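rule OSX_backdoor_EvilOSX
{
    meta:
        description = "EvilOSX MacOS/OSX backdoor"
        author = "John Lambert @JohnLaTwC"
        reference = "https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432"
        date = "2018-02-23"
        hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a"
    strings:
        // Python shebang; \s+ tolerates any run of whitespace before "python"
        $h1 = /#!\/usr\/bin\/env\s+python/
        // Loader prerequisites: the sample base64-decodes an embedded script
        $s0 = "import base64" fullword ascii
        $s1 = "b64decode" fullword ascii
        // Strings present in the decoded python script
        $x0 = "EvilOSX" fullword ascii
        $x1 = "get_launch_agent_directory" fullword ascii
        // Base64-encoded forms of the same strings. Each alternation lists the
        // three base64 alignments (offset 0/1/2) of the ASCII spelling and of the
        // UTF-16LE spelling, so the marker is caught wherever it sits in the blob.
        // EvilOSX
        $enc_x0 = /(AHYAaQBsAE8AUwBYA|dmlsT1NY|RQB2AGkAbABPAFMAWA|RXZpbE9TW|UAdgBpAGwATwBTAFgA|V2aWxPU1)/ ascii
        // get_launch_agent_directory
        $enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii
    condition:
        // The plaintext/encoded alternatives are grouped explicitly. YARA binds
        // "and" tighter than "or", so without the parentheses a lone
        // "1 of ($enc_x*)" hit would fire on any file of any size, bypassing the
        // shebang, filesize and base64-loader gates and producing false positives
        // on arbitrary base64 blobs that happen to contain an 8-char fragment.
        $h1 at 0
        and filesize < 30KB
        and all of ($s*)
        and (
            1 of ($x*)
            or 1 of ($enc_x*)
        )
}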
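rule OSX_backdoor_Bella
{
    meta:
        description = "Bella MacOS/OSX backdoor"
        author = "John Lambert @JohnLaTwC"
        reference = "https://twitter.com/JohnLaTwC/status/911998777182924801"
        date = "2018-02-23"
        // three SHA-256 sample hashes, space separated
        hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"
    strings:
        // Python shebang; \s+ tolerates any run of whitespace before "python"
        $h1 = /#!\/usr\/bin\/env\s+python/
        // Prerequisites: import names expected near the top of the script
        $s0 = "subprocess" fullword ascii
        $s1 = "import sys" fullword ascii
        $s2 = "shutil" fullword ascii
        // Bella-specific identifiers and messages; any one is sufficient
        $p0 = "create_bella_helpers" fullword ascii
        $p1 = "is_there_SUID_shell" fullword ascii
        $p2 = "BELLA IS NOW RUNNING" fullword ascii
        $p3 = "SELECT * FROM bella WHERE id" fullword ascii
        // Weaker identifiers that are only convincing as a complete set
        $subpart1_a = "inject_payloads" fullword ascii
        $subpart1_b = "check_if_payloads" fullword ascii
        $subpart1_c = "updateDB" fullword ascii
        $subpart2_a = "appleIDPhishHelp" fullword ascii
        $subpart2_b = "appleIDPhish" fullword ascii
        $subpart2_c = "iTunes" fullword ascii
    condition:
        // @sN[1] is the offset of the first match, so each prerequisite must
        // appear within the first 100 bytes (an unmatched string makes the
        // comparison undefined and the rule false, as intended).
        $h1 at 0
        and filesize < 120KB
        and @s0[1] < 100
        and @s1[1] < 100
        and @s2[1] < 100
        // The three indicator alternatives are grouped explicitly: "and" binds
        // tighter than "or" in YARA, so without the parentheses a full
        // $subpart1_*/$subpart2_* set would match on any file, bypassing the
        // shebang, filesize and prerequisite gates above.
        and (
            1 of ($p*)
            or all of ($subpart1_*)
            or all of ($subpart2_*)
        )
}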
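rule persistence_agent_macos
{
    meta:
        description = "Python script embedding a launchd property list (plaintext or base64-encoded) carrying StartInterval/RunAtLoad persistence keys"
        // Same three sample hashes as OSX_backdoor_Bella; the rule is a generic
        // persistence-mechanism companion to that family rule.
        hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"
    strings:
        // Python shebang, written as in the sibling rules so a run of whitespace
        // before "python" is tolerated (the previous literal only matched one space)
        $h1 = /#!\/usr\/bin\/env\s+python/
        // Plaintext plist markers: all three required
        $s_1 = "<plist" ascii fullword
        $s_2 = "ProgramArguments" ascii fullword
        $s_3 = "Library" ascii fullword
        // Plaintext launchd scheduling keys: one required
        $sinterval_1 = "StartInterval" ascii fullword
        $sinterval_2 = "RunAtLoad" ascii fullword
        // Base64-encoded forms of the same markers. Each alternation lists the
        // three base64 alignments (offset 0/1/2) of the ASCII and the UTF-16LE
        // spelling, so the marker is caught wherever it sits in the blob.
        // <plist
        $e_1 = /(AHAAbABpAHMAdA|cGxpc3|PABwAGwAaQBzAHQA|PHBsaXN0|wAcABsAGkAcwB0A|xwbGlzd)/ ascii
        // ProgramArguments
        $e_2 = /(AAcgBvAGcAcgBhAG0AQQByAGcAdQBtAGUAbgB0AHMA|AHIAbwBnAHIAYQBtAEEAcgBnAHUAbQBlAG4AdABzA|Byb2dyYW1Bcmd1bWVudH|cm9ncmFtQXJndW1lbnRz|UAByAG8AZwByAGEAbQBBAHIAZwB1AG0AZQBuAHQAcw|UHJvZ3JhbUFyZ3VtZW50c)/ ascii
        // Library
        $e_4 = /(AGkAYgByAGEAcgB5A|aWJyYXJ5|TABpAGIAcgBhAHIAeQ|TGlicmFye|wAaQBiAHIAYQByAHkA|xpYnJhcn)/ ascii
        // StartInterval
        $einterval_a = /(AHQAYQByAHQASQBuAHQAZQByAHYAYQBsA|dGFydEludGVydmFs|MAdABhAHIAdABJAG4AdABlAHIAdgBhAGwA|N0YXJ0SW50ZXJ2YW|U3RhcnRJbnRlcnZhb|UwB0AGEAcgB0AEkAbgB0AGUAcgB2AGEAbA)/ ascii
        // RunAtLoad
        $einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii
    condition:
        // Either the plaintext set or the encoded set must be complete; the
        // wildcard prefixes "$s_"/"$e_" deliberately exclude the "$sinterval"/
        // "$einterval" scheduling keys, which are required separately.
        $h1 at 0
        and filesize < 120KB
        and (
            (all of ($s_*) and 1 of ($sinterval*))
            or
            (all of ($e_*) and 1 of ($einterval*))
        )
}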