Sneed-Reactivity/yara-mikesxrs/Cado Security/Linux_Worm_ORCSHRED.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

19 lines
590 B
Text

rule Linux_Worm_ORCSHRED {
meta:
description = "Detects ORCSHRED worm used in attacks on Ukrainian ICS"
reference = "https://github.com/cado-security/DFIR_Resources_Industroyer2"
author = "mmuir@cadosecurity.com"
date = "2022-04-12"
license = "Apache License 2.0"
hash = "43d07f28b7b699f43abd4f695596c15a90d772bfbd6029c8ee7bc5859c2b0861"
strings:
$a = "is_owner" ascii
$b = "Start most security mode!" ascii
$c = "check_solaris" ascii
$d = "wsol.sh" ascii
$e = "wobf.sh" ascii
$f = "disown" ascii
$g = "/var/log/tasks" ascii
condition:
4 of them
}