// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These YARA rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2021, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
import "pe"
// Gate shared by every IIS_Group* rule in this file: "this PE looks like a
// native IIS module". Declared private so it never shows up as a match on its
// own; the public rules reference it from their conditions.
private rule IIS_Native_Module {
    meta:
        description = "Signature to match an IIS native module (clean or malicious)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Handler names from the IIS native-module SDK (CHttpModule
        // per-request notifications, CGlobalModule server-wide
        // notifications) plus one SDK log message. Clean modules carry
        // these too, so matching here says nothing about maliciousness.
        $e1 = "This module subscribed to event"
        $e2 = "CHttpModule::OnBeginRequest"
        $e3 = "CHttpModule::OnPostBeginRequest"
        $e4 = "CHttpModule::OnAuthenticateRequest"
        $e5 = "CHttpModule::OnPostAuthenticateRequest"
        $e6 = "CHttpModule::OnAuthorizeRequest"
        $e7 = "CHttpModule::OnPostAuthorizeRequest"
        $e8 = "CHttpModule::OnResolveRequestCache"
        $e9 = "CHttpModule::OnPostResolveRequestCache"
        $e10 = "CHttpModule::OnMapRequestHandler"
        $e11 = "CHttpModule::OnPostMapRequestHandler"
        $e12 = "CHttpModule::OnAcquireRequestState"
        $e13 = "CHttpModule::OnPostAcquireRequestState"
        $e14 = "CHttpModule::OnPreExecuteRequestHandler"
        $e15 = "CHttpModule::OnPostPreExecuteRequestHandler"
        $e16 = "CHttpModule::OnExecuteRequestHandler"
        $e17 = "CHttpModule::OnPostExecuteRequestHandler"
        $e18 = "CHttpModule::OnReleaseRequestState"
        $e19 = "CHttpModule::OnPostReleaseRequestState"
        $e20 = "CHttpModule::OnUpdateRequestCache"
        $e21 = "CHttpModule::OnPostUpdateRequestCache"
        $e22 = "CHttpModule::OnLogRequest"
        $e23 = "CHttpModule::OnPostLogRequest"
        $e24 = "CHttpModule::OnEndRequest"
        $e25 = "CHttpModule::OnPostEndRequest"
        $e26 = "CHttpModule::OnSendResponse"
        $e27 = "CHttpModule::OnMapPath"
        $e28 = "CHttpModule::OnReadEntity"
        $e29 = "CHttpModule::OnCustomRequestNotification"
        $e30 = "CHttpModule::OnAsyncCompletion"
        $e31 = "CGlobalModule::OnGlobalStopListening"
        $e32 = "CGlobalModule::OnGlobalCacheCleanup"
        $e33 = "CGlobalModule::OnGlobalCacheOperation"
        $e34 = "CGlobalModule::OnGlobalHealthCheck"
        $e35 = "CGlobalModule::OnGlobalConfigurationChange"
        $e36 = "CGlobalModule::OnGlobalFileChange"
        $e37 = "CGlobalModule::OnGlobalApplicationStart"
        $e38 = "CGlobalModule::OnGlobalApplicationResolveModules"
        $e39 = "CGlobalModule::OnGlobalApplicationStop"
        $e40 = "CGlobalModule::OnGlobalRSCAQuery"
        $e41 = "CGlobalModule::OnGlobalTraceEvent"
        $e42 = "CGlobalModule::OnGlobalCustomNotification"
        $e43 = "CGlobalModule::OnGlobalThreadCleanup"
        $e44 = "CGlobalModule::OnGlobalApplicationPreload"

    condition:
        // "MZ" magic at offset 0, the RegisterModule export that IIS calls to
        // load a native module (requires `import "pe"` at the top of the
        // file), and at least one SDK handler name.
        uint16(0) == 0x5A4D and pe.exports("RegisterModule") and any of ($e*)
}
// Group 1: IIS-Raid derivatives. Two independent string families must hit on
// top of the native-module gate, which keeps the short 3-byte tokens below
// from carrying the verdict alone.
rule IIS_Group01_IISRaid {
    meta:
        description = "Detects Group 1 native IIS malware family (IIS-Raid derivates)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // `ascii wide` matches both the narrow and the UTF-16LE encoding.
        $s1 = "cmd.exe" ascii wide
        // Three-byte command tokens. Individually weak (and short enough that
        // YARA may warn about scan speed), hence the "3 of" threshold.
        $s2 = "CMD"
        $s3 = "PIN"
        $s4 = "INJ"
        $s5 = "DMP"
        $s6 = "UPL"
        $s7 = "DOW"
        $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide

        // Temp-file paths and HTTP-header-like names. $p9/$p10 are also
        // legitimate header names, so any one $p alone is not decisive.
        $p1 = "C:\\Windows\\Temp\\creds.db"
        $p2 = "C:\\Windows\\Temp\\thumbs.db"
        $p3 = "C:\\Windows\\Temp\\AAD30E0F.tmp"
        $p4 = "X-Chrome-Variations"
        $p5 = "X-Cache"
        $p6 = "X-Via"
        $p7 = "COM_InterProt"
        $p8 = "X-FFEServer"
        $p9 = "X-Content-Type-Options"
        $p10 = "Strict-Transport-Security"
        $p11 = "X-Password"
        $p12 = "XXXYYY-Ref"
        $p13 = "X-BLOG"
        $p14 = "X-BlogEngine"

    condition:
        IIS_Native_Module and 3 of ($s*) and any of ($p*)
}
// Group 2: identified mainly by PDB paths and the module's own request-parsing
// regex source. Three of the six strings are required on top of the gate.
rule IIS_Group02 {
    meta:
        description = "Detects Group 2 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "HttpModule.pdb" ascii wide
        // Plain text strings, not YARA regexes: these are the regex *sources*
        // embedded in the binary and are matched literally (the `\\` is just
        // YARA string escaping for a single backslash).
        $s2 = "([\\w+%]+)=([^&]*)"
        $s3 = "([\\w+%]+)=([^!]*)"
        $s4 = "cmd.exe"
        // Full build-machine PDB path left in the sample.
        $s5 = "C:\\Users\\Iso\\Documents\\Visual Studio 2013\\Projects\\IIS 5\\x64\\Release\\Vi.pdb" ascii wide
        $s6 = "AVRSAFunction"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 3: a small string set, so the "3 of" threshold means at least one of
// the two sample-specific strings ($s1 or $s4) must be present alongside the
// generic API names.
rule IIS_Group03 {
    meta:
        description = "Detects Group 3 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "IIS-Backdoor.dll"
        // Win32 API names; they appear in the import tables of many clean
        // binaries and only discriminate in combination with $s1/$s4.
        $s2 = "CryptStringToBinaryA"
        $s3 = "CreateProcessA"
        $s4 = "X-Cookie"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 4: RGDoor. Either the single high-confidence cookie marker ($i1) or
// the complete command vocabulary ($s2..$s5) is enough on top of the gate.
rule IIS_Group04_RGDoor {
    meta:
        description = "Detects Group 4 native IIS malware family (RGDoor)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        reference = "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Cookie-name prefix specific to this family.
        $i1 = "RGSESSIONID="
        // Command keywords; the trailing "$" is part of the literal string,
        // not an anchor.
        $s2 = "upload$"
        $s3 = "download$"
        $s4 = "cmd$"
        $s5 = "cmd.exe"

    condition:
        // Parenthesised on purpose: `and` binds tighter than `or` in YARA.
        IIS_Native_Module and ($i1 or all of ($s*))
}
// Group 5: IIStealer. Mixes plain text markers with two hex patterns that
// catch the same checkout-page paths when they are built on the stack.
rule IIS_Group05_IIStealer {
    meta:
        description = "Detects Group 5 native IIS malware family (IIStealer)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Fixed 16-character tokens; their role is not evident from the rule
        // itself. `ascii wide` covers narrow and UTF-16LE copies.
        $s1 = "tojLrGzFMbcDTKcH" ascii wide
        $s2 = "4vUOj3IutgtrpVwh" ascii wide
        $s3 = "SoUnRCxgREXMu9bM" ascii wide
        $s4 = "9Zr1Z78OkgaXj1Xr" ascii wide
        $s5 = "cache.txt" ascii wide
        // Payment-page paths; $s8..$s10 are only matched in their narrow form.
        $s6 = "/checkout/checkout.aspx" ascii wide
        $s7 = "/checkout/Payment.aspx" ascii wide
        $s8 = "/privacy.aspx"
        $s9 = "X-IIS-Data"
        $s10 = "POST"

        // string stacking of "/checkout/checkout.aspx"
        // Sequence of `C7 ?? disp8 imm32` stores (mov [reg+disp8], imm32)
        // writing the UTF-16LE text two characters at a time; `??` wildcards
        // the ModRM byte so the base register does not matter.
        $s11 = {C7 ?? CF 2F 00 63 00 C7 ?? D3 68 00 65 00 C7 ?? D7 63 00 6B 00 C7 ?? DB 6F 00 75 00 C7 ?? DF 74 00 2F 00 C7 ?? E3 63 00 68 00 C7 ?? E7 65 00 63 00 C7 ?? EB 6B 00 6F 00 C7 ?? EF 75 00 74 00 C7 ?? F3 2E 00 61 00 C7 ?? F7 73 00 70 00 C7 ?? FB 78 00 00 00}

        // string stacking of "/privacy.aspx"
        // Same store pattern as $s11, shorter string.
        $s12 = {C7 ?? AF 2F 00 70 00 C7 ?? B3 72 00 69 00 C7 ?? B7 76 00 61 00 C7 ?? BB 63 00 79 00 C7 ?? BF 2E 00 61 00 C7 ?? C3 73 00 70 00 C7 ?? C7 78 00 00 00}

    condition:
        // Note that "3 of ($s*)" counts the hex strings $s11/$s12 as well.
        IIS_Native_Module and 3 of ($s*)
}
// Group 6: ISN. Almost every string carries the family's own "isn7" name, so
// the rule is high-precision; the threshold is there to survive a partially
// stripped build.
rule IIS_Group06_ISN {
    meta:
        description = "Detects Group 6 native IIS malware family (ISN)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        reference = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Status/log messages emitted by the module.
        $s1 = "isn7 config reloaded"
        $s2 = "isn7 config NOT reloaded, not found or empty"
        $s3 = "isn7 log deleted"
        $s4 = "isn7 log not deleted, ERROR 0x%X"
        $s5 = "isn7 log NOT found"
        $s6 = "isn_reloadconfig"
        // Developer's project path left in the binary.
        $s7 = "D:\\soft\\Programming\\C++\\projects\\isapi\\isn7"
        $s8 = "get POST failed %d"
        $s9 = "isn7.dll"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 7: IISpy. Requires two family-specific strings ($s*) plus at least one
// of the request/response artefacts ($t*) on top of the gate.
rule IIS_Group07_IISpy {
    meta:
        description = "Detects Group 7 native IIS malware family (IISpy)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Path-like keys used by the module.
        $s1 = "/credential/username"
        $s2 = "/credential/password"
        $s3 = "/computer/domain"
        $s4 = "/computer/name"
        $s5 = "/password"
        $s6 = "/cmd"
        // printf-style format string with fixed field widths.
        $s7 = "%.8s%.8s=%.8s%.16s%.8s%.16s"
        // Win32 API names (imports); common in clean code, weak on their own.
        $s8 = "ImpersonateLoggedOnUser"
        $s9 = "WNetAddConnection2W"

        // HTTP header names; $t1..$t4 are all legitimate headers, which is
        // why any of them alone is not sufficient.
        $t1 = "X-Forwarded-Proto"
        $t2 = "Sec-Fetch-Mode"
        $t3 = "Sec-Fetch-Site"
        $t4 = "Cookie"

        // PNG IEND
        // IEND chunk type followed by its fixed CRC.
        $t5 = {49 45 4E 44 AE 42 60 82}

        // PNG HEADER
        // 8-byte PNG signature, IHDR chunk length (13) and "IHDR" type.
        $t6 = {89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52}

    condition:
        IIS_Native_Module and 2 of ($s*) and any of ($t*)
}
// Group 8: one identifying string ($i*) and three of the operator-facing
// messages/tokens ($s*) are required on top of the gate.
rule IIS_Group08 {
    meta:
        description = "Detects Group 8 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Module file names (note the "Fliter" misspelling, kept verbatim)
        // and a version marker.
        $i1 = "FliterSecurity.dll"
        $i2 = "IIS7NativeModule.dll"
        $i3 = "Ver1.0."

        // Command keyword and the module's response messages. "Realy" is the
        // sample's own typo and must stay as-is.
        $s1 = "Cmd"
        $s2 = "Realy path : %s"
        $s3 = "Logged On Users : %d"
        $s4 = "Connect OK!"
        $s5 = "You are fucked!"
        $s6 = "Shit!Error"
        $s7 = "Where is the God!!"
        $s8 = "Shit!Download False!"
        $s9 = "Good!Run OK!"
        $s10 = "Shit!Run False!"
        $s11 = "Good!Download OK!"
        $s12 = "[%d]safedog"
        // Hard-coded 16-hex-character tokens; their meaning is not evident
        // from the rule itself.
        $s13 = "ed81bfc09d069121"
        $s14 = "a9478ef01967d190"
        $s15 = "af964b7479e5aea2"
        $s16 = "1f9e6526bea65b59"
        $s17 = "2b9e9de34f782d31"
        $s18 = "33cc5da72ac9d7bb"
        $s19 = "b1d71f4c2596cd55"
        $s20 = "101fb9d9e86d9e6c"

    condition:
        IIS_Native_Module and 1 of ($i*) and 3 of ($s*)
}
// Group 9: SEO-fraud style module. Many strings carry the `xor` modifier,
// which makes YARA also search for the string XOR-ed with every single-byte
// key (0x00..0xFF), so obfuscated copies in the binary still match.
rule IIS_Group09 {
    meta:
        description = "Detects Group 9 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $i1 = "FliterSecurity.dll"
        // Sixteen repeated 0x56 bytes.
        $i2 = {56565656565656565656565656565656}
        // Pipe-separated keyword lists (search-engine / referrer names),
        // stored XOR-obfuscated in the sample.
        $i3 = "app|hot|alp|svf|fkj|mry|poc|doc|20" xor
        $i4 = "yisouspider|yisou|soso|sogou|m.sogou|sogo|sogou|so.com|baidu|bing|360" xor
        $i5 = "baidu|m.baidu|soso|sogou|m.sogou|sogo|sogou|so.com|google|youdao" xor
        $i6 = "118|abc|1go|evk" xor

        // Class/factory name and data-file names.
        $s1 = "AVCFuckHttpModuleFactory"
        $s2 = "X-Forward"
        $s3 = "fuck32.dat"
        $s4 = "fuck64.dat"
        // Query-string parameter fragments.
        $s5 = "&ipzz1="
        $s6 = "&ipzz2="
        $s7 = "&uuu="

        // URL prefixes, deliberately truncated before the end of the TLD so
        // that they match regardless of the exact suffix.
        $s8 = "http://20.3323sf.c" xor
        $s9 = "http://bj.whtjz.c" xor
        $s10 = "http://bj2.wzrpx.c" xor
        $s11 = "http://cs.whtjz.c" xor
        $s12 = "http://df.e652.c" xor
        $s13 = "http://dfcp.yyphw.c" xor
        $s14 = "http://es.csdsx.c" xor
        $s15 = "http://hz.wzrpx.c" xor
        $s16 = "http://id.3323sf.c" xor
        $s17 = "http://qp.008php.c" xor
        $s18 = "http://qp.nmnsw.c" xor
        $s19 = "http://sc.300bt.c" xor
        $s20 = "http://sc.wzrpx.c" xor
        $s21 = "http://sf2223.c" xor
        $s22 = "http://sx.cmdxb.c" xor
        $s23 = "http://sz.ycfhx.c" xor
        $s24 = "http://xpq.0660sf.c" xor
        $s25 = "http://xsc.b1174.c" xor

    condition:
        IIS_Native_Module and any of ($i*) and 3 of ($s*)
}
// Group 10: SEO-fraud module that rewrites page content for search-engine
// crawlers. Requires two crawler identifiers ($e*) and three content/markup
// strings ($s*) on top of the gate.
rule IIS_Group10 {
    meta:
        description = "Detects Group 10 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "IIS7.dll"
        // Plain strings, not YARA regexes: the regex sources the module uses
        // to locate <title>/<meta> tags, matched literally.
        $s2 = "<title>(.*?)title(.*?)>"
        $s3 = "<meta(.*?)name(.*?)=(.*?)keywords(.*?)>"
        $s4 = "<meta(.*?)name(.*?)=(.*?)description(.*?)>"
        // Truncated host name (prefix match).
        $s5 = "js.breakavs.co"
        // Injected page text; matched as the byte sequence written in this
        // file (UTF-8). No `wide` modifier, so a UTF-16 copy would not hit.
        $s6 = "微信群-赛车PK10群【进群微信fun57644】_幸运飞艇_幸运28群"
        $s7 = "北京赛车微信群,北京微信赛车群,北京赛车微信群,PK10群,北京赛车pk10微信群,PK10微信群,赛车微信群,北京赛车群,"
        $s8 = "北京赛车微信群,北京微信赛车群【进群微信号fun57644】北京微信赛车群,北京微信赛车"

        // Crawler user-agent fragments and search-engine domains. All are
        // benign on their own; they only discriminate together with $s*.
        $e1 = "Baiduspider"
        $e2 = "Sosospider"
        $e3 = "Sogou web spider"
        $e4 = "360Spider"
        $e5 = "YisouSpider"
        $e6 = "sogou.com"
        $e7 = "soso.com"
        $e8 = "uc.cn"
        $e9 = "baidu.com"
        $e10 = "sm.cn"

    condition:
        IIS_Native_Module and 2 of ($e*) and 3 of ($s*)
}
// Group 11: most strings are stored in the sample with a trivial
// "subtract 2 from every byte" transform, so the rule carries the encoded
// form and the comments give the decoded plaintext.
rule IIS_Group11 {
    meta:
        description = "Detects Group 11 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Plaintext strings.
        $s1 = "DnsQuery_A"
        $s2 = "&reurl="
        $s3 = "&jump=1"

        // encrypted "HTTP_cmd" (SUB 2)
        $s4 = "JVVRaeof"

        // encrypted "lanke88" (SUB 2)
        $s5 = "ncpmg::0"

        // encrypted "xinxx.allsoulu[.]com" (SUB 2)
        // (the "[.]" is defanging in the comment only; the encoded string
        // corresponds to a real dot)
        $s6 = "zkpzz0cnnuqwnw0eqo"

        // encrypted "http://www.allsoulu[.]com/1.php?cmdout=" (SUB 2)
        $s7 = "jvvr<11yyy0cnnuqwnw0eqo130rjrAeofqwv?"

    condition:
        IIS_Native_Module and 3 of ($s*)
}
// Group 12: proxy/SEO module. "5 of them" counts every string in the rule,
// text and hex alike, so the two hash fragments ($b*) contribute as well.
rule IIS_Group12 {
    meta:
        description = "Detects Group 12 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Paths and file names.
        $s1 = "C:\\inetpub\\temp\\IIS Temporary Compressed Files\\"
        $s2 = "F5XFFHttpModule.dll"
        $s3 = "gtest_redir"
        // `nocase` makes the match case-insensitive.
        $s4 = "\\cmd.exe" nocase
        $s5 = "iuuq;00" // encrypted "http://" (ADD 1)
        // Query-string fragments and keyword lists.
        $s6 = "?xhost="
        $s7 = "&reurl="
        $s8 = "?jump=1"
        $s9 = "app|zqb"
        $s10 = "ifeng|ivc|sogou|so.com|baidu|google|youdao|yahoo|bing|118114|biso|gougou|sooule|360|sm|uc"
        $s11 = "sogou|so.com|baidu|google|youdao|yahoo|bing|gougou|sooule|360|sm.cn|uc"
        $s12 = "Hotcss/|Hotjs/"
        $s13 = "HotImg/|HotPic/"
        // Operator-facing status messages (trailing space in $s16 is part of
        // the string).
        $s14 = "msf connect error !!"
        $s15 = "download ok !!"
        $s16 = "download error !! "
        $s17 = "param error !!"
        $s18 = "Real Path: "
        $s19 = "unknown cmd !"

        // hardcoded hash values
        // `[-]` is an unbounded jump: the four 4-byte chunks may be separated
        // by any amount of other bytes (e.g. when the value is written in
        // several instructions).
        $b1 = {15 BD 01 2E [-] 5E 40 08 97 [-] CF 8C BE 30 [-] 28 42 C6 3B}
        $b2 = {E1 0A DC 39 [-] 49 BA 59 AB [-] BE 56 E0 57 [-] F2 0F 88 3E}

    condition:
        IIS_Native_Module and 5 of them
}
// Group 13: IISerpent (SEO fraud). Five of the eleven declared strings are
// required on top of the gate; identifiers skip $s10, which is harmless
// because "them" only counts strings that are declared.
rule IIS_Group13_IISerpent {
    meta:
        description = "Detects Group 13 native IIS malware family (IISerpent)"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        $s1 = "/mconfig/lunlian.txt"
        // Truncated host (prefix match).
        $s2 = "http://sb.qrfy.ne"
        // Configuration keys.
        $s3 = "folderlinkpath"
        $s4 = "folderlinkcount"
        $s5 = "onlymobilespider"
        $s6 = "redirectreferer"
        $s7 = "loadSuccessfull : "
        // $s8/$s9 are very generic; they cannot carry the verdict alone
        // because five strings are needed.
        $s8 = "spider"
        $s9 = "<a href="
        // Control query strings.
        $s11 = "?ReloadModuleConfig=1"
        $s12 = "?DisplayModuleConfig=1"

    condition:
        IIS_Native_Module and 5 of them
}
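// Group 14: SEO-fraud module. Either two of the family-specific identifiers
// ($i*) or five strings overall are required, always on top of the
// native-module gate. Identifiers skip $s5; "them" only counts declared
// strings, so that is harmless.
rule IIS_Group14 {
    meta:
        description = "Detects Group 14 native IIS malware family"
        author = "ESET Research"
        date = "2021-08-04"
        reference = "https://www.welivesecurity.com/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"

    strings:
        // Family-specific format string, request paths and injected markup.
        $i1 = "agent-self: %s"
        $i2 = "/utf.php?key="
        $i3 = "/self.php?v="
        // `\"` is YARA escaping for a literal double quote; the host name is
        // truncated on purpose (prefix match).
        $i4 = "<script type=\"text/javascript\" src=\"//speed.wlaspsd.co"
        $i5 = "now.asmkpo.co"

        // Crawler user-agent fragments and a CGI variable name. All benign
        // on their own, which is why they never decide the verdict without
        // the gate.
        $s1 = "Baiduspider"
        $s2 = "360Spider"
        $s3 = "YisouSpider"
        $s4 = "Sogou"
        $s6 = "HTTP_X_FORWARDED_FOR"

    condition:
        // Parenthesised: YARA gives `and` higher precedence than `or`, so the
        // unparenthesised form `A and B or C` is `(A and B) or C`, which
        // would let "5 of them" fire on any file (even a non-PE one) without
        // the IIS_Native_Module gate. Every other rule in this file gates
        // unconditionally; this one now does too.
        IIS_Native_Module and (2 of ($i*) or 5 of them)
}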