08e8d462fe
RED PILL 🔴 💊
107 lines
4.3 KiB
Text
107 lines
4.3 KiB
Text
/*
|
|
Yara Rule Set
|
|
Author: Markus Neis, Florian Roth
|
|
Date: 2018-03-21
|
|
Identifier: OilRig / Chafer activity
|
|
Reference: https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule Chafer_Mimikatz_Custom {
|
|
meta:
|
|
description = "Detects Custom Mimikatz Version"
|
|
author = "Florian Roth (Nextron Systems) / Markus Neis"
|
|
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
|
|
date = "2018-03-22"
|
|
hash1 = "9709afeb76532566ee3029ecffc76df970a60813bcac863080cc952ad512b023"
|
|
id = "80f751c3-d7ca-5ff6-a905-38650e1c4ec5"
|
|
strings:
|
|
$x1 = "C:\\Users\\win7p\\Documents\\mi-back\\" ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them
|
|
}
|
|
|
|
rule Chafer_Exploit_Copyright_2017 {
|
|
meta:
|
|
description = "Detects Oilrig Internet Server Extension with Copyright (C) 2017 Exploit"
|
|
author = "Markus Neis"
|
|
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
|
|
date = "2018-03-22"
|
|
hash1 = "cdac69caad8891c5e1b8eabe598c869674dee30af448ce4e801a90eb79973c66"
|
|
id = "f78ae4f5-0569-5fc8-ab25-ebe38afd9f3c"
|
|
strings:
|
|
$x1 = "test3 Internet Server Extension" fullword wide
|
|
$x2 = "Copyright (C) 2017 Exploit" fullword wide
|
|
|
|
$a1 = "popen() failed!" fullword ascii
|
|
$a2 = "cmd2cmd=" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 700KB and (
|
|
1 of ($x*) or all of ($a*)
|
|
)
|
|
}
|
|
|
|
rule Chafer_Portscanner {
|
|
meta:
|
|
description = "Detects Custom Portscanner used by Oilrig"
|
|
author = "Markus Neis"
|
|
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
|
|
date = "2018-03-22"
|
|
hash1 = "88274a68a6e07bdc53171641e7349d6d0c71670bd347f11dcc83306fe06656e9"
|
|
id = "8db934c3-fb0d-5c87-9096-1ee8fb16f9a5"
|
|
strings:
|
|
$x1 = "C:\\Users\\RS01204N\\Documents\\" ascii
|
|
$x2 = "PortScanner /ip:google.com /port:80 /t:500 /tout:2" fullword ascii
|
|
$x3 = "open ports of host/hosts" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them
|
|
}
|
|
|
|
rule Oilrig_Myrtille {
|
|
meta:
|
|
description = "Detects Oilrig Myrtille RDP Browser"
|
|
author = "Markus Neis"
|
|
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
|
|
date = "2018-03-22"
|
|
modified = "2022-12-21"
|
|
hash1 = "67945f2e65a4a53e2339bd361652c6663fe25060888f18e681418e313d1292ca"
|
|
id = "e742ab0c-0e21-569e-a100-e5082dc1d372"
|
|
strings:
|
|
$x1 = "\\obj\\Release\\Myrtille.Services.pdb" ascii
|
|
$x2 = "Failed to notify rdp client process exit (MyrtilleAppPool down?), remote session {0} ({1})" fullword wide
|
|
$x3 = "Started rdp client process, remote session {0}" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 50KB and 1 of them
|
|
}
|
|
|
|
rule Chafer_Packed_Mimikatz {
|
|
meta:
|
|
description = "Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR"
|
|
author = "Florian Roth (Nextron Systems) / Markus Neis"
|
|
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
|
|
date = "2018-03-22"
|
|
hash1 = "5f2c3b5a08bda50cca6385ba7d84875973843885efebaff6a482a38b3cb23a7c"
|
|
id = "abd34c6a-7d99-5f52-be8e-a7d634d61255"
|
|
strings:
|
|
$s1 = "Windows Security Credentials" fullword wide
|
|
$s2 = "Minisoft" fullword wide
|
|
$x1 = "Copyright (c) 2014 - 2015 Minisoft" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 300KB and ( all of ($s*) or $x1 )
|
|
}
|
|
|
|
rule Oilrig_PS_CnC {
|
|
meta:
|
|
description = "Powershell CnC using DNS queries"
|
|
author = "Markus Neis"
|
|
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
|
|
date = "2018-03-22"
|
|
hash1 = "9198c29a26f9c55317b4a7a722bf084036e93a41ba4466cbb61ea23d21289cfa"
|
|
id = "cbc5689c-37ff-59b6-9e3a-7d8577021f70"
|
|
strings:
|
|
$x1 = "(-join $base32filedata[$uploadedCompleteSize..$($uploadedCompleteSize" fullword ascii
|
|
$s2 = "$hostname = \"D\" + $fileID + (-join ((65..90) + (48..57) + (97..122)|" ascii
|
|
condition:
|
|
filesize < 40KB and 1 of them
|
|
}
|