mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
APT41 YARA rules
https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
This commit is contained in:
Florian Roth
parent
3b9fe70f7e
commit
28b0cd7ca3
221
yara/apt_apt41.yar
Normal file
221
yara/apt_apt41.yar
Normal file
@ -0,0 +1,221 @@
|
||||
/*
|
||||
Yara Rule Set
|
||||
Author: Florian Roth
|
||||
Date: 2019-08-07
|
||||
Identifier: APT41
|
||||
Reference: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
|
||||
License: https://creativecommons.org/licenses/by-nc/4.0/
|
||||
*/
|
||||
|
||||
/* Rule Set ----------------------------------------------------------------- */
|
||||
|
||||
import "pe"
|
||||
|
||||
rule APT_APT41_POISONPLUG_3 {
|
||||
meta:
|
||||
description = "Detects APT41 malware POISONPLUG"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 80
|
||||
hash1 = "70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e"
|
||||
strings:
|
||||
$s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii
|
||||
$s2 = "tcpview.exe" fullword ascii
|
||||
$s3 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" fullword ascii /* reversed goodware string 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' */
|
||||
$s4 = "AxEeulaVteSgeR" fullword ascii /* reversed goodware string 'RegSetValueExA' */
|
||||
$s5 = "%04d-%02d-%02d_%02d-%02d-%02d.dmp" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 900KB and 3 of them
|
||||
}
|
||||
|
||||
rule APT_APT41_POISONPLUG_SHADOW {
|
||||
meta:
|
||||
description = "Detects APT41 malware POISONPLUG SHADOW"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 85
|
||||
hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 500KB and pe.imphash() == "c67de089f2009b21715744762fc484e8"
|
||||
}
|
||||
|
||||
rule APT_APT41_CRACKSHOT {
|
||||
meta:
|
||||
description = "Detects APT41 malware CRACKSHOT"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 85
|
||||
hash1 = "993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31"
|
||||
strings:
|
||||
$x1 = ";procmon64.exe;netmon.exe;tcpview.exe;MiniSniffer.exe;smsniff.exe" ascii
|
||||
|
||||
$s1 = "RunUrlBinInMem" fullword ascii
|
||||
$s2 = "DownRunUrlFile" fullword ascii
|
||||
$s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" fullword ascii
|
||||
$s4 = "%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 250KB and ( 1 of ($x*) or 2 of them )
|
||||
}
|
||||
|
||||
rule APT_APT41_POISONPLUG_2 {
|
||||
meta:
|
||||
description = "Detects APT41 malware POISONPLUG"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 70
|
||||
hash1 = "0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb"
|
||||
strings:
|
||||
$s1 = "ma_lockdown_service.dll" fullword wide
|
||||
$s2 = "acbde.dll" fullword ascii
|
||||
$s3 = "MA lockdown Service" fullword wide
|
||||
$s4 = "McAfee Agent" fullword wide
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 11000KB and all of them
|
||||
}
|
||||
|
||||
rule APT_APT41_POISONPLUG {
|
||||
meta:
|
||||
description = "Detects APT41 malware POISONPLUG"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 80
|
||||
hash1 = "2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd"
|
||||
hash2 = "5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90"
|
||||
hash3 = "f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661"
|
||||
hash4 = "3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f"
|
||||
strings:
|
||||
$s1 = "TSMSISrv.DLL" fullword wide
|
||||
$s2 = "[-]write failed[%d]" fullword ascii
|
||||
$s3 = "[-]load failed" fullword ascii
|
||||
$s4 = "Remote Desktop Services" fullword wide
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 10000KB and (
|
||||
pe.imphash() == "1b074ef7a1c0888ef31337c8ad2f2e0a" or
|
||||
2 of them
|
||||
)
|
||||
}
|
||||
|
||||
rule APT_APT41_HIGHNOON {
|
||||
meta:
|
||||
description = "Detects APT41 malware HIGHNOON"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 85
|
||||
hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
|
||||
hash2 = "4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213"
|
||||
strings:
|
||||
$x1 = "workdll64.dll" fullword ascii
|
||||
|
||||
$s1 = "\\Fonts\\Error.log" fullword ascii
|
||||
$s2 = "[%d/%d/%d/%d:%d:%d]" fullword ascii
|
||||
$s3 = "work_end" fullword ascii
|
||||
$s4 = "work_start" fullword ascii
|
||||
