DNS_Downloader {

    meta:
        description = "InvisiMole DNS downloader"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $d = "DnsQuery_A"       // the DNS API the downloader relies on; mandatory in the condition

        // analysis-tool artefacts the sample looks for (Wireshark, TCPView and Process Monitor window classes)
        $s1 = "Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}" xor
        $s2 = "AddIns\\" ascii wide xor
        $s3 = "pcornomeex." xor
        $s4 = "weriahsek.rxe" xor
        $s5 = "dpmupaceex." xor
        $s6 = "TCPViewClass" xor
        $s7 = "PROCMON_WINDOW_CLASS" xor
        $s8 = "Key%C"
        $s9 = "AutoEx%C" xor
        $s10 = "MSO~"
        $s11 = "MDE~"
        $s12 = "DNS PLUGIN, Step %d" xor
        $s13 = "rundll32.exe \"%s\",StartUI"   // loads a DLL through rundll32 via its StartUI export

    condition:
        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $d and 5 of ($s*)
}
// InvisiMole RC2CL backdoor: a PE file or InvisiMole blob containing at least
// five of the wide marker strings below (module name, file-name prefixes,
// format strings, registry-style value names) or the 4-byte key $s5.
// $s5 is the same constant that apt_Windows_InvisiMole matches as $s3.
rule apt_Windows_InvisiMole_RC2CL_Backdoor {

    meta:
        description = "InvisiMole RC2CL backdoor"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "RC2CL" wide      // module name, also the resource name used by the wrapper DLL rule

        $s2 = "hp12KsNh92Dwd" wide
        $s3 = "ZLib package %s: files: %d, total size: %d" wide
        $s4 = "\\Un4seen" wide
        $s5 = {9E 01 3A AD} // encryption key

        // file-name prefixes
        $s6 = "~mrc_" wide
        $s7 = "~src_" wide
        $s8 = "~wbc_" wide
        $s9 = "zdf_" wide
        $s10 = "~S0PM" wide
        $s11 = "~A0FM" wide
        $s12 = "~70Z63\\" wide
        $s13 = "~E070C" wide
        $s14 = "~N031E" wide

        // output file-name format strings
        $s15 = "%szdf_%s.data" wide
        $s16 = "%spicture.crd" wide
        $s17 = "%s70zf_%s.cab" wide
        $s18 = "%spreview.crd" wide

        // value names
        $s19 = "Value_Bck" wide
        $s20 = "Value_WSFX_ZC" wide
        $s21 = "MachineAccessStateData" wide
        $s22 = "SettingsSR2" wide

    condition:
        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and 5 of ($s*)
}
// Generic InvisiMole rule: a PE file or InvisiMole blob whose code compares a
// value against one of the blob magics (the same four constants InvisiMole_Blob
// looks for at offset 0) and that also contains two of the marker strings
// (DPAPI imports, the 4-byte key, a C&C request format, a loader name).
rule apt_Windows_InvisiMole {

    meta:
        description = "InvisiMole magic values, keys and strings"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "CryptProtectData"    // DPAPI
        $s2 = "CryptUnprotectData"
        $s3 = {9E 01 3A AD}         // same key bytes as $s5 in the RC2CL backdoor rule
        $s4 = "GET /getversion2a/%d%.2X%.2X/U%sN HTTP/1.1"
        $s5 = "PULSAR_LOADER.dll"

        // the `3?` / `81 3?` opcode prefixes leave the register operand open
        /*
        cmp reg, 0DED0FFF9h
        */
        $check_magic_old_32 = {3? F9 FF D0 DE}

        /*
        cmp reg, 0DED0FF64h
        */
        $check_magic_old_64 = {3? 64 FF D0 DE}

        /*
        cmp dword ptr [reg], 0CE11DA86h
        */
        $check_magic_new_32 = {81 3? 86 DA 11 CE}

        /*
        cmp dword ptr [reg], 0CE11DA64h
        */
        $check_magic_new_64 = {81 3? 64 DA 11 CE}

    condition:
        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and (any of ($check_magic*)) and (2 of ($s*))
}
// InvisiMole C&C infrastructure indicators (IP addresses and domains) inside a
// PE file or InvisiMole blob. Short domains carry `fullword` to avoid matching
// inside unrelated text.
// NOTE(review): the condition `$s21 and any of them` is logically equivalent to
// `$s21` alone, because $s21 already satisfies `any of them`; as written the
// other 24 indicators never influence the verdict. Confirm whether the intent
// was `any of them` (broader, more false-positive prone) or the current
// narrow form. Also $s17 and $s25 are the same string.
rule apt_Windows_InvisiMole_C2 {

    meta:
        description = "InvisiMole C&C servers"
        author = "ESET Research"
        date = "2021-05-17"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "46.165.220.228" ascii wide
        $s2 = "80.255.3.66" ascii wide
        $s3 = "85.17.26.174" ascii wide
        $s4 = "185.193.38.55" ascii wide
        $s5 = "194.187.249.157" ascii wide
        $s6 = "195.154.255.211" ascii wide
        $s7 = "153.re" ascii wide fullword
        $s8 = "adstat.red" ascii wide
        $s9 = "adtrax.net" ascii wide
        $s10 = "akamai.sytes.net" ascii wide
        $s11 = "amz-eu401.com" ascii wide
        $s12 = "blabla234342.sytes.net" ascii wide
        $s13 = "mx1.be" ascii wide fullword
        $s14 = "statad.de" ascii wide
        $s15 = "time.servehttp.com" ascii wide
        $s16 = "upd.re" ascii wide fullword
        $s17 = "update.xn--6frz82g" ascii wide    // duplicated as $s25
        $s18 = "updatecloud.sytes.net" ascii wide
        $s19 = "updchecking.sytes.net" ascii wide
        $s20 = "wlsts.net" ascii wide
        $s21 = "ro2.host" ascii wide fullword      // the only string the condition actually requires
        $s22 = "2ld.xyz" ascii wide fullword
        $s23 = "the-haba.com" ascii wide
        $s24 = "82.202.172.134" ascii wide
        $s25 = "update.xn--6frz82g" ascii wide    // duplicate of $s17

    condition:
        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $s21 and any of them
}
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//

import "pe"
// Rich-header profile shared by the SparklingGoblin ChaCha20 loaders: a Rich
// signature 104..112 bytes long with specific (tool id, build number) entry
// counts. pe.rich_signature.toolid(id, version) returns how many times that
// entry occurs in the header. Requires `import "pe"`. A toolchain-based rule
// like this also matches any unrelated binary built with the same toolchain
// mix, so treat hits as a pivot rather than a verdict.
rule SparklingGoblin_ChaCha20Loader_RichHeader
{
    meta:
        author = "ESET Research"
        copyright = "ESET Research"
        description = "Rule matching ChaCha20 loaders rich header"
        date = "2021-03-30"
        reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

        hash = "09FFE37A54BC4EBEBD8D56098E4C76232F35D821"
        hash = "29B147B76BB0D9E09F7297487CB972E6A2905586"
        hash = "33F2C3DE2457B758FC5824A2B253AD7C7C2E9E37"
        hash = "45BEF297CE78521EAC6EE39E7603E18360E67C5A"
        hash = "4CEC7CDC78D95C70555A153963064F216DAE8799"
        hash = "4D4C1A062A0390B20732BA4D65317827F2339B80"
        hash = "4F6949A4906B834E83FF951E135E0850FE49D5E4"

    condition:
        pe.rich_signature.length >= 104 and pe.rich_signature.length <= 112 and
        pe.rich_signature.toolid(241, 40116) >= 5 and pe.rich_signature.toolid(241, 40116) <= 10 and
        pe.rich_signature.toolid(147, 30729) == 11 and
        pe.rich_signature.toolid(264, 24215) >= 15 and pe.rich_signature.toolid(264, 24215) <= 16
}
// SparklingGoblin's ChaCha20 implementations, matched by compiled code
// fragments of the quarter-round and of the constant setup. Any one chunk is
// enough, bounded to files under 450 KB. `??` marks stack displacements that
// vary between builds.
rule SparklingGoblin_ChaCha20
{
    meta:
        author = "ESET Research"
        copyright = "ESET Research"
        description = "SparklingGoblin ChaCha20 implementations"
        date = "2021-05-20"
        reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

        hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
        hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
        hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
        hash = "4668302969FE122874FB2447A80378DCB671C86B"
        hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
        hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
        hash = "91B32E030A1F286E7D502CA17E107D4BFBD7394A"

    strings:
        // 32-bits version
        // One ChaCha quarter-round on a dword array indexed by ebx/ecx/edx/esi:
        // add [..], eax (01 04 xx) / mov eax, [..] (8B 04 xx) / xor eax, [..] (33 04 xx)
        // / rol eax, imm8 (C1 C0 xx) / mov [..], eax (89 04 xx). The rol immediates
        // 10, 0C, 08, 07 are the ChaCha rotation constants 16, 12, 8, 7.
        $chunk_1 = {
            8B 4D ??
            56
            8B 75 ??
            57
            8B 7D ??
            8B 04 BB
            01 04 93
            8B 04 B3
            33 04 93
            C1 C0 10
            89 04 B3
            01 04 8B
            8B 04 BB
            33 04 8B
            C1 C0 0C
            89 04 BB
            01 04 93
            8B 04 B3
            33 04 93
            C1 C0 08
            89 04 B3
            01 04 8B
            8B 04 BB
            33 04 8B
            C1 C0 07
            89 04 BB
        }
        // 64-bits version
        // Same add / xor / rol sequence with the state held in registers
        // (REX-prefixed 41/44/45 forms); the rol immediates 10, 0C, 08, 07 recur.
        $chunk_2 = {
            03 4D ??
            44 03 C0
            03 55 ??
            33 F1
            45 33 D8
            C1 C6 10
            44 33 F2
            41 C1 C3 10
            41 03 FB
            41 C1 C6 10
            45 03 E6
            41 03 DA
            44 33 CB
            44 03 EE
            41 C1 C1 10
            8B C7
            33 45 ??
            45 03 F9
            C1 C0 0C
            44 03 C0
            45 33 D8
            44 89 45 ??
            41 C1 C3 08
            41 03 FB
            44 8B C7
            44 33 C0
            41 8B C5
            33 45 ??
            C1 C0 0C
            03 C8
            41 C1 C0 07
            33 F1
            89 4D ??
            C1 C6 08
            44 03 EE
            41 8B CD
            33 C8
            41 8B C4
            33 45 ??
            C1 C0 0C
            03 D0
            C1 C1 07
            44 33 F2
            89 55 ??
            41 C1 C6 08
            45 03 E6
            41 8B D4
            33 D0
            41 8B C7
            41 33 C2
            C1 C2 07
            C1 C0 0C
            03 D8
            44 33 CB
            41 C1 C1 08
            45 03 F9
            45 8B D7
            44 33 D0
            8B 45 ??
            03 C1
            41 C1 C2 07
            44 33 C8
            89 45 ??
            41 C1 C1 10
            45 03 E1
            41 8B C4
            33 C1
            8B 4D ??
            C1 C0 0C
            03 C8
            44 33 C9
            89 4D ??
            89 4D ??
            41 C1 C1 08
            45 03 E1
            41 8B CC
            33 C8
            8B 45 ??
            C1 C1 07
            89 4D ??
            89 4D ??
            03 C2
            41 03 D8
            89 45 ??
            41 33 C3
            C1 C0 10
            44 03 F8
            41 8B CF
            33 CA
            8B 55 ??
        }
        // ChaCha20 constant built on the stack with four mov dword [rbp+disp8], imm32
        // (C7 45 ?? ..): the immediates 65 78 70 61 / 6E 64 20 33 / 32 2D 62 79 /
        // 74 65 20 6B are ASCII "expa" "nd 3" "2-by" "te k" == "expand 32-byte k".
        $chunk_3 = {
            C7 45 ?? 65 78 70 61
            4C 8D 45 ??
            C7 45 ?? 6E 64 20 33
            4D 8B F9
            C7 45 ?? 32 2D 62 79
            4C 2B C1
            C7 45 ?? 74 65 20 6B
        }
        // Assembles a 32-bit word from four individual bytes (movzx 0F B6 / shl ecx,8
        // C1 E1 08 / or 0B C8), stores it (41 89 0C 10), advances the source pointer
        // and decrements a counter (49 83 E9 01) -- a byte-to-word loading loop.
        $chunk_4 = {
            0F B6 02
            0F B6 4A ??
            C1 E1 08
            0B C8
            0F B6 42 ??
            C1 E1 08
            0B C8
            0F B6 42 ??
            C1 E1 08
            0B C8
            41 89 0C 10
            48 8D 52 ??
            49 83 E9 01
        }
        // 64-bits version
        // Longer register-resident variant of the quarter-round sequence (a different
        // register allocation than $chunk_2); same 10 / 0C / 08 / 07 rotations.
        $chunk_5 = {
            03 4D ??
            44 03 C0
            03 55 ??
            33 F1
            41 33 F8
            C1 C6 10
            44 33 F2
            C1 C7 10
            44 03 DF
            41 C1 C6 10
            45 03 E6
            44 03 CB
            45 33 D1
            44 03 EE
            41 C1 C2 10
            41 8B C3
            33 45 ??
            45 03 FA
            C1 C0 0C
            44 03 C0
            41 33 F8
            44 89 45 ??
            C1 C7 08
            44 03 DF
            45 8B C3
            44 33 C0
            41 8B C5
            33 45 ??
            C1 C0 0C
            03 C8
            41 C1 C0 07
            33 F1
            89 4D ??
            C1 C6 08
            44 03 EE
            41 8B CD
            33 C8
            41 8B C4
            33 45 ??
            C1 C0 0C
            03 D0
            C1 C1 07
            44 33 F2
            89 55 ??
            41 C1 C6 08
            45 03 E6
            41 8B D4
            33 D0
            41 8B C7
            33 C3
            C1 C2 07
            C1 C0 0C
            44 03 C8
            45 33 D1
            41 C1 C2 08
            45 03 FA
            41 8B DF
            33 D8
            8B 45 ??
            03 C1
            C1 C3 07
            44 33 D0
            89 45 ??
            41 C1 C2 10
            45 03 E2
            41 8B C4
            33 C1
            8B 4D ??
            C1 C0 0C
            03 C8
            44 33 D1
            89 4D ??
            89 4D ??
            41 C1 C2 08
            45 03 E2
            41 8B CC
            33 C8
            8B 45 ??
            C1 C1 07
            89 4D ??
            89 4D ??
            03 C2
            45 03 C8
            89 45 ??
            33 C7
            C1 C0 10
            44 03 F8
            41 8B CF
            33 CA
            8B 55 ??
            C1 C1 0C
            03 D1
            8B FA
            89 55 ??
            33 F8
            89 55 ??
            8B 55 ??
            03 D3
            C1 C7 08
            44 03 FF
            41 8B C7
            33 C1
            C1 C0 07
            89 45 ??
            89 45 ??
            8B C2
            33 C6
            C1 C0 10
            44 03 D8
            41 33 DB
            C1 C3 0C
            03 D3
            8B F2
            89 55 ??
            33 F0
            41 8B C1
            41 33 C6
            C1 C6 08
            C1 C0 10
            44 03 DE
            44 03 E8
            41 33 DB
            41 8B CD
            C1 C3 07
            41 33 C8
            44 8B 45 ??
            C1 C1 0C
            44 03 C9
            45 8B F1
            44 33 F0
            41 C1 C6 08
            45 03 EE
            41 8B C5
            33 C1
            8B 4D ??
            C1 C0 07
        }

    condition:
        // the size cap keeps the code-pattern scan away from large, unrelated binaries
        any of them and filesize < 450KB

}
// Code that patches EtwEventWrite in memory (an ETW-blinding technique): the
// chunks capture the stub bytes being staged on the stack and the surrounding
// protect / copy / restore call sequence. The exact API targets are behind
// `FF 15 ?? ?? ?? ??` indirect calls, so they are inferred, not matched.
// Detection-wise the stub bytes (48 31 C0 C3 and C2 14 00) are the strongest
// part of the patterns; $chunk_2 also hard-codes absolute addresses
// (68 08 1A 41 00 / 68 10 1A 41 00), which ties it to one specific build.
rule SparklingGoblin_EtwEventWrite
{
    meta:
        author = "ESET Research"
        copyright = "ESET Research"
        description = "SparklingGoblin EtwEventWrite patching"
        date = "2021-05-20"
        reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

        hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
        hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
        hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
        hash = "4668302969FE122874FB2447A80378DCB671C86B"
        hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
        hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"

    strings:
        // 64-bits version
        // `C7 44 24 ?? 48 31 C0 C3` writes the 4-byte stub 48 31 C0 C3 = xor rax,rax ; ret
        // to a stack slot; two lea/call-indirect pairs resolve the target address;
        // `BF 04 00 00 00` (mov edi, 4) is the stub length reused by the later calls.
        // The `83 64 24 ?? 00` / `4C 8D 4C 24 ??` (zeroed out-param, lea r9) plus
        // `E8 ..` copy call is consistent with a protect / copy / restore sequence -- inferred.
        $chunk_1 = {
            48 8D 0D ?? ?? ?? ??
            C7 44 24 ?? 48 31 C0 C3
            FF 15 ?? ?? ?? ??
            48 8B C8
            48 8D 15 ?? ?? ?? ??
            FF 15 ?? ?? ?? ??
            83 64 24 ?? 00
            4C 8D 4C 24 ??
            BF 04 00 00 00
            48 8B C8
            8B D7
            48 8B D8
            44 8D 47 ??
            FF 15 ?? ?? ?? ??
            44 8B C7
            48 8D 54 24 ??
            48 8B CB
            E8 ?? ?? ?? ??
            44 8B 44 24 ??
            4C 8D 4C 24 ??
            8B D7
            48 8B CB
            FF 15 ?? ?? ?? ??
            48 8B 05 ?? ?? ?? ??
        }
        // 32-bits version
        // `66 C7 45 ?? C2 14` + `C6 45 ?? 00` stage the 3-byte stub C2 14 00 = ret 0x14
        // on the stack; `6A 40` / `6A 03` push 0x40 and 3 (stub length) before an
        // indirect call, `E8 .. / 83 C4 0C` is a 3-argument cdecl copy, and the final
        // `FF 75 ?? 6A 03 57 FF 15` re-applies the saved value -- consistent with
        // protect / memcpy / restore (inferred). The push imm32 values 0x411A08 and
        // 0x411A10 are absolute addresses, i.e. build-specific.
        $chunk_2 = {
            55
            8B EC
            51
            51
            57
            68 08 1A 41 00
            66 C7 45 ?? C2 14
            C6 45 ?? 00
            FF 15 ?? ?? ?? ??
            68 10 1A 41 00
            50
            FF 15 ?? ?? ?? ??
            83 65 ?? 00
            8B F8
            8D 45 ??
            50
            6A 40
            6A 03
            57
            FF 15 ?? ?? ?? ??
            6A 03
            8D 45 ??
            50
            57
            E8 ?? ?? ?? ??
            83 C4 0C
            8D 45 ??
            50
            FF 75 ??
            6A 03
            57
            FF 15 ?? ?? ?? ??
        }
        // 64-bits version
        // Prefix of $chunk_1 (its first six instructions): a looser match for builds
        // whose code after the address resolution differs.
        $chunk_3 = {
            48 8D 0D ?? ?? ?? ??
            C7 44 24 ?? 48 31 C0 C3
            FF 15 ?? ?? ?? ??
            48 8B C8
            48 8D 15 ?? ?? ?? ??
            FF 15 ?? ?? ?? ??
        }

    condition:
        any of them
}
// Mutex names used by the SparklingGoblin ChaCha20 loaders. Either name is
// sufficient; there is no PE or size gate, so this also fires on memory dumps
// or any other file containing the literal string.
rule SparklingGoblin_Mutex
{
    meta:
        author = "ESET Research"
        copyright = "ESET Research"
        description = "SparklingGoblin ChaCha20 loaders mutexes"
        date = "2021-05-20"
        reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

        hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
        hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
        hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
        hash = "4668302969FE122874FB2447A80378DCB671C86B"
        hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
        hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"

    strings:
        $mutex_1 = "kREwdFrOlvASgP4zWZyV89m6T2K0bIno"
        $mutex_2 = "v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw"

    condition:
        any of them
}
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2018, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//

// Identifies an OpenSSH client binary (backdoored or not) by its usage text.
// $old_version covers older releases whose usage line differs. Used as a gate
// by ssh_binary so the family rules only inspect actual SSH programs.
private rule ssh_client : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH client (ssh)"
        author = "Marc-Etienne M.Leveille"
        email = "leveille@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: ssh ["
        $old_version = "-L listen-port:host:port"

    condition:
        $usage or $old_version
}
// Identifies an OpenSSH server binary (sshd, backdoored or not) by its usage
// text or an older help string. Gate for the family rules via ssh_binary.
private rule ssh_daemon : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH daemon (sshd)"
        author = "Marc-Etienne M.Leveille"
        email = "leveille@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: sshd ["
        $old_version = "Listen on the specified port (default: 22)"

    condition:
        $usage or $old_version
}
// Identifies ssh-add (backdoored or not). Its usage format is generic
// ("usage: %s [options] [file ...]"), so the agent-connection error message
// is required as well to avoid matching unrelated programs.
private rule ssh_add : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH add (ssh-add)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: %s [options] [file ...]\n"
        $log = "Could not open a connection to your authentication agent.\n"

    condition:
        $usage and $log
}
// Identifies ssh-agent (backdoored or not) by its usage format string alone.
// NOTE(review): this is a fairly generic usage line and, unlike the other
// ssh_* helpers, the rule has no second string to corroborate it; it is also
// not referenced by ssh_binary below -- confirm whether that is intentional.
private rule ssh_agent : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH agent (ssh-agent)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: %s [options] [command [arg ...]]"

    condition:
        $usage
}
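// Identifies ssh-askpass (backdoored or not) by its passphrase prompt together
// with its X11 grab-failure warning. Gate for the family rules via ssh_binary.
private rule ssh_askpass : sshdoor {
    meta:
        // description fixed: it was copy-pasted from ssh_daemon and named sshd
        description = "Signature to match the clean (or not) OpenSSH askpass (ssh-askpass)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $pass = "Enter your OpenSSH passphrase:"
        $log = "Could not grab %s. A malicious client may be eavesdropping on you"

    condition:
        $pass and $log
}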
// Identifies ssh-keygen (backdoored or not) by its passphrase prompt together
// with a key-revocation error message. Gate for the family rules via ssh_binary.
private rule ssh_keygen : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH keygen (ssh-keygen)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $pass = "Enter new passphrase (empty for no passphrase):"
        $log = "revoking certificates by key ID requires specification of a CA key"

    condition:
        $pass and $log
}
// Identifies ssh-keyscan (backdoored or not) by its option-specific usage line.
// Gate for the family rules via ssh_binary.
private rule ssh_keyscan : sshdoor {
    meta:
        description = "Signature to match the clean (or not) OpenSSH keyscan (ssh-keyscan)"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        $usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]"

    condition:
        $usage
}
// Umbrella gate: true for any recognised OpenSSH program, so the family rules
// below (abafar, akiva, ...) only fire on files that look like SSH binaries.
// NOTE(review): ssh_agent is defined above but not included here, so a
// backdoored ssh-agent would never reach the family rules -- confirm whether
// that omission is deliberate (e.g. because its usage string is generic).
private rule ssh_binary : sshdoor {
    meta:
        description = "Signature to match any clean (or not) SSH binary"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"

    condition:
        ssh_client or ssh_daemon or ssh_add or ssh_askpass or ssh_keygen or ssh_keyscan
}
// Heuristic for "string stacking": a long run of consecutive immediate-to-stack
// stores (mov [ebp+off], imm / mov [esp+off], imm), the pattern compilers emit
// when a string is built on the stack one byte/dword at a time so it never
// appears contiguously in the binary. Each regex requires 20-25 back-to-back
// stores; `.` stands for the variable displacement and immediate bytes.
// NOTE(review): in YARA regexes `.` does not match 0x0A unless the `s`
// (dot-all) modifier is used -- confirm; a displacement or immediate byte of
// 0x0A would break a run and hide an otherwise matching sequence.
private rule stack_string {
    meta:
        description = "Rule to detect use of string-stacking"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"

    strings:
        // single byte offset from base pointer
        //   C6 45 <disp8> <imm8>   = mov byte ptr [ebp+disp8], imm8   (x25)
        $bp = /(\xC6\x45.{2}){25}/
        // dword ss with single byte offset from base pointer
        //   C7 45 <disp8> <imm32>  = mov dword ptr [ebp+disp8], imm32 (x20)
        $bp_dw = /(\xC7\x45.{5}){20}/
        // 4-bytes offset from base pointer
        //   C6 85 <disp32> <imm8>  = mov byte ptr [ebp+disp32], imm8  (x25)
        $bp_off = /(\xC6\x85.{5}){25}/
        // single byte offset from stack pointer
        //   C6 44 24 <disp8> <imm8>  = mov byte ptr [esp+disp8], imm8  (x25)
        $sp = /(\xC6\x44\x24.{2}){25}/
        // 4-bytes offset from stack pointer
        //   C6 84 24 <disp32> <imm8> = mov byte ptr [esp+disp32], imm8 (x25)
        $sp_off = /(\xC6\x84\x24.{5}){25}/

    condition:
        any of them
}
// Abafar family. Gated on ssh_binary; either of the two printf-style format
// strings is sufficient (both look like credential-log formats, see reference).
rule abafar
{
    meta:
        description = "Rule to detect Abafar family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log_c = "%s:%s@%s"
        $log_d = "%s:%s from %s"

    condition:
        ssh_binary and ($log_c or $log_d)
}
// Akiva family. Single regex for the "To:"/"From:" log-line format, gated on
// ssh_binary.
rule akiva
{
    meta:
        description = "Rule to detect Akiva family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        // Optional "%s - " middle group covers both observed variants of the format.
        $log = /(To|From):\s(%s\s\-\s)?%s:%s\n/

    condition:
        ssh_binary and all of them
}
// Alderaan family. Single regex for the "login in:" / "login at:" log-line
// format, gated on ssh_binary.
rule alderaan
{
    meta:
        description = "Rule to detect Alderaan family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log = /login\s(in|at):\s(%s\s)?%s:%s\n/

    condition:
        ssh_binary and all of them
}
// Ando family. Both $s strings are mandatory; then either the fopen64 import
// name or both of the "cat " / "mail -s" fragments must be present.
rule ando
{
    meta:
        description = "Rule to detect Ando family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $s1 = "%s:%s\n"
        $s2 = "HISTFILE"
        $i  = "fopen64"
        $m1 = "cat "
        $m2 = "mail -s"

    condition:
        ssh_binary and $s1 and $s2 and ($i or ($m1 and $m2))
}
// Anoat family. One distinctive log format string, gated on ssh_binary.
rule anoat
{
    meta:
        description = "Rule to detect Anoat family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log = "%s at: %s | user: %s, pass: %s\n"

    condition:
        ssh_binary and all of them
}
// Atollon family. Requires an SSH binary, the string-stacking pattern
// (private rule stack_string) and all four strings below.
rule atollon
{
    meta:
        description = "Rule to detect Atollon family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        // OpenSSL symbol names plus a very short log format and the urandom path.
        $f1   = "PEM_read_RSA_PUBKEY"
        $f2   = "RAND_add"
        $log  = "%s:%s"
        $rand = "/dev/urandom"

    condition:
        ssh_binary and stack_string and $f1 and $f2 and $log and $rand
}
// Batuu family. Either the argv-dump format or the readpass log format
// suffices, gated on ssh_binary.
rule batuu
{
    meta:
        description = "Rule to detect Batuu family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $args = "ssh: ~(av[%d]: %s\n)"
        $log  = "readpass: %s\n"

    condition:
        ssh_binary and ($args or $log)
}
// Bespin family. All three fragments are generic on their own (a strftime
// format and two tiny printf formats); the ssh_binary gate and the
// conjunction are what give the rule its precision.
rule bespin
{
    meta:
        description = "Rule to detect Bespin family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log1 = "%Y-%m-%d %H:%M:%S"
        $log2 = "%s %s%s"
        $log3 = "[%s]"

    condition:
        ssh_binary and $log1 and $log2 and $log3
}
// Bonadan family. Any one of the six strings is enough (gated on ssh_binary).
rule bonadan
{
    meta:
        description = "Rule to detect Bonadan family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        // Symbol / file names.
        $s1 = "g_server"
        $s2 = "mine.sock"
        $s3 = "tspeed"
        // Report formats and a hostname; see the reference for context.
        $e1 = "6106#x=%d#%s#%s#speed=%s"
        $e2 = "usmars.mynetgear.com"
        $e3 = "user=%s#os=%s#eip=%s#cpu=%s#mem=%s"

    condition:
        ssh_binary and 1 of them
}
// Borleias family. A single timestamped log format, gated on ssh_binary.
rule borleias
{
    meta:
        description = "Rule to detect Borleias family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log = "%Y-%m-%d %H:%M:%S [%s]"

    condition:
        ssh_binary and $log
}
// Chandrila family. Requires both the log format and a 4-byte constant.
rule chandrila
{
    meta:
        description = "Rule to detect Chandrila family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log   = "S%s %s:%s"
        // Constant observed in the family; meaning not documented here.
        $magic = { 05 71 92 7D }

    condition:
        ssh_binary and $log and $magic
}
// Coruscant family. "POST" and "HTTP/1.1" are generic; the conjunction with
// the "%s:%s@%s\n" format and the ssh_binary gate carries the precision.
rule coruscant
{
    meta:
        description = "Rule to detect Coruscant family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $s1 = "%s:%s@%s\n"
        $s2 = "POST"
        $s3 = "HTTP/1.1"

    condition:
        ssh_binary and $s1 and $s2 and $s3
}
// Crait family. Matches on two of three libc symbol names inside an SSH
// binary. These symbols are common, so this rule is comparatively weak on
// its own — treat hits as a triage signal rather than a verdict.
rule crait
{
    meta:
        description = "Signature to detect Crait family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $i1 = "flock"
        $i2 = "fchmod"
        $i3 = "sendto"

    condition:
        ssh_binary and 2 of ($i*)
}
// Endor family. Requires "user: %s" and, within 20 bytes after its FIRST
// occurrence (@u is the offset of the first match), "password: %s".
rule endor
{
    meta:
        description = "Rule to detect Endor family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $u = "user: %s"
        $p = "password: %s"

    condition:
        ssh_binary and $u and ($p in (@u..@u+20))
}
// Jakuu family. The log format and gethostbyname are mandatory; then one of:
// the plaintext GET request regex, both strings seen in the encrypted-string
// variant, or the 32-byte constant labelled $rc4 by the author.
rule jakuu
{
    meta:
        description = "Rule to detect Jakuu family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        notes = "Strings can be encrypted"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $dec  = /GET\s\/\?(s|c)id=/
        $enc1 = "getifaddrs"
        $enc2 = "usleep"
        $ns   = "gethostbyname"
        $log  = "%s:%s"
        $rc4  = { A1 71 31 17 11 1A 22 27 55 00 66 A3 10 FE C2 10 22 32 6E 95 90 84 F9 11 73 62 95 5F 4D 3B DB DC }

    condition:
        ssh_binary and $log and $ns and ($dec or ($enc1 and $enc2) or $rc4)
}
// Kamino family. Five of the eight log-file paths plus three of the four
// symbol names, inside an SSH binary.
rule kamino
{
    meta:
        description = "Rule to detect Kamino family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        // System log paths referenced by the sample set.
        $s1 = "/var/log/wtmp"
        $s2 = "/var/log/secure"
        $s3 = "/var/log/auth.log"
        $s4 = "/var/log/messages"
        $s5 = "/var/log/audit/audit.log"
        $s6 = "/var/log/httpd-access.log"
        $s7 = "/var/log/httpd-error.log"
        $s8 = "/var/log/xferlog"
        // OpenSSL / libc symbol names.
        $i1 = "BIO_f_base64"
        $i2 = "PEM_read_bio_RSA_PUBKEY"
        $i3 = "srand"
        $i4 = "gethostbyname"

    condition:
        ssh_binary and 5 of ($s*) and 3 of ($i*)
}
// Kessel family. Any of: two report formats ($s*), two of the symbol names
// ($i*), or the key string labelled $rc4 — all gated on ssh_binary.
rule kessel
{
    meta:
        description = "Rule to detect Kessel family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $rc4 = "Xee5chu1Ohshasheed1u"
        $s1  = "ssh:%s:%s:%s:%s"
        $s2  = "sshkey:%s:%s:%s:%s:%s"
        $s3  = "sshd:%s:%s"
        $i1  = "spy_report"
        $i2  = "protoShellCMD"
        $i3  = "protoUploadFile"
        $i4  = "protoSendReport"
        $i5  = "tunRecvDNS"
        $i6  = "tunPackMSG"

    condition:
        ssh_binary and ($rc4 or 2 of ($s*) or 2 of ($i*))
}
// Mimban family. Two of three "|||"-delimited formats / PEM header plus two
// of three symbol names, inside an SSH binary.
rule mimban
{
    meta:
        description = "Rule to detect Mimban family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $s1 = "<|||%s|||%s|||%d|||>"
        $s2 = />\|\|\|%s\|\|\|%s\|\|\|\d\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|</
        $s3 = "-----BEGIN PUBLIC KEY-----"
        $i1 = "BIO_f_base64"
        $i2 = "PEM_read_bio_RSA_PUBKEY"
        $i3 = "gethostbyname"

    condition:
        ssh_binary and 2 of ($s*) and 2 of ($i*)
}
// Ondaron family. Either the daemon-side or the client-side log format.
rule ondaron
{
    meta:
        description = "Rule to detect Ondaron family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $daemon = "user:password --> %s:%s\n"
        $client = /user(,|:)(a,)?password@host \-\-> %s(,|:)(b,)?%s@%s\n/

    condition:
        ssh_binary and any of them
}
// Polis Massa family. One regex covering the family's tab-separated
// "<label>: %s[:%d] \t<label>: %s \t<label>: %s" log format.
rule polis_massa
{
    meta:
        description = "Rule to detect Polis Massa family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log = /\b\w+(:|\s-+>)\s%s(:%d)?\s\t(\w+)?:\s%s\s\t(\w+)?:\s%s/

    condition:
        ssh_binary and all of them
}
// Quarren family. Single "h:/u:/p:" log format string, gated on ssh_binary.
rule quarren
{
    meta:
        description = "Rule to detect Quarren family"
        author = "Hugo Porcher"
        email = "hugo.porcher@eset.com"
        date = "2018-12-05"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        license = "BSD 2-Clause"

    strings:
        $log = "h: %s, u: %s, p: %s\n"

    condition:
        ssh_binary and all of them
}
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
// Private gate for the IIS_Group* rules: an MZ file that exports
// "RegisterModule" (the entry point every IIS native module exposes) and
// contains at least one CHttpModule/CGlobalModule event-handler name.
// Clean modules match too; the family rules below add the malicious traits.
private rule IIS_Native_Module
{
    meta:
        description = "Signature to match an IIS native module (clean or malicious)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $e1  = "This module subscribed to event"
        // Request-level notification handlers.
        $e2  = "CHttpModule::OnBeginRequest"
        $e3  = "CHttpModule::OnPostBeginRequest"
        $e4  = "CHttpModule::OnAuthenticateRequest"
        $e5  = "CHttpModule::OnPostAuthenticateRequest"
        $e6  = "CHttpModule::OnAuthorizeRequest"
        $e7  = "CHttpModule::OnPostAuthorizeRequest"
        $e8  = "CHttpModule::OnResolveRequestCache"
        $e9  = "CHttpModule::OnPostResolveRequestCache"
        $e10 = "CHttpModule::OnMapRequestHandler"
        $e11 = "CHttpModule::OnPostMapRequestHandler"
        $e12 = "CHttpModule::OnAcquireRequestState"
        $e13 = "CHttpModule::OnPostAcquireRequestState"
        $e14 = "CHttpModule::OnPreExecuteRequestHandler"
        $e15 = "CHttpModule::OnPostPreExecuteRequestHandler"
        $e16 = "CHttpModule::OnExecuteRequestHandler"
        $e17 = "CHttpModule::OnPostExecuteRequestHandler"
        $e18 = "CHttpModule::OnReleaseRequestState"
        $e19 = "CHttpModule::OnPostReleaseRequestState"
        $e20 = "CHttpModule::OnUpdateRequestCache"
        $e21 = "CHttpModule::OnPostUpdateRequestCache"
        $e22 = "CHttpModule::OnLogRequest"
        $e23 = "CHttpModule::OnPostLogRequest"
        $e24 = "CHttpModule::OnEndRequest"
        $e25 = "CHttpModule::OnPostEndRequest"
        $e26 = "CHttpModule::OnSendResponse"
        $e27 = "CHttpModule::OnMapPath"
        $e28 = "CHttpModule::OnReadEntity"
        $e29 = "CHttpModule::OnCustomRequestNotification"
        $e30 = "CHttpModule::OnAsyncCompletion"
        // Global (server-level) notification handlers.
        $e31 = "CGlobalModule::OnGlobalStopListening"
        $e32 = "CGlobalModule::OnGlobalCacheCleanup"
        $e33 = "CGlobalModule::OnGlobalCacheOperation"
        $e34 = "CGlobalModule::OnGlobalHealthCheck"
        $e35 = "CGlobalModule::OnGlobalConfigurationChange"
        $e36 = "CGlobalModule::OnGlobalFileChange"
        $e37 = "CGlobalModule::OnGlobalApplicationStart"
        $e38 = "CGlobalModule::OnGlobalApplicationResolveModules"
        $e39 = "CGlobalModule::OnGlobalApplicationStop"
        $e40 = "CGlobalModule::OnGlobalRSCAQuery"
        $e41 = "CGlobalModule::OnGlobalTraceEvent"
        $e42 = "CGlobalModule::OnGlobalCustomNotification"
        $e43 = "CGlobalModule::OnGlobalThreadCleanup"
        $e44 = "CGlobalModule::OnGlobalApplicationPreload"

    condition:
        // "MZ" little-endian at offset 0, then the export check from the pe module.
        uint16(0) == 0x5A4D and pe.exports("RegisterModule") and 1 of ($e*)
}
// Group 1 (IIS-Raid derivatives): three of the command/word tokens ($s*)
// plus one of the artefact paths or custom header names ($p*), on top of the
// IIS_Native_Module gate.
rule IIS_Group01_IISRaid
{
    meta:
        description = "Detects Group 1 native IIS malware family (IIS-Raid derivates)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1  = "cmd.exe" ascii wide
        $s2  = "CMD"
        $s3  = "PIN"
        $s4  = "INJ"
        $s5  = "DMP"
        $s6  = "UPL"
        $s7  = "DOW"
        $s8  = "C:\\Windows\\System32\\credwiz.exe" ascii wide

        $p1  = "C:\\Windows\\Temp\\creds.db"
        $p2  = "C:\\Windows\\Temp\\thumbs.db"
        $p3  = "C:\\Windows\\Temp\\AAD30E0F.tmp"
        $p4  = "X-Chrome-Variations"
        $p5  = "X-Cache"
        $p6  = "X-Via"
        $p7  = "COM_InterProt"
        $p8  = "X-FFEServer"
        $p9  = "X-Content-Type-Options"
        $p10 = "Strict-Transport-Security"
        $p11 = "X-Password"
        $p12 = "XXXYYY-Ref"
        $p13 = "X-BLOG"
        $p14 = "X-BlogEngine"

    condition:
        IIS_Native_Module and 3 of ($s*) and 1 of ($p*)
}
// Group 2: three of six strings (PDB paths, two parameter-parsing regex
// sources, a type-descriptor name) inside an IIS native module.
rule IIS_Group02
{
    meta:
        description = "Detects Group 2 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1 = "HttpModule.pdb" ascii wide
        $s2 = "([\\w+%]+)=([^&]*)"
        $s3 = "([\\w+%]+)=([^!]*)"
        $s4 = "cmd.exe"
        $s5 = "C:\\Users\\Iso\\Documents\\Visual Studio 2013\\Projects\\IIS 5\\x64\\Release\\Vi.pdb" ascii wide
        $s6 = "AVRSAFunction"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 3: three of four strings (module name, two Win32 API names, a custom
// header) inside an IIS native module.
rule IIS_Group03
{
    meta:
        description = "Detects Group 3 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1 = "IIS-Backdoor.dll"
        $s2 = "CryptStringToBinaryA"
        $s3 = "CreateProcessA"
        $s4 = "X-Cookie"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 4 (RGDoor): either the session-cookie marker alone, or all four
// command tokens, inside an IIS native module. Two "reference" entries are
// intentional (the ESET write-up and the Unit 42 report).
rule IIS_Group04_RGDoor
{
    meta:
        description = "Detects Group 4 native IIS malware family (RGDoor)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"
        reference = "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"

    strings:
        $i1 = "RGSESSIONID="
        $s2 = "upload$"
        $s3 = "download$"
        $s4 = "cmd$"
        $s5 = "cmd.exe"

    condition:
        IIS_Native_Module and ($i1 or ($s2 and $s3 and $s4 and $s5))
}
// Group 5 (IIStealer): three of twelve strings. $s11/$s12 are the stacked
// UTF-16 forms of two of the URL paths (mov dword [reg+disp8], imm32 runs;
// the "??" byte is the ModRM/displacement that varies between builds).
rule IIS_Group05_IIStealer
{
    meta:
        description = "Detects Group 5 native IIS malware family (IIStealer)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1  = "tojLrGzFMbcDTKcH" ascii wide
        $s2  = "4vUOj3IutgtrpVwh" ascii wide
        $s3  = "SoUnRCxgREXMu9bM" ascii wide
        $s4  = "9Zr1Z78OkgaXj1Xr" ascii wide
        $s5  = "cache.txt" ascii wide
        $s6  = "/checkout/checkout.aspx" ascii wide
        $s7  = "/checkout/Payment.aspx" ascii wide
        $s8  = "/privacy.aspx"
        $s9  = "X-IIS-Data"
        $s10 = "POST"

        // string stacking of "/checkout/checkout.aspx"
        $s11 = {C7 ?? CF 2F 00 63 00 C7 ?? D3 68 00 65 00 C7 ?? D7 63 00 6B 00 C7 ?? DB 6F 00 75 00 C7 ?? DF 74 00 2F 00 C7 ?? E3 63 00 68 00 C7 ?? E7 65 00 63 00 C7 ?? EB 6B 00 6F 00 C7 ?? EF 75 00 74 00 C7 ?? F3 2E 00 61 00 C7 ?? F7 73 00 70 00 C7 ?? FB 78 00 00 00}

        // string stacking of "/privacy.aspx"
        $s12 = {C7 ?? AF 2F 00 70 00 C7 ?? B3 72 00 69 00 C7 ?? B7 76 00 61 00 C7 ?? BB 63 00 79 00 C7 ?? BF 2E 00 61 00 C7 ?? C3 73 00 70 00 C7 ?? C7 78 00 00 00}

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 6 (ISN): three of nine status/debug strings, a build path and the
// module file name, inside an IIS native module. Two "reference" entries
// are intentional.
rule IIS_Group06_ISN
{
    meta:
        description = "Detects Group 6 native IIS malware family (ISN)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"
        reference = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/"

    strings:
        $s1 = "isn7 config reloaded"
        $s2 = "isn7 config NOT reloaded, not found or empty"
        $s3 = "isn7 log deleted"
        $s4 = "isn7 log not deleted, ERROR 0x%X"
        $s5 = "isn7 log NOT found"
        $s6 = "isn_reloadconfig"
        $s7 = "D:\\soft\\Programming\\C++\\projects\\isapi\\isn7"
        $s8 = "get POST failed %d"
        $s9 = "isn7.dll"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 7 (IISpy): two of the command/credential path strings or API names
// ($s*) plus one of the header names or PNG markers ($t*). Note that the
// PNG header/IEND constants ($t5/$t6) and "Cookie" are generic — the $s*
// requirement carries the precision.
rule IIS_Group07_IISpy
{
    meta:
        description = "Detects Group 7 native IIS malware family (IISpy)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1 = "/credential/username"
        $s2 = "/credential/password"
        $s3 = "/computer/domain"
        $s4 = "/computer/name"
        $s5 = "/password"
        $s6 = "/cmd"
        $s7 = "%.8s%.8s=%.8s%.16s%.8s%.16s"
        $s8 = "ImpersonateLoggedOnUser"
        $s9 = "WNetAddConnection2W"

        $t1 = "X-Forwarded-Proto"
        $t2 = "Sec-Fetch-Mode"
        $t3 = "Sec-Fetch-Site"
        $t4 = "Cookie"
        // PNG IEND chunk (type + CRC)
        $t5 = {49 45 4E 44 AE 42 60 82}
        // PNG signature followed by the IHDR chunk length/type
        $t6 = {89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52}

    condition:
        IIS_Native_Module and 2 of ($s*) and 1 of ($t*)
}
// Group 8: one of the module/version markers ($i*) plus three of the
// operator-facing status strings or 16-hex-char constants ($s*).
rule IIS_Group08
{
    meta:
        description = "Detects Group 8 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $i1  = "FliterSecurity.dll"
        $i2  = "IIS7NativeModule.dll"
        $i3  = "Ver1.0."

        $s1  = "Cmd"
        $s2  = "Realy path : %s"
        $s3  = "Logged On Users : %d"
        $s4  = "Connect OK!"
        $s5  = "You are fucked!"
        $s6  = "Shit!Error"
        $s7  = "Where is the God!!"
        $s8  = "Shit!Download False!"
        $s9  = "Good!Run OK!"
        $s10 = "Shit!Run False!"
        $s11 = "Good!Download OK!"
        $s12 = "[%d]safedog"
        // 16-character hex constants; purpose not documented in this file.
        $s13 = "ed81bfc09d069121"
        $s14 = "a9478ef01967d190"
        $s15 = "af964b7479e5aea2"
        $s16 = "1f9e6526bea65b59"
        $s17 = "2b9e9de34f782d31"
        $s18 = "33cc5da72ac9d7bb"
        $s19 = "b1d71f4c2596cd55"
        $s20 = "101fb9d9e86d9e6c"

    condition:
        IIS_Native_Module and 1 of ($i*) and 3 of ($s*)
}
// Group 9: one of the $i* markers (module name, a 16-byte 0x56 filler, or
// XOR-encoded crawler/referrer lists) plus three of the $s* strings (type
// names, data-file names, query parameters, XOR-encoded URL prefixes).
// The "xor" modifier tries every single-byte key, so those strings are
// matched in either plain or encoded form.
rule IIS_Group09
{
    meta:
        description = "Detects Group 9 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $i1  = "FliterSecurity.dll"
        $i2  = {56565656565656565656565656565656}
        $i3  = "app|hot|alp|svf|fkj|mry|poc|doc|20" xor
        $i4  = "yisouspider|yisou|soso|sogou|m.sogou|sogo|sogou|so.com|baidu|bing|360" xor
        $i5  = "baidu|m.baidu|soso|sogou|m.sogou|sogo|sogou|so.com|google|youdao" xor
        $i6  = "118|abc|1go|evk" xor

        $s1  = "AVCFuckHttpModuleFactory"
        $s2  = "X-Forward"
        $s3  = "fuck32.dat"
        $s4  = "fuck64.dat"
        $s5  = "&ipzz1="
        $s6  = "&ipzz2="
        $s7  = "&uuu="

        $s8  = "http://20.3323sf.c" xor
        $s9  = "http://bj.whtjz.c" xor
        $s10 = "http://bj2.wzrpx.c" xor
        $s11 = "http://cs.whtjz.c" xor
        $s12 = "http://df.e652.c" xor
        $s13 = "http://dfcp.yyphw.c" xor
        $s14 = "http://es.csdsx.c" xor
        $s15 = "http://hz.wzrpx.c" xor
        $s16 = "http://id.3323sf.c" xor
        $s17 = "http://qp.008php.c" xor
        $s18 = "http://qp.nmnsw.c" xor
        $s19 = "http://sc.300bt.c" xor
        $s20 = "http://sc.wzrpx.c" xor
        $s21 = "http://sf2223.c" xor
        $s22 = "http://sx.cmdxb.c" xor
        $s23 = "http://sz.ycfhx.c" xor
        $s24 = "http://xpq.0660sf.c" xor
        $s25 = "http://xsc.b1174.c" xor

    condition:
        IIS_Native_Module and 1 of ($i*) and 3 of ($s*)
}
// Group 10: two of the crawler user-agent / search-engine domain strings
// ($e*) plus three of the module-specific strings ($s*: module name, HTML
// meta-tag regex sources, a script host and injected page titles).
rule IIS_Group10
{
    meta:
        description = "Detects Group 10 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1  = "IIS7.dll"
        $s2  = "<title>(.*?)title(.*?)>"
        $s3  = "<meta(.*?)name(.*?)=(.*?)keywords(.*?)>"
        $s4  = "<meta(.*?)name(.*?)=(.*?)description(.*?)>"
        $s5  = "js.breakavs.co"
        $s6  = "微信群-赛车PK10群【进群微信fun57644】_幸运飞艇_幸运28群"
        $s7  = "北京赛车微信群,北京微信赛车群,北京赛车微信群,PK10群,北京赛车pk10微信群,PK10微信群,赛车微信群,北京赛车群,"
        $s8  = "北京赛车微信群,北京微信赛车群【进群微信号fun57644】北京微信赛车群,北京微信赛车"

        $e1  = "Baiduspider"
        $e2  = "Sosospider"
        $e3  = "Sogou web spider"
        $e4  = "360Spider"
        $e5  = "YisouSpider"
        $e6  = "sogou.com"
        $e7  = "soso.com"
        $e8  = "uc.cn"
        $e9  = "baidu.com"
        $e10 = "sm.cn"

    condition:
        IIS_Native_Module and 3 of ($s*) and 2 of ($e*)
}
// Group 11: three of seven strings. $s4-$s7 are the on-disk forms of strings
// the sample obfuscates by adding 2 to each byte (so SUB 2 recovers them);
// the decoded values are given in the comments.
rule IIS_Group11
{
    meta:
        description = "Detects Group 11 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1 = "DnsQuery_A"
        $s2 = "&reurl="
        $s3 = "&jump=1"
        // encrypted "HTTP_cmd" (SUB 2)
        $s4 = "JVVRaeof"
        // encrypted "lanke88" (SUB 2)
        $s5 = "ncpmg::0"
        // encrypted "xinxx.allsoulu[.]com" (SUB 2)
        $s6 = "zkpzz0cnnuqwnw0eqo"
        // encrypted "http://www.allsoulu[.]com/1.php?cmdout=" (SUB 2)
        $s7 = "jvvr<11yyy0cnnuqwnw0eqo130rjrAeofqwv?"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 12: five of the 21 strings (19 text strings plus two hex patterns
// that the author labels as hard-coded hash values), inside an IIS native
// module. "[-]" in $b1/$b2 is an unbounded jump between the four dwords.
rule IIS_Group12
{
    meta:
        description = "Detects Group 12 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1  = "C:\\inetpub\\temp\\IIS Temporary Compressed Files\\"
        $s2  = "F5XFFHttpModule.dll"
        $s3  = "gtest_redir"
        $s4  = "\\cmd.exe" nocase
        // encrypted "http://" (ADD 1)
        $s5  = "iuuq;00"
        $s6  = "?xhost="
        $s7  = "&reurl="
        $s8  = "?jump=1"
        $s9  = "app|zqb"
        $s10 = "ifeng|ivc|sogou|so.com|baidu|google|youdao|yahoo|bing|118114|biso|gougou|sooule|360|sm|uc"
        $s11 = "sogou|so.com|baidu|google|youdao|yahoo|bing|gougou|sooule|360|sm.cn|uc"
        $s12 = "Hotcss/|Hotjs/"
        $s13 = "HotImg/|HotPic/"
        $s14 = "msf connect error !!"
        $s15 = "download ok !!"
        $s16 = "download error !! "
        $s17 = "param error !!"
        $s18 = "Real Path: "
        $s19 = "unknown cmd !"

        // hardcoded hash values
        $b1  = {15 BD 01 2E [-] 5E 40 08 97 [-] CF 8C BE 30 [-] 28 42 C6 3B}
        $b2  = {E1 0A DC 39 [-] 49 BA 59 AB [-] BE 56 E0 57 [-] F2 0F 88 3E}

    condition:
        IIS_Native_Module and 5 of them
}
// Group 13 (IISerpent): five of eleven strings (config path, host, config
// key names, control query parameters) inside an IIS native module.
// Identifier $s10 is unused in the original set; numbering kept as-is.
rule IIS_Group13_IISerpent
{
    meta:
        description = "Detects Group 13 native IIS malware family (IISerpent)"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $s1  = "/mconfig/lunlian.txt"
        $s2  = "http://sb.qrfy.ne"
        $s3  = "folderlinkpath"
        $s4  = "folderlinkcount"
        $s5  = "onlymobilespider"
        $s6  = "redirectreferer"
        $s7  = "loadSuccessfull : "
        $s8  = "spider"
        $s9  = "<a href="
        $s11 = "?ReloadModuleConfig=1"
        $s12 = "?DisplayModuleConfig=1"

    condition:
        IIS_Native_Module and 5 of them
}
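// Group 14: two of the module-specific markers ($i*), or five strings in
// total, inside an IIS native module.
//
// Fix: the original condition read
//     IIS_Native_Module and 2 of ($i*) or 5 of them
// and YARA's "and" binds tighter than "or", so the "5 of them" branch was
// evaluated on ANY file, without the IIS_Native_Module gate every other
// IIS_Group* rule has. Four of the five $s* strings are generic crawler
// user-agent fragments, so that branch could fire on unrelated software
// that merely handles search-engine traffic. The parentheses restore the
// gate for both branches.
rule IIS_Group14
{
    meta:
        description = "Detects Group 14 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        version = "1"
        license = "BSD 2-Clause"
        source = "https://github.com/eset/malware-ioc/"
        reference = "https://www.welivesecurity.com/"

    strings:
        $i1 = "agent-self: %s"
        $i2 = "/utf.php?key="
        $i3 = "/self.php?v="
        $i4 = "<script type=\"text/javascript\" src=\"//speed.wlaspsd.co"
        $i5 = "now.asmkpo.co"

        $s1 = "Baiduspider"
        $s2 = "360Spider"
        $s3 = "Sogou"
        $s4 = "YisouSpider"
        // $s5 is absent in the original rule; numbering kept as-is.
        $s6 = "HTTP_X_FORWARDED_FOR"

    condition:
        IIS_Native_Module and (2 of ($i*) or 5 of them)
}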
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2022, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
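rule apt_Windows_TA410_Tendyron_dropper
{
    meta:
        description = "TA410 Tendyron Dropper"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2020-12-09"

    strings:
        // Global\-namespace object names (presumably mutex/event names; not confirmed here).
        // $s2 also appears, as an ASCII string, in apt_Windows_TA410_Tendyron_installer.
        $s1 = "Global\\{F473B3BE-08EE-4710-A727-9E248F804F4A}" wide
        $s2 = "Global\\8D32CCB321B2" wide
        $s3 = "Global\\E4FE94F75490" wide
        // Paths / port names referenced by the dropper
        $s4 = "Program Files (x86)\\Internet Explorer\\iexplore.exe" wide
        $s5 = "\\RPC Control\\OLE" wide
        $s6 = "ALPC Port" wide

    condition:
        // MZ header check written with uint16 like the other rules in this file.
        // The original int16(0) == 0x5A4D yields the same result because 0x5A4D
        // is positive as a signed 16-bit value; matching is unchanged.
        uint16(0) == 0x5A4D and 4 of them
}
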
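rule apt_Windows_TA410_Tendyron_installer
{
    meta:
        description = "TA410 Tendyron Installer"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2020-12-09"

    strings:
        $s1 = "Tendyron" wide
        $s2 = "OnKeyToken_KEB.dll" wide
        // Run-key path (persistence-related registry location)
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
        // Same object name as $s2 of apt_Windows_TA410_Tendyron_dropper, but ASCII here
        $s4 = "Global\\8D32CCB321B2"
        $s5 = "\\RTFExploit\\"

    condition:
        // MZ header check written with uint16 like the other rules in this file.
        // The original int16(0) == 0x5A4D yields the same result because 0x5A4D
        // is positive as a signed 16-bit value; matching is unchanged.
        uint16(0) == 0x5A4D and 3 of them
}
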
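rule apt_Windows_TA410_Tendyron_Downloader
{
    meta:
        description = "TA410 Tendyron Downloader"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2020-12-09"

    strings:
        /*
        Byte-transformation loop (likely a decoding routine): every byte is
        XORed with 0x5c and then 0x5c is added to it, for ecx bytes.

        0x401250 8A10       mov dl, byte ptr [eax]
        0x401252 80F25C     xor dl, 0x5c
        0x401255 80C25C     add dl, 0x5c
        0x401258 8810       mov byte ptr [eax], dl
        0x40125a 40         inc eax
        0x40125b 83E901     sub ecx, 1
        0x40125e 75F0       jne 0x401250
        */
        $chunk_1 = {
            8A 10           // mov dl, byte ptr [eax]
            80 F2 5C        // xor dl, 0x5c
            80 C2 5C        // add dl, 0x5c
            88 10           // mov byte ptr [eax], dl
            40              // inc eax
            83 E9 01        // sub ecx, 1
            75 ??           // jne <loop start>; displacement wildcarded
        }
        $s1 = "startModule" fullword

    condition:
        // MZ header check written with uint16 like the other rules in this file.
        // The original int16(0) == 0x5A4D yields the same result because 0x5A4D
        // is positive as a signed 16-bit value; matching is unchanged.
        uint16(0) == 0x5A4D and all of them
}
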
rule apt_Windows_TA410_X4_strings
{
    meta:
        description = "Matches various strings found in TA410 X4"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2020-10-09"

    strings:
        // All three are matched case-insensitively, in both ASCII and UTF-16LE.
        $s1 = "[X]InLoadSC" nocase ascii wide
        // Log file paths under MachineKeys\Log
        $s3 = "MachineKeys\\Log\\rsa.txt" nocase ascii wide
        $s4 = "MachineKeys\\Log\\output.log" nocase ascii wide

    condition:
        // No file-type guard here (unlike the sibling rules), so a single hit in
        // any kind of file is enough.
        1 of them
}

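rule apt_Windows_TA410_X4_hash_values
{
    meta:
        // Description corrected: this rule matches hash values (byte constants), the
        // hash function itself is covered by apt_Windows_TA410_X4_hash_fct.
        description = "Matches X4 hash values found in TA410 X4"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2020-10-09"

    strings:
        // Short (4- to 6-byte) constants; the 4-of-8 threshold below limits
        // incidental matches of such short byte sequences.
        $s1 = {D1 10 76 C2 B6 03}
        $s2 = {71 3E A8 0D}
        $s3 = {DC 78 94 0E}
        $s4 = {40 0D E7 D6 06}
        $s5 = {83 BB FD E8 06}
        $s6 = {92 9D 9B FF EC 03}
        $s7 = {DD 0E FC FA F5 03}
        $s8 = {15 60 1E FB F5 03}

    condition:
        uint16(0) == 0x5a4d and 4 of them
}
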
rule apt_Windows_TA410_X4_hash_fct
{
    meta:
        description = "Matches X4 hash function found in TA410 X4"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2020-10-09"

    /*
    String hash loop: reads bytes from [rcx] until a NUL byte and accumulates
    rdx = rdx * 0x83 + (sign-extended) byte.

    0x6056cc2150 0FB601          movzx eax, byte ptr [rcx]
    0x6056cc2153 84C0            test al, al
    0x6056cc2155 7416            je 0x6056cc216d
    0x6056cc2157 4869D283000000  imul rdx, rdx, 0x83
    0x6056cc215e 480FBEC0        movsx rax, al
    0x6056cc2162 4803D0          add rdx, rax
    0x6056cc2165 48FFC1          inc rcx
    0x6056cc2168 E9E3FFFFFF      jmp 0x6056cc2150
    */

    strings:
        $chunk_1 = {
            0F B6 01                // movzx eax, byte ptr [rcx]
            84 C0                   // test al, al
            74 ??                   // je <end of loop>; displacement wildcarded
            48 69 D2 83 00 00 00    // imul rdx, rdx, 0x83
            48 0F BE C0             // movsx rax, al
            48 03 D0                // add rdx, rax
            48 FF C1                // inc rcx
            E9 ?? ?? ?? ??          // jmp <loop start>; target wildcarded
        }

    condition:
        uint16(0) == 0x5a4d and any of them
}

rule apt_Windows_TA410_LookBack_decryption
{
    meta:
        description = "Matches encryption/decryption function used by LookBack."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Table set-up: for esi in 0..0xff, byte [esp + 0x10 + esi] = 3 * (esi / 4)
        // (cdq / and edx,3 / add / sar 2 is a signed divide by 4; cl = al + 2*al).
        $initialize = {
            8B C6                   //mov eax, esi
            99                      //cdq
            83 E2 03                //and edx, 3
            03 C2                   //add eax, edx
            C1 F8 02                //sar eax, 2
            8A C8                   //mov cl, al
            02 C0                   //add al, al
            02 C8                   //add cl, al
            88 4C 34 10             //mov byte ptr [esp + esi + 0x10], cl
            46                      //inc esi
            81 FE 00 01 00 00       //cmp esi, 0x100
            72 ??                   //jb <loop start>; displacement wildcarded
        }
        // Second loop: 0x600 iterations over a table at [esp + 0x110], swapping
        // entries selected through bl and dh (resembles a key-schedule step; not
        // verified here). The "?? ??" wildcards are the high bytes of the 0x110
        // displacement.
        $generate = {
            8A 94 1C 10 01 ?? ??    //mov dl, byte ptr [esp + ebx + 0x110]
            8D 8C 24 10 01 ?? ??    //lea ecx, [esp + 0x110]
            0F B6 C3                //movzx eax, bl
            0F B6 44 04 10          //movzx eax, byte ptr [esp + eax + 0x10]
            32 C2                   //xor al, dl
            02 F0                   //add dh, al
            0F B6 C6                //movzx eax, dh
            03 C8                   //add ecx, eax
            0F B6 01                //movzx eax, byte ptr [ecx]
            88 84 1C 10 01 ?? ??    //mov byte ptr [esp + ebx + 0x110], al
            43                      //inc ebx
            88 11                   //mov byte ptr [ecx], dl
            81 FB 00 06 00 00       //cmp ebx, 0x600
            72 ??                   //jb 0x10025930
        }
        // Per-byte loop: updates the table state, then XORs the byte at
        // [esi + ebp] with a table byte; runs while esi < edi.
        $decrypt = {
            0F B6 C6                //movzx eax, dh
            8D 8C 24 10 01 ?? ??    //lea ecx, [esp + 0x110]
            03 C8                   //add ecx, eax
            8A 19                   //mov bl, byte ptr [ecx]
            8A C3                   //mov al, bl
            02 C6                   //add al, dh
            FE C6                   //inc dh
            02 F8                   //add bh, al
            0F B6 C7                //movzx eax, bh
            8A 94 04 10 01 ?? ??    //mov dl, byte ptr [esp + eax + 0x110]
            88 9C 04 10 01 ?? ??    //mov byte ptr [esp + eax + 0x110], bl
            88 11                   //mov byte ptr [ecx], dl
            0F B6 C2                //movzx eax, dl
            0F B6 CB                //movzx ecx, bl
            33 C8                   //xor ecx, eax
            8A 84 0C 10 01 ?? ??    //mov al, byte ptr [esp + ecx + 0x110]
            30 04 2E                //xor byte ptr [esi + ebp], al
            46                      //inc esi
            3B F7                   //cmp esi, edi
            7C ??                   //jl 0x10025980
        }

    condition:
        // All three loops must be present in the same PE file.
        uint16(0) == 0x5a4d and all of them
}

rule apt_Windows_TA410_LookBack_loader
{
    meta:
        description = "Matches the modified function in LookBack libcurl loader."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Allocates a 0x4f0-byte buffer, copies 0x13c dwords into it from a fixed
        // address, does the same for a 0x26c-byte buffer, then calls into the
        // first buffer (call eax with eax = [0x10063058] + ebp).
        // NOTE(review): the two source addresses (0x10063060, 0x10063550) are
        // matched literally, so a rebuilt or rebased sample would not match.
        $chunk_1 = {
            FF 15 ?? ?? ?? ??       //call dword ptr [0x100530e0]  (import slot wildcarded)
            6A 40                   //push 0x40    (0x40 = PAGE_EXECUTE_READWRITE)
            68 00 10 00 00          //push 0x1000  (0x1000 = MEM_COMMIT)
            68 F0 04 00 00          //push 0x4f0   (size)
            6A 00                   //push 0
            FF 15 ?? ?? ?? ??       //call dword ptr [0x100530d4]  (argument pattern fits VirtualAlloc; presumed, target wildcarded)
            8B E8                   //mov ebp, eax
            B9 3C 01 00 00          //mov ecx, 0x13c  (0x13c dwords = 0x4f0 bytes)
            BE 60 30 06 10          //mov esi, 0x10063060
            8B FD                   //mov edi, ebp
            68 F0 04 00 00          //push 0x4f0
            F3 A5                   //rep movsd dword ptr es:[edi], dword ptr [esi]
            55                      //push ebp
            E8 ?? ?? ?? ??          //call 0x100258d0
            8B 0D ?? ?? ?? ??       //mov ecx, dword ptr [0x100530e4]
            A1 ?? ?? ?? ??          //mov eax, dword ptr [0x100530c8]
            68 6C 02 00 00          //push 0x26c
            89 4C 24 ??             //mov dword ptr [esp + 0x1c], ecx
            89 44 24 ??             //mov dword ptr [esp + 0x20], eax
            FF 15 ?? ?? ?? ??       //call dword ptr [0x10063038]
            8B D8                   //mov ebx, eax
            B9 9B 00 00 00          //mov ecx, 0x9b  (0x9b dwords = 0x26c bytes)
            BE 50 35 06 10          //mov esi, 0x10063550
            8B FB                   //mov edi, ebx
            68 6C 02 00 00          //push 0x26c
            F3 A5                   //rep movsd dword ptr es:[edi], dword ptr [esi]
            53                      //push ebx
            E8 ?? ?? ?? ??          //call 0x100258d0
            83 C4 14                //add esp, 0x14
            8D 44 24 ??             //lea eax, [esp + 0x10]
            50                      //push eax
            53                      //push ebx
            8D 44 24 ??             //lea eax, [esp + 0x3c]
            50                      //push eax
            A1 ?? ?? ?? ??          //mov eax, dword ptr [0x10063058]
            FF 74 24 ??             //push dword ptr [esp + 0x28]
            03 C5                   //add eax, ebp
            FF D0                   //call eax  (calls into the first allocated buffer)
        }

    condition:
        uint16(0) == 0x5a4d and all of them
}

rule apt_Windows_TA410_LookBack_strings
{
    meta:
        description = "Matches multiple strings and export names in TA410 LookBack."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Export-style function names
        $s2 = "SodomMainInit" wide ascii
        $s6 = "SodomMainProc" wide ascii
        $s1 = "SodomMainFree" wide ascii
        // File names
        $s3 = "SodomNormal.bin" wide ascii
        $s4 = "SodomHttp.bin" wide ascii
        $s5 = "sodom.ini" wide ascii

    condition:
        // MZ header, then either one of the known export names (pe module)
        // or any two of the strings above.
        uint16(0) == 0x5a4d
        and (
            pe.exports("SodomBodyLoad")
            or pe.exports("SodomBodyLoadTest")
            or 2 of them
        )
}

rule apt_Windows_TA410_LookBack_HTTP
{
    meta:
        description = "Matches LookBack's hardcoded HTTP request"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Full request template with printf-style placeholders (%s host / UA, %d lengths)
        $s1 = "POST http://%s/status.php?r=%d%d HTTP/1.1\x0d\nAccept: text/html, application/xhtml+xml, */*\x0d\nAccept-Language: en-us\x0d\nUser-Agent: %s\x0d\nContent-Type: application/x-www-form-urlencoded\x0d\nAccept-Encoding: gzip, deflate\x0d\nHost: %s\x0d\nContent-Length: %d\x0d\nConnection: Keep-Alive\x0d\nCache-Control: no-cache\x0d\n\x0d\n" ascii wide
        // Body prefix of the report message
        $s2 = "id=1&op=report&status="

    condition:
        // Both strings are required, in a PE file.
        uint16(0) == 0x5a4d and $s1 and $s2
}

rule apt_Windows_TA410_LookBack_magic
{
    meta:
        description = "Matches message header creation in LookBack."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Writes the constant 0x48ab2ec2 at [ebx] and fills the three following
        // dwords ([ebx+4], [ebx+8], [ebx+0xc]) before a call; register choices and
        // stack offsets are wildcarded with nibble masks and byte jumps.
        $s1 = {
            C7 03 C2 2E AB 48           //mov dword ptr [ebx], 0x48ab2ec2
            ( A1 | 8B 15 ) ?? ?? ?? ??  //mov (eax | edx), x
            [0-1]                       //push ebp (optional single byte)
            89 ?3 04                    //mov dword ptr [ebx + 4], reg
            8B 4? 24 ??                 //mov reg, dword ptr [esp + X]
            89 4? 08                    //mov dword ptr [ebx + 8], ??
            89 ?? 0C                    //mov dword ptr [ebx + 0xc], ??
            8B 4? 24 ??                 //mov reg, dword ptr [esp + X]
            [1-2]                       //push 1 or 2 args
            E8 ?? ?? ?? ??              //call
        }

    condition:
        uint16(0) == 0x5a4d and all of them
}

rule apt_Windows_TA410_FlowCloud_loader_strings
{
    meta:
        description = "Matches various strings found in TA410 FlowCloud first stage."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Either of these two alone is sufficient (see condition)
        $key = "y983nfdicu3j2dcn09wur9*^&initialize(y4r3inf;'fdskaf'SKF"
        $event = "Global\\Event_{201a283f-e52b-450e-bf44-7dc436037e56}" wide ascii

        // Option-like names (UTF-16LE)
        $s4 = "auto_start_module" wide
        $s5 = "load_main_module_after_install" wide
        $s6 = "terminate_if_fail" wide
        $s7 = "clear_run_mru" wide
        $s8 = "install_to_vista" wide
        $s9 = "load_ext_module" wide
        $s10 = "sll_only" wide
        $s11 = "fail_if_already_installed" wide
        $s12 = "clear_hardware_info" wide
        $s13 = "av_check" wide fullword
        $s14 = "check_rs" wide
        $s15 = "check_360" wide
        $s17 = "auto_start_after_install_check_anti" wide fullword
        $s18 = "auto_start_after_install" wide fullword
        $s20 = "is_hhw" wide fullword

        // File, registry, export-like and message strings
        $s2 = "startModule" fullword
        $s16 = "responsor.dat" wide ascii
        $s19 = "extern_config.dat" wide fullword
        $s21 = "SYSTEM\\Setup\\PrintResponsor" wide
        $s23 = "invalid encrypto hdr while decrypting"

    condition:
        uint16(0) == 0x5a4d and ($key or $event or 5 of ($s*))
}

rule apt_Windows_TA410_FlowCloud_header_decryption
{
    meta:
        description = "Matches the function used to decrypt resources headers in TA410 FlowCloud"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        // NOTE(review): no "date" meta here, unlike the sibling FlowCloud rules.

    /*
    Unrolled loop: each iteration XORs six consecutive output bytes with the
    key dword at [esi] rotated right by a per-byte count (cl), advancing eax
    by 6 and edi by 6, until edi reaches 0x10.

    0x416a70 8B1E       mov ebx, dword ptr [esi]
    0x416a72 8BCF       mov ecx, edi
    0x416a74 D3CB       ror ebx, cl
    0x416a76 8D0C28     lea ecx, [eax + ebp]
    0x416a79 83C706     add edi, 6
    0x416a7c 3018       xor byte ptr [eax], bl
    0x416a7e 8B1E       mov ebx, dword ptr [esi]
    0x416a80 D3CB       ror ebx, cl
    0x416a82 8D0C02     lea ecx, [edx + eax]
    0x416a85 305801     xor byte ptr [eax + 1], bl
    0x416a88 8B1E       mov ebx, dword ptr [esi]
    0x416a8a D3CB       ror ebx, cl
    0x416a8c 8B4C240C   mov ecx, dword ptr [esp + 0xc]
    0x416a90 03C8       add ecx, eax
    0x416a92 305802     xor byte ptr [eax + 2], bl
    0x416a95 8B1E       mov ebx, dword ptr [esi]
    0x416a97 D3CB       ror ebx, cl
    0x416a99 8B4C2410   mov ecx, dword ptr [esp + 0x10]
    0x416a9d 03C8       add ecx, eax
    0x416a9f 305803     xor byte ptr [eax + 3], bl
    0x416aa2 8B1E       mov ebx, dword ptr [esi]
    0x416aa4 D3CB       ror ebx, cl
    0x416aa6 8B4C2414   mov ecx, dword ptr [esp + 0x14]
    0x416aaa 03C8       add ecx, eax
    0x416aac 83C006     add eax, 6
    0x416aaf 3058FE     xor byte ptr [eax - 2], bl
    0x416ab2 8B1E       mov ebx, dword ptr [esi]
    0x416ab4 D3CB       ror ebx, cl
    0x416ab6 3058FF     xor byte ptr [eax - 1], bl
    0x416ab9 83FF10     cmp edi, 0x10
    0x416abc 72B2       jb 0x416a70
    */

    strings:
        // Displacements (stack offsets and [eax + n] offsets) are wildcarded.
        $chunk_1 = {
            8B 1E           // mov ebx, dword ptr [esi]
            8B CF           // mov ecx, edi
            D3 CB           // ror ebx, cl
            8D 0C 28        // lea ecx, [eax + ebp]
            83 C7 06        // add edi, 6
            30 18           // xor byte ptr [eax], bl
            8B 1E           // mov ebx, dword ptr [esi]
            D3 CB           // ror ebx, cl
            8D 0C 02        // lea ecx, [edx + eax]
            30 58 ??        // xor byte ptr [eax + 1], bl
            8B 1E           // mov ebx, dword ptr [esi]
            D3 CB           // ror ebx, cl
            8B 4C 24 ??     // mov ecx, dword ptr [esp + 0xc]
            03 C8           // add ecx, eax
            30 58 ??        // xor byte ptr [eax + 2], bl
            8B 1E           // mov ebx, dword ptr [esi]
            D3 CB           // ror ebx, cl
            8B 4C 24 ??     // mov ecx, dword ptr [esp + 0x10]
            03 C8           // add ecx, eax
            30 58 ??        // xor byte ptr [eax + 3], bl
            8B 1E           // mov ebx, dword ptr [esi]
            D3 CB           // ror ebx, cl
            8B 4C 24 ??     // mov ecx, dword ptr [esp + 0x14]
            03 C8           // add ecx, eax
            83 C0 06        // add eax, 6
            30 58 ??        // xor byte ptr [eax - 2], bl
            8B 1E           // mov ebx, dword ptr [esi]
            D3 CB           // ror ebx, cl
            30 58 ??        // xor byte ptr [eax - 1], bl
            83 FF 10        // cmp edi, 0x10
            72 ??           // jb <loop start>
        }

    condition:
        uint16(0) == 0x5a4d and all of them
}

rule apt_Windows_TA410_FlowCloud_dll_hijacking_strings
{
    meta:
        description = "Matches filenames inside TA410 FlowCloud malicious DLL."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Each base name appears as a .dat and as a .dll; the condition needs the
        // complete set of one extension, not a mix.
        $dll1 = "emedres.dll" wide
        $dat1 = "emedres.dat" wide
        $dll2 = "vviewres.dll" wide
        $dat2 = "vviewres.dat" wide
        $dll3 = "setlangloc.dll" wide
        $dat3 = "setlangloc.dat" wide

    condition:
        (all of ($dll*) or all of ($dat*)) and uint16(0) == 0x5a4d
}

rule apt_Windows_TA410_FlowCloud_malicious_dll_antianalysis
{
    meta:
        description = "Matches anti-analysis techniques used in TA410 FlowCloud hijacking DLL."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        /*
        Anti-disassembly sequence: the conditional jump lands one byte into the
        following "EB FF", so a linear disassembler shows "jmp +1 / loopne" while
        execution decodes "FF E0 / 50 / C3" = jmp eax / push eax / ret (both
        decodings are listed below).

        33C0        xor eax, eax
        E8320C0000  call 0x10001d30
        83C010      add eax, 0x10
        3D00000080  cmp eax, 0x80000000
        7D01        jge +3
        EBFF        jmp +1 / jmp eax
        E050        loopne 0x1000115c / push eax
        C3          ret
        */
        $chunk_1 = {
            33 C0               // xor eax, eax
            E8 ?? ?? ?? ??      // call <target wildcarded>
            83 C0 10            // add eax, 0x10
            3D 00 00 00 80      // cmp eax, 0x80000000
            7D 01               // jge (skips one byte)
            EB FF               // jmp +1 (FF E0 = jmp eax when entered mid-instruction)
            E0 50               // loopne / push eax
            C3                  // ret
        }

    condition:
        uint16(0) == 0x5a4d and all of them
}

rule apt_Windows_TA410_FlowCloud_pdb
{
    meta:
        description = "Matches PDB paths found in TA410 FlowCloud."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    condition:
        // Only these two spellings of the path are matched; pe.pdb_path is
        // undefined (hence no match) when the PE carries no debug directory.
        uint16(0) == 0x5a4d
        and (
            pe.pdb_path contains "\\flowcloud\\trunk\\"
            or pe.pdb_path contains "\\FlowCloud\\trunk\\"
        )
}

rule apt_Windows_TA410_FlowCloud_shellcode_decryption
{
    meta:
        description = "Matches the decryption function used in TA410 FlowCloud self-decrypting DLL"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    /*
    Single-byte key derived from the third argument:
        dl = (([ebp + 0x10] mod 0x46b) + 0x1a8) & 0xff
    then, for ecx in [0, [ebp + 0xc]):
        buf[ecx] = (buf[ecx] ^ dl) + dl      with buf = [ebp + 8]

    0x211 33D2          xor edx, edx
    0x213 8B4510        mov eax, dword ptr [ebp + 0x10]
    0x216 BB6B040000    mov ebx, 0x46b
    0x21b F7F3          div ebx
    0x21d 81C2A8010000  add edx, 0x1a8
    0x223 81E2FF000000  and edx, 0xff
    0x229 8B7D08        mov edi, dword ptr [ebp + 8]
    0x22c 33C9          xor ecx, ecx
    0x22e EB07          jmp 0x237
    0x230 301439        xor byte ptr [ecx + edi], dl
    0x233 001439        add byte ptr [ecx + edi], dl
    0x236 41            inc ecx
    0x237 3B4D0C        cmp ecx, dword ptr [ebp + 0xc]
    0x23a 72F4          jb 0x230
    */

    strings:
        // Frame offsets and jump displacements are wildcarded.
        $chunk_1 = {
            33 D2               // xor edx, edx
            8B 45 ??            // mov eax, dword ptr [ebp + 0x10]
            BB 6B 04 00 00      // mov ebx, 0x46b
            F7 F3               // div ebx
            81 C2 A8 01 00 00   // add edx, 0x1a8
            81 E2 FF 00 00 00   // and edx, 0xff
            8B 7D ??            // mov edi, dword ptr [ebp + 8]
            33 C9               // xor ecx, ecx
            EB ??               // jmp <loop test>
            30 14 39            // xor byte ptr [ecx + edi], dl
            00 14 39            // add byte ptr [ecx + edi], dl
            41                  // inc ecx
            3B 4D ??            // cmp ecx, dword ptr [ebp + 0xc]
            72 ??               // jb <loop body>
        }

    condition:
        uint16(0) == 0x5a4d and all of them
}

rule apt_Windows_TA410_FlowCloud_fcClient_strings
{
    meta:
        description = "Strings found in fcClient/rescure.dat module."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Driver paths: both are required when matched through this group.
        // hidmouse.sys is also referenced by apt_Windows_TA410_Rootkit_strings.
        $driver1 = "\\drivers\\hidmouse.sys" fullword wide
        $driver2 = "\\drivers\\hidusb.sys" fullword wide

        // GUID-style identifiers and a module name; one hit is enough.
        $s1 = "df257bdd-847c-490e-9ef9-1d7dc883d3c0"
        $s2 = "\\{2AFF264E-B722-4359-8E0F-947B85594A9A}"
        $s3 = "Global\\{26C96B51-2B5D-4D7B-BED1-3DCA4848EDD1}" wide
        $s4 = "{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" wide
        $s5 = "{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" wide
        $s6 = "XXXModule_func.dll"

    condition:
        uint16(0) == 0x5a4d and (all of ($driver*) or 1 of ($s*))
}

rule apt_Windows_TA410_FlowCloud_fcClientDll_strings
{
    meta:
        description = "Strings found in fcClientDll/responsor.dat module."
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Counted string: at least 8 occurrences are needed (see #fc_msg below)
        $fc_msg = ".fc_net.msg"

        // SQL schema statements; any 4 of the 7 suffice
        $sql1 = "create table if not exists table_filed_space"
        $sql2 = "create table if not exists clipboard"
        $sql3 = "create trigger if not exists file_after_delete after delete on file"
        $sql4 = "create trigger if not exists file_data_after_insert after insert on file_data"
        $sql5 = "create trigger if not exists file_data_after_delete after delete on file_data"
        $sql6 = "create trigger if not exists file_data_after_update after update on file_data"
        $sql7 = "insert into file_data(file_id, ofs, data, status)"

        // Network templates, pipe name, key-like blob and class name; one hit suffices
        $s1 = "http://%s/html/portlet/ext/draco/resources/draco_manager.swf/[[DYNAMIC]]/1"
        $s2 = "Cookie: COOKIE_SUPPORT=true; JSESSIONID=5C7E7A60D01D2891F40648DAB6CB3DF4.jvm1; COMPANY_ID=10301; ID=666e7375545678695645673d; PASSWORD=7a4b48574d746470447a303d; LOGIN=6863303130; SCREEN_NAME=4a2b455377766b657451493d; GUEST_LANGUAGE_ID=en-US"
        $s4 = "\\pipe\\namedpipe_keymousespy_english" wide
        $s5 = "8932910381748^&*^$58876$%^ghjfgsa413901280dfjslajflsdka&*(^7867=89^&*F(^&*5678f5ds765f76%&*%&*5"
        $s6 = "cls_{CACB140B-0B82-4340-9B05-7983017BA3A4}" wide
        $s7 = "HTTP/1.1 200 OK\x0d\nServer: Apache-Coyote/1.1\x0d\nPragma: No-cache\x0d\nCache-Control: no-cache\x0d\nExpires: Thu, 01 Jan 1970 08:00:00 CST\x0d\nLast-Modified: Fri, 27 Apr 2012 08:11:04 GMT\x0d\nContent-Type: application/xml\x0d\nContent-Length: %d\x0d\nDate: %s GMT"

    condition:
        uint16(0) == 0x5a4d
        and (
            1 of ($s*)
            or #fc_msg >= 8
            or 4 of ($sql*)
        )
}

rule apt_Windows_TA410_Rootkit_strings
{
    meta:
        description = "Strings found in TA410's Rootkit"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    strings:
        // Driver object names and their device objects, listed as pairs
        // (keyboard, mouse, TCP/IP, NSI proxy). All drivers or all devices must match.
        $driver1 = "\\Driver\\kbdclass" wide
        $device1 = "\\Device\\KeyboardClass0" wide
        $driver2 = "\\Driver\\mouclass" wide
        $device2 = "\\Device\\PointerClass0" wide
        $driver3 = "\\Driver\\tcpip" wide
        $device3 = "\\Device\\tcp" wide
        $driver4 = "\\Driver\\nsiproxy" wide
        $device4 = "\\Device\\Nsi" wide

        // Registry key and value-name formats (all required)
        $reg1 = "\\Registry\\Machine\\SYSTEM\\Setup\\AllowStart\\ceipCommon" wide
        $reg2 = "RHH%d" wide
        $reg3 = "RHP%d" wide

        // Driver file path (required); same file name as in the fcClient rule
        $s1 = "\\SystemRoot\\System32\\drivers\\hidmouse.sys" wide

    condition:
        uint16(0) == 0x5a4d
        and $s1
        and all of ($reg*)
        and (all of ($driver*) or all of ($device*))
}

rule apt_Windows_TA410_FlowCloud_v5_resources
{
    meta:
        description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 5.0.2"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    condition:
        // At least 12 resources of type 10 (RT_RCDATA), language 1033 (en-US),
        // whose names are UTF-16LE strings from the list below (the "\x00" bytes
        // are the high halves of each character).
        uint16(0) == 0x5a4d
        and pe.number_of_resources >= 13
        and for 12 resource in pe.resources : (
            resource.type == 10
            and resource.language == 1033
            // resource name is one of 100, 1000, 10000, 1001, 101, 102, 103, 104,
            // 105, 106, 107, 108, 109, 110, 2000, 2001 as a wide string
            and (
                resource.name_string == "1\x000\x000\x00"                 // 100
                or resource.name_string == "1\x000\x000\x000\x00"         // 1000
                or resource.name_string == "1\x000\x000\x000\x000\x00"    // 10000
                or resource.name_string == "1\x000\x000\x001\x00"         // 1001
                or resource.name_string == "1\x000\x001\x00"              // 101
                or resource.name_string == "1\x000\x002\x00"              // 102
                or resource.name_string == "1\x000\x003\x00"              // 103
                or resource.name_string == "1\x000\x004\x00"              // 104
                or resource.name_string == "1\x000\x005\x00"              // 105
                or resource.name_string == "1\x000\x006\x00"              // 106
                or resource.name_string == "1\x000\x007\x00"              // 107
                or resource.name_string == "1\x000\x008\x00"              // 108
                or resource.name_string == "1\x000\x009\x00"              // 109
                or resource.name_string == "1\x001\x000\x00"              // 110
                or resource.name_string == "2\x000\x000\x000\x00"         // 2000
                or resource.name_string == "2\x000\x000\x001\x00"         // 2001
            )
        )
}

rule apt_Windows_TA410_FlowCloud_v4_resources
{
    meta:
        description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 4.1.3"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        author = "ESET Research"
        date = "2021-10-12"

    condition:
        // At least 5 resources of type 10 (RT_RCDATA), language 1033 (en-US),
        // whose names are UTF-16LE strings from the list below (the "\x00" bytes
        // are the high halves of each character).
        uint16(0) == 0x5a4d
        and pe.number_of_resources >= 6
        and for 5 resource in pe.resources : (
            resource.type == 10
            and resource.language == 1033
            // resource name is one of 10000, 10001, 10002, 10003, 10004, 10005, 10100 as a wide string
            and (
                resource.name_string == "1\x000\x000\x000\x000\x00"       // 10000
                or resource.name_string == "1\x000\x000\x000\x001\x00"    // 10001
                or resource.name_string == "1\x000\x000\x000\x002\x00"    // 10002
                or resource.name_string == "1\x000\x000\x000\x003\x00"    // 10003
                or resource.name_string == "1\x000\x000\x000\x004\x00"    // 10004
                or resource.name_string == "1\x000\x000\x000\x005\x00"    // 10005
                or resource.name_string == "1\x000\x001\x000\x000\x00"    // 10100
            )
        )
}

// Stantinko yara rules
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2017, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
rule beds_plugin
{
    meta:
        Author = "Frédéric Vachon"
        Date = "2017-07-17"
        Description = "Stantinko BEDS' plugins"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    condition:
        // Requires the full plugin export set; pe.exports() is undefined on
        // non-PE input, so such files do not match.
        pe.exports("InitializePlugin")
        and pe.exports("GetPluginData")
        and pe.exports("CheckDLLStatus")
        and pe.exports("IsReleased")
        and pe.exports("ReleaseDLL")
}

rule beds_dropper {

    meta:
        Author = "Frédéric Vachon"
        Date = "2017-07-17"
        Description = "BEDS dropper"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    condition:
        // Import-table hash only, with no MZ or filesize guard: pe.imphash() is
        // undefined on non-PE input (no match), while any PE whose import table
        // hashes to this value matches, related to the dropper or not.
        pe.imphash() == "a7ead4ef90d9981e25728e824a1ba3ef"

}

rule facebook_bot
{
    meta:
        Author = "Frédéric Vachon"
        Date = "2017-07-17"
        Description = "Stantinko's Facebook bot"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Specific strings: a single one is enough (with the PE/size guard)
        $s1 = "m_upload_pic&return_uri=https%3A%2F%2Fm.facebook.com%2Fprofile.php" ascii fullword
        $s2 = "D:\\work\\brut\\cms\\facebook\\facebookbot\\Release\\facebookbot.pdb" ascii fullword
        $s3 = "https%3A%2F%2Fm.facebook.com%2Fcomment%2Freplies%2F%3Fctoken%3D" ascii fullword
        $s4 = "reg_fb_gate=https%3A%2F%2Fm.facebook.com%2Freg" ascii fullword
        $s5 = "reg_fb_ref=https%3A%2F%2Fm.facebook.com%2Freg%2F" ascii fullword
        $s6 = "&return_uri_error=https%3A%2F%2Fm.facebook.com%2Fprofile.php" ascii fullword

        // Weaker strings: three are required
        $x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" ascii fullword
        $x2 = "registration@facebookmail.com" ascii fullword
        $x3 = "https://m.facebook.com/profile.php?mds=" ascii fullword
        $x4 = "https://upload.facebook.com/_mupload_/composer/?profile&domain=" ascii fullword
        $x5 = "http://staticxx.facebook.com/connect/xd_arbiter.php?version=42#cb=ff43b202c" ascii fullword
        $x6 = "https://upload.facebook.com/_mupload_/photo/x/saveunpublished/" ascii fullword
        $x7 = "m.facebook.com&ref=m_upload_pic&waterfall_source=" ascii fullword
        $x8 = "payload.commentID" ascii fullword
        $x9 = "profile.login" ascii fullword

    condition:
        // Either a PE under 1000KB with 1 of $s* or 3 of $x*, or every string
        // regardless of file type and size.
        (
            uint16(0) == 0x5a4d
            and filesize < 1000KB
            and (1 of ($s*) or 3 of ($x*))
        )
        or all of them
}

rule pds_plugins
{
    meta:
        Author = "Frédéric Vachon"
        Date = "2017-07-17"
        Description = "Stantinko PDS' plugins"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // C++ type names (as they would appear in RTTI data; presumed) for the
        // HTTP header / POST item / cookie classes.
        $s9 = "CHTTPHeader" ascii fullword
        $s5 = "CHTTPHeaderManager" ascii fullword
        $s7 = "CHTTPHeaderManager *" ascii fullword
        $s2 = "std::_Vector_val<CHTTPHeader *,std::allocator<CHTTPHeader *> >" ascii fullword
        $s3 = "std::vector<CHTTPHeader *,std::allocator<CHTTPHeader *> >" ascii fullword
        $s10 = "CHTTPPostItem" ascii fullword
        $s8 = "CHTTPPostItemManager" ascii fullword
        $s6 = "CHTTPPostItemManager *" ascii fullword
        $s1 = "std::_Vector_val<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" ascii fullword
        $s4 = "std::vector<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" ascii fullword
        $s13 = "CCookieManager *" ascii fullword
        $s11 = "std::vector<CCookie *,std::allocator<CCookie *> >" ascii fullword
        $s12 = "std::_Vector_val<CCookie *,std::allocator<CCookie *> >" ascii fullword

    condition:
        // PE under 1000KB with any two of the strings
        uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}

rule stantinko_pdb
{
    meta:
        Author = "Frédéric Vachon"
        Date = "2017-07-17"
        Description = "Stantinko malware family PDB path"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // PDB path prefix; matched as ASCII anywhere in the file, with no
        // file-type guard (a text file quoting this path also matches).
        $s1 = "D:\\work\\service\\service\\" ascii

    condition:
        $s1
}

rule stantinko_droppers {

    meta:
        Author = "Marc-Etienne M.Léveillé"
        Date = "2017-07-17"
        Description = "Stantinko droppers"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Bytes from the encrypted payload
        // (the sequence opens with 55 8B EC, a common x86 function prologue;
        // whether this is the stored form or the decrypted form is not
        // established here)
        $s1 = {55 8B EC 83 EC 08 53 56 BE 80 F4 45 00 57 81 EE 80 0E 41 00 56 E8 6D 23 00 00 56 8B D8 68 80 0E 41 00 53 89 5D F8 E8 65 73 00 00 8B 0D FC F5 45}

        // Keys to decrypt payload (24 bytes, apparently three 8-byte entries)
        $s2 = {7E 5E 7F 8C 08 46 00 00 AB 57 1A BB 91 5C 00 00 FA CC FD 76 90 3A 00 00}

    condition:
        // Either pattern in a PE file
        uint16(0) == 0x5A4D and 1 of them
}

rule stantinko_d3d
{
    meta:
        Author = "Marc-Etienne M.Léveillé"
        Date = "2017-07-17"
        Description = "Stantinko d3dadapter component"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    condition:
        // One WinINet import plus two exports; all three are required.
        pe.imports("WININET.DLL", "HttpAddRequestHeadersA")
        and pe.exports("ServiceMain")
        and pe.exports("EntryPoint")
}

rule stantinko_ihctrl32
{
    meta:
        Author = "Marc-Etienne M.Léveillé"
        Date = "2017-07-17"
        Description = "Stantinko ihctrl32 component"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Module / export names
        $s1 = "ihctrl32.dll"
        $s3 = "Ihctrl32Main"
        $s2 = "win32_hlp"
        // Format string and global object name
        $s4 = "I%citi%c%size%s%c%ci%s"
        $s5 = "Global\\Intel_hctrl32"

    condition:
        // Any two strings; no file-type guard
        2 of ($s*)
}

rule stantinko_wsaudio
{
    meta:
        Author = "Marc-Etienne M.Léveillé"
        Date = "2017-07-17"
        Description = "Stantinko wsaudio component"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Module name and export
        $s2 = "wsaudio.dll"
        $s1 = "GetInterface"

        // Event name and registry class path
        $s3 = "Global\\Wsaudio_Initialize"
        $s4 = "SOFTWARE\\Classes\\%s.FieldListCtrl.1\\"

    condition:
        // Any two strings; no file-type guard
        2 of ($s*)
}

rule stantinko_ghstore
{
    meta:
        Author = "Marc-Etienne M.Léveillé"
        Date = "2017-07-17"
        Description = "Stantinko ghstore component"
        Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Format strings (%c / %s placeholders) stored as UTF-16LE
        $s1 = "G%cost%sSt%c%s%s%ce%sr" wide
        $s2 = "%cho%ct%sS%sa%c%s%crve%c" wide
        $s3 = "Par%c%ce%c%c%s" wide
        $s4 = "S%c%curity%c%s%c%s" wide
        $s5 = "Sys%c%s%c%c%su%c%s%clS%c%s%serv%s%ces" wide

    condition:
        // Any three of the five; no file-type guard
        3 of ($s*)
}
