more Sandworm rules

2024-11-06 10:05:18 +00:00 · 2020-05-28 21:11:08 +02:00 · 2020-05-28 21:11:08 +02:00 · 10c7f912b2
commit 10c7f912b2
parent feb6649758
1 changed files with 36 additions and 0 deletions
--- a/yara/apt_sandworm_exim_expl.yar
+++ b/yara/apt_sandworm_exim_expl.yar
@ -120,3 +120,39 @@ rule APT_SH_Sandworm_Shell_Script_May20_1 {
      filesize < 20KB and
      1 of ($x*) or 4 of them
 }
+
+rule APT_RU_Sandworm_PY_May20_1 {
+   meta:
+      description = "Detects Sandworm Python loader"
+      author = "Florian Roth"
+      reference = "https://twitter.com/billyleonard/status/1266054881225236482"
+      date = "2020-05-28"
+      hash1 = "c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca"
+   strings:
+      $x1 = "o.addheaders=[('User-Agent','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko')]" ascii fullword
+      
+      $s1 = "exec(o.open('http://" ascii
+      $s2 = "__import__({2:'urllib2',3:'urllib.request'}"
+   condition:
+      uint16(0) == 0x6d69 and
+      filesize < 1KB and
+      1 of ($x*) or 2 of them
+}
+
+rule APT_RU_Sandworm_PY_May20_2 {
+   meta:
+      description = "Detects Sandworm Python loader"
+      author = "Florian Roth"
+      reference = "https://twitter.com/billyleonard/status/1266054881225236482"
+      date = "2020-05-28"
+      hash1 = "abfa83cf54db8fa548942acd845b4f34acc94c46d4e1fb5ce7e97cc0c6596676"
+   strings:
+      $x1 = "import sys;import re, subprocess;cmd" ascii fullword
+      $x2 = "UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http"
+      $x3 = "';t='/admin/get.php';req" ascii
+      $x4 = "ps -ef | grep Little\\ Snitch | grep " ascii fullword
+   condition:
+      uint16(0) == 0x6d69 and
+      filesize < 2KB and
+      1 of them
+}