$s5 = "\\svchost.exe" fullword ascii
|
||||
$s6 = "LoadAppInit_DLLs" fullword ascii
|
||||
$s7 = "netsvcs" fullword ascii
|
||||
$s8 = "HookAPIs ...PID %d " fullword ascii
|
||||
$s9 = "SOFTWARE\\Microsoft\\HTMLHelp" fullword ascii
|
||||
$s0 = "DllMain_mem" fullword ascii
|
||||
$s10 = "%s\\NtKlRes.dat" fullword ascii
|
||||
$s11 = "Global\\%s-%d" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 4 of them )
|
||||
}
|
||||
|
||||
rule APT_APT41_HIGHNOON_2 {
|
||||
meta:
|
||||
description = "Detects APT41 malware HIGHNOON"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
hash1 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d"
|
||||
strings:
|
||||
$x1 = "H:\\RBDoor\\" ascii
|
||||
|
||||
$s1 = "PlusDll.dll" fullword ascii
|
||||
$s2 = "ShutDownEvent.dll" fullword ascii
|
||||
$s3 = "\\svchost.exe" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 600KB and (
|
||||
pe.imphash() == "b70358b00dd0138566ac940d0da26a03" or
|
||||
pe.exports("DllMain_mem") or
|
||||
$x1 or 3 of them
|
||||
)
|
||||
}
|
||||
|
||||
rule APT_APT41_HIGHNOON_BIN {
|
||||
meta:
|
||||
description = "Detects APT41 malware HIGHNOON.BIN"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 90
|
||||
hash1 = "490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994"
|
||||
hash2 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d"
|
||||
strings:
|
||||
$s1 = "PlusDll.dll" fullword ascii
|
||||
$s2 = "\\Device\\PORTLESS_DeviceName" fullword wide
|
||||
$s3 = "%s%s\\Security" fullword ascii
|
||||
$s4 = "%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword ascii
|
||||
$s5 = "%s%s\\Enum" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 600KB and (
|
||||
pe.imphash() == "b70358b00dd0138566ac940d0da26a03" or
|
||||
3 of them
|
||||
)
|
||||
}
|
||||
|
||||
rule APT_APT41_HIGHNOON_BIN_2 {
|
||||
meta:
|
||||
description = "Detects APT41 malware HIGHNOON.BIN"
|
||||
author = "Florian Roth"
|
||||
reference = "Internal Research"
|
||||
date = "2019-08-07"
|
||||
score = 85
|
||||
hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
|
||||
hash2 = "c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d"
|
||||
strings:
|
||||
$x1 = "\\Double\\Door_wh\\" ascii
|
||||
$x2 = "[Stone] Config --> 2k3 TCP Positive Logout." fullword ascii
|
||||
$x3 = "\\RbDoorX64.pdb" ascii
|
||||
$x4 = "RbDoor, Version 1.0" fullword wide
|
||||
$x5 = "About RbDoor" fullword wide
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
|
||||
}
|
||||
|
||||
rule APT_APT41_RevokedCert_Aug19_1 {
|
||||
meta:
|
||||
description = "Detects revoked certificates used by APT41 group"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
|
||||
date = "2019-08-07"
|
||||
score = 60
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and
|
||||
for any i in (0 .. pe.number_of_signatures) : (
|
||||
pe.signatures[i].serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" or
|
||||
pe.signatures[i].serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" or
|
||||
pe.signatures[i].serial == "01:00:00:00:00:01:30:73:85:f7:02" or
|
||||
pe.signatures[i].serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" or
|
||||
pe.signatures[i].serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" or
|
||||
pe.signatures[i].serial == "53:0c:e1:4c:81:f3:62:10:a1:68:2a:ff:17:9e:25:80" or
|
||||
pe.signatures[i].serial == "54:c6:c1:40:6f:b4:ac:b5:d2:06:74:e9:93:92:c6:3e" or
|
||||
pe.signatures[i].serial == "fd:f2:83:7d:ac:12:b7:bb:30:ad:05:8f:99:9e:cf:00" or
|
||||
pe.signatures[i].serial == "18:63:79:57:5a:31:46:e2:6b:ef:c9:0a:58:0d:1b:d2" or
|
||||
pe.signatures[i].serial == "5c:2f:97:a3:1a:bc:32:b0:8c:ac:01:00:59:8f:32:f6" or
|
||||
pe.signatures[i].serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" or
|
||||
pe.signatures[i].serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" or
|
||||
pe.signatures[i].serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" or
|
||||
pe.signatures[i].serial == "30:d3:c1:67:26:5b:52:0c:b8:7f:25:84:4f:95:cb:04" or
|
||||
pe.signatures[i].serial == "1e:52:bb:f5:c9:0e:c1:64:d0:5b:e0:e4:16:61:52:5f" or
|
||||
pe.signatures[i].serial == "25:f8:78:22:de:56:d3:98:21:59:28:73:ea:09:ca:37" or
|
||||
pe.signatures[i].serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d"
|
||||
)
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user