08e8d462fe
RED PILL 🔴 💊
17 lines
770 B
Text
17 lines
770 B
Text
rule malware_windows_apt_whitebear_binary_loader_2
|
|
{
|
|
meta:
|
|
description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"
|
|
reference = "https://securelist.com/introducing-whitebear/81638/"
|
|
author = "@fusionrace"
|
|
md5 = "06bd89448a10aa5c2f4ca46b4709a879"
|
|
strings:
|
|
// Non-native English-speaker debug messages
|
|
$b1 = "i cunt waiting anymore #%d" wide ascii
|
|
$b2 = "lights aint turnt off with #%d" wide ascii
|
|
$b3 = "Not find process" wide ascii
|
|
$b4 = "CMessageProcessingSystem::Receive_TAKE_NOP" wide ascii
|
|
$b5 = "CMessageProcessingSystem::Receive_TAKE_CAN_NOT_WORK" wide ascii
|
|
condition:
|
|
3 of ($b*)
|
|
}
|