25 lines
1.1 KiB
Text
25 lines
1.1 KiB
Text
|
|
rule WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1 {
|
|
meta:
|
|
description = "Detects DEWMODE webshells"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html"
|
|
date = "2021-02-22"
|
|
hash1 = "2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7"
|
|
hash2 = "5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b"
|
|
id = "ea883f25-0e9b-5617-b05e-191a4a5c5a52"
|
|
strings:
|
|
$x1 = "<font size=4>Cleanup Shell</font></a>';" ascii fullword
|
|
$x2 = "$(sh /tmp/.scr)"
|
|
$x3 = "@system('sudo /usr/local/bin/admin.pl --mount_cifs=" ascii
|
|
|
|
$s1 = "target=\\\"_blank\\\">Download</a></td>\";" ascii
|
|
$s2 = ",PASSWORD 1>/dev/null 2>/dev/null');" ascii
|
|
$s3 = ",base64_decode('" ascii
|
|
$s4 = "include \"remote.inc\";" ascii
|
|
$s5 = "@system('sudo /usr/local" ascii
|
|
condition:
|
|
uint16(0) == 0x3f3c and
|
|
filesize < 9KB and
|
|
( 1 of ($x*) or 2 of them ) or 3 of them
|
|
}
|