Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-Neo23x0/apt_unc2891_mal_jan23.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

76 lines
3.2 KiB
Text
Raw Blame History

rule MAL_UNC2891_Caketap {
meta:
description = "Detects UNC2891 Rootkit Caketap"
author = "Frank Boldewin (@r3c0nst)"
date = "2022-03-30"
reference = "https://github.com/fboldewin/YARA-rules/tree/master"
id = "9c2ffe3d-69ca-5f93-bdb1-40e449139dec"
strings:
$str1 = ".caahGss187" ascii fullword // SyS_mkdir hook cmd ident
$str2 = "ipstat" ascii // rootkit lkm name
$code1 = {41 80 7E 06 4B 75 ?? 41 80 7E 07 57 75 ?? 41 0F B6 46 2B} // HSM cmd KW check
$code2 = {41 C6 46 01 3D 41 C6 46 08 32} // mode_flag switch
condition:
uint32 (0) == 0x464c457f and (all of ($code*) or (all of ($str*) and #str2 == 2))
}
rule MAL_UNC2891_Slapstick {
meta:
description = "Detects UNC2891 Slapstick pam backdoor"
author = "Frank Boldewin (@r3c0nst), slightly modifier by Florian Roth"
date = "2022-03-30"
modified = "2023-01-05"
reference = "https://github.com/fboldewin/YARA-rules/tree/master"
hash1 = "9d0165e0484c31bd4ea467650b2ae2f359f67ae1016af49326bb374cead5f789"
id = "eb5db507-ac12-5c11-9dd9-ec34b9a80e1c"
strings:
$code1 = {F6 50 04 48 FF C0 48 39 D0 75 F5} // string decrypter
$code2 = {88 01 48 FF C1 8A 11 89 C8 29 F8 84 D2 0F 85} // log buf crypter
$str1 = "/proc/self/exe" fullword ascii
$str2 = "%-23s %-23s %-23s %-23s %-23s %s" fullword ascii
$str3 = "pam_sm_authenticate" ascii
/* $str4 = "ACCESS GRANTED & WELCOME" xor // pam prompt message */
$str_fr1 = "HISTFILE=/dev/null" // replacement for XORED message for memory usage reasons
condition:
uint32 (0) == 0x464c457f and filesize < 100KB and (all of ($code*) or all of ($str*))
}
rule MAL_UNC2891_Steelcorgi {
meta:
description = "Detects UNC2891 Steelcorgi packed ELF binaries"
author = "Frank Boldewin (@r3c0nst)"
date = "2022-03-30"
reference = "https://github.com/fboldewin/YARA-rules/tree/master"
hash1 = "0760cd30d18517e87bf9fd8555513423db1cd80730b47f57167219ddbf91f170"
hash2 = "3560ed07aac67f73ef910d0b928db3c0bb5f106b5daee054666638b6575a89c5"
hash3 = "5b4bb50055b31dbd897172583c7046dd27cd03e1e3d84f7a23837e8df7943547"
id = "94da7da5-5fc3-5221-97d6-1854aa7b1959"
strings:
$pattern1 = {70 61 64 00 6C 63 6B 00} // padlck
$pattern2 = {FF 72 FF 6F FF 63 FF 2F FF 73 FF 65 FF 6C FF 66 FF 2F FF 65 FF 78 FF 65} // proc_self_exe
condition:
uint32(0) == 0x464c457f and all of them
}
rule MAL_UNC2891_Winghook {
meta:
description = "Detects UNC2891 Winghook Keylogger"
author = "Frank Boldewin (@r3c0nst)"
date = "2022-03-30"
reference = "https://github.com/fboldewin/YARA-rules/tree/master"
hash1 = "d071ee723982cf53e4bce89f3de5a8ef1853457b21bffdae387c4c2bd160a38e"
id = "e5955fa0-8204-58e3-88a6-de4b47756ede"
strings:
$code1 = {01 F9 81 E1 FF 00 00 00 41 89 CA [15] 44 01 CF 81 E7 FF 00 00 00} // crypt log file data
$code2 = {83 E2 0F 0F B6 14 1? 32 14 01 88 14 0? 48 83 ?? ?? 48 83 ?? ?? 75} // decrypt path+logfile name
$str1 = "fgets" ascii // hook function name
$str2 = "read" ascii // hook function name
condition:
uint32 (0) == 0x464c457f and filesize < 100KB and 1 of ($code*) and all of ($str*)
}
Reference in a new issue View git blame Copy permalink