54 lines
1.6 KiB
Text
54 lines
1.6 KiB
Text
/*
|
|
Yara Rule Set
|
|
Author: ESET
|
|
Date: 2017-08-30
|
|
Identifier: Turla Gazer
|
|
Reference: https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
|
|
*/
|
|
|
|
|
|
import "pe"
|
|
|
|
rule Gazer_certificate_subject {
|
|
meta:
|
|
description = "Detects Tura's Gazer malware"
|
|
author = "ESET"
|
|
reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
|
|
date = "30.08.2017"
|
|
id = "4eace653-003e-5cae-9db8-f26502f35fc4"
|
|
condition:
|
|
for any i in (0..pe.number_of_signatures - 1):
|
|
(
|
|
pe.signatures[i].subject contains "Solid Loop" or
|
|
pe.signatures[i].subject contains "Ultimate Computer Support"
|
|
)
|
|
}
|
|
|
|
rule Gazer_certificate {
|
|
meta:
|
|
description = "Detects Tura's Gazer malware"
|
|
author = "ESET"
|
|
reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
|
|
date = "30.08.2017"
|
|
id = "4eace653-003e-5cae-9db8-f26502f35fc4"
|
|
strings:
|
|
$certif1 = { 52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02 }
|
|
$certif2 = { 12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c }
|
|
condition:
|
|
uint16(0) == 0x5a4d and 1 of them and filesize < 2MB
|
|
}
|
|
|
|
rule Gazer_logfile_name {
|
|
meta:
|
|
description = "Detects Tura's Gazer malware"
|
|
author = "ESET"
|
|
reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
|
|
date = "30.08.2017"
|
|
id = "c10d440f-dc9e-54c8-b329-9f22cba05e86"
|
|
strings:
|
|
$s1 = "CVRG72B5.tmp.cvr"
|
|
$s2 = "CVRG1A6B.tmp.cvr"
|
|
$s3 = "CVRG38D9.tmp.cvr"
|
|
condition:
|
|
uint16(0) == 0x5a4d and 1 of them
|
|
}
|