08e8d462fe
RED PILL 🔴 💊
138 lines
5.7 KiB
Text
138 lines
5.7 KiB
Text
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-07-08
|
|
Identifier: ZxShell Related Malware (same C2)
|
|
Reference: https://blogs.rsa.com/cat-phishing/
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule ZxShell_Related_Malware_CN_Group_Jul17_1 {
|
|
meta:
|
|
description = "Detects a ZxShell related sample from a CN threat group"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://blogs.rsa.com/cat-phishing/"
|
|
date = "2017-07-08"
|
|
hash1 = "ef56c2609bc1b90f3e04745890235e6052a4be94e35e38b6f69b64fb17a7064e"
|
|
id = "a91e39bb-1bb3-54a8-b684-d673c445375c"
|
|
strings:
|
|
$x1 = "CMD.EXE /C NET USER GUEST /ACTIVE:yes && NET USER GUEST ++++++" ascii
|
|
$x2 = "system\\cURRENTcONTROLSET\\sERVICES\\tERMSERVICE" fullword ascii
|
|
$x3 = "\\secivreS\\teSlortnoCtnerruC\\METSYS" ascii /* reversed goodware string 'SYSTEM\\CurrentControlSet\\Services\\' */
|
|
$x4 = "system\\cURRENTCONTROLSET\\cONTROL\\tERMINAL sERVER" fullword ascii
|
|
$x5 = "sOFTWARE\\mICROSOFT\\iNTERNET eXPLORER\\mAIN" fullword ascii
|
|
$x6 = "eNABLEaDMINtsREMOTE" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them )
|
|
}
|
|
|
|
rule ZxShell_Related_Malware_CN_Group_Jul17_2 {
|
|
meta:
|
|
description = "Detects a ZxShell related sample from a CN threat group"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://blogs.rsa.com/cat-phishing/"
|
|
date = "2017-07-08"
|
|
hash1 = "204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e"
|
|
id = "37c1f26b-4b4f-510e-a7b7-b2afb17d6e71"
|
|
strings:
|
|
$u1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)" fullword ascii
|
|
$u2 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
|
|
$u3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii
|
|
$u4 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
|
|
|
|
$x1 = "\\\\%s\\admin$\\g1fd.exe" fullword ascii
|
|
$x2 = "C:\\g1fd.exe" fullword ascii
|
|
$x3 = "\\\\%s\\C$\\NewArean.exe" fullword ascii
|
|
|
|
$s0 = "at \\\\%s %d:%d %s" fullword ascii
|
|
$s1 = "%c%c%c%c%ccn.exe" fullword ascii
|
|
$s2 = "hra%u.dll" fullword ascii
|
|
$s3 = "Referer: http://%s:80/http://%s" fullword ascii
|
|
$s5 = "Accept-Language: zh-cn" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of them )
|
|
}
|
|
|
|
rule ZxShell_Related_Malware_CN_Group_Jul17_3 {
|
|
meta:
|
|
description = "Detects a ZxShell related sample from a CN threat group"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://blogs.rsa.com/cat-phishing/"
|
|
date = "2017-07-08"
|
|
hash1 = "2e5cf8c785dc081e5c2b43a4a785713c0ae032c5f86ccbc7abf5c109b8854ed7"
|
|
id = "1900b861-b4a2-50b5-a639-3eb442072139"
|
|
strings:
|
|
$s1 = "%s\\nt%s.dll" fullword ascii
|
|
$s2 = "RegQueryValueEx(Svchost\\netsvcs)" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 600KB and all of them )
|
|
}
|
|
|
|
rule ZxShell_Jul17 {
|
|
meta:
|
|
description = "Detects a ZxShell - CN threat group"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://blogs.rsa.com/cat-phishing/"
|
|
date = "2017-07-08"
|
|
hash1 = "5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16"
|
|
id = "1b009b20-5a19-5cac-aaaf-ca61310eab9f"
|
|
strings:
|
|
$x1 = "zxplug -add" fullword ascii
|
|
$x2 = "getxxx c:\\xyz.dll" fullword ascii
|
|
$x3 = "downfile -d c:\\windows\\update.exe" fullword ascii
|
|
$x4 = "-fromurl http://x.x.x/x.dll" fullword ascii
|
|
$x5 = "ping 127.0.0.1 -n 7&cmd.exe /c net start %s" fullword ascii
|
|
$x6 = "ZXNC -e cmd.exe x.x.x.x" fullword ascii
|
|
$x7 = "(bind a cmdshell)" fullword ascii
|
|
$x8 = "ZXFtpServer 21 20 zx" fullword ascii
|
|
$x9 = "ZXHttpServer" fullword ascii
|
|
$x10 = "c:\\error.htm,.exe|c:\\a.exe,.zip|c:\\b.zip\"" fullword ascii
|
|
$x11 = "c:\\windows\\clipboardlog.txt" fullword ascii
|
|
$x12 = "AntiSniff -a wireshark.exe" fullword ascii
|
|
$x13 = "c:\\windows\\keylog.txt" fullword ascii
|
|
condition:
|
|
( filesize < 10000KB and 1 of them ) or 3 of them
|
|
}
|
|
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-12-11
|
|
Identifier: ZxShell
|
|
Reference: https://goo.gl/snc85M
|
|
*/
|
|
|
|
import "pe"
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule ZXshell_20171211_chrsben {
|
|
meta:
|
|
description = "Detects ZxShell variant surfaced in Dec 17"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/snc85M"
|
|
date = "2017-12-11"
|
|
hash1 = "dd01e7a1c9b20d36ea2d961737780f2c0d56005c370e50247e38c5ca80dcaa4f"
|
|
id = "3bbfddb8-011a-52dd-b0c8-b35e6f740507"
|
|
strings:
|
|
$x1 = "ncProxyXll" fullword ascii
|
|
|
|
$s1 = "Uniscribe.dll" fullword ascii
|
|
$s2 = "GetModuleFileNameDll" fullword ascii
|
|
$s4 = "$Hangzhou Shunwang Technology Co.,Ltd0" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 2000KB and (
|
|
pe.imphash() == "de481441d675e9aca4f20bd8e16a5faa" or
|
|
pe.exports("PerfectWorld") or
|
|
pe.exports("ncProxyXll") or
|
|
1 of ($x*) or
|
|
2 of them
|
|
)
|
|
}
|