Turla Agent.BTZ

2024-11-07 02:25:19 +00:00 · 2018-04-12 19:42:29 +02:00 · 2018-04-12 19:42:29 +02:00 · 4ca62a2556
commit 4ca62a2556
parent b1641ee954
1 changed files with 36 additions and 7 deletions
--- a/yara/apt_turla.yar
+++ b/yara/apt_turla.yar
@ -168,15 +168,44 @@ rule Turla_KazuarRAT {
      date = "2018-04-08"
      hash1 = "6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa"
      hash2 = "7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d"
-      hash3 = "4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198"   
+      hash3 = "4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198"
   strings:
-      $x1 = "~1.EXE" wide 
-      $s2 = "dl32.dll" fullword ascii 
-      $s3 = "HookProc@" ascii 
-      $s4 = "0`.wtf" fullword ascii 
+      $x1 = "~1.EXE" wide
+      $s2 = "dl32.dll" fullword ascii
+      $s3 = "HookProc@" ascii
+      $s4 = "0`.wtf" fullword ascii
   condition:
      uint16(0) == 0x5a4d and  filesize < 20KB and (
-         pe.imphash() == "682156c4380c216ff8cb766a2f2e8817" or 
-         2 of them ) 
+         pe.imphash() == "682156c4380c216ff8cb766a2f2e8817" or
+         2 of them )
      }

+rule MAL_Turla_Agent_BTZ {
+   meta:
+      description = "Detects Turla Agent.BTZ"
+      author = "Florian Roth"
+      reference = "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified"
+      date = "2018-04-12"
+      hash1 = "c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8"
+   strings:
+      $x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
+      $x3 = "mstotreg.dat" fullword ascii
+      $x4 = "Bisuninst.bin" fullword ascii
+      $x5 = "mfc42l00.pdb" fullword ascii
+      $x6 = "ielocal~f.tmp" fullword ascii
+
+      $s1 = "%s\\1.txt" fullword ascii
+      $s2 = "%windows%" fullword ascii
+      $s3 = "%s\\system32" fullword ascii
+      $s4 = "\\Help\\SYSTEM32\\" fullword ascii
+      $s5 = "%windows%\\mfc42l00.pdb" fullword ascii
+      $s6 = "Size of log(%dB) is too big, stop write." fullword ascii
+      $s7 = "Log: Size of log(%dB) is too big, stop write." fullword ascii
+      $s8 = "%02d.%02d.%04d Log begin:" fullword ascii
+      $s9 = "\\system32\\win.com" fullword ascii
+   condition:
+      uint16(0) == 0x5a4d and filesize < 100KB and (
+         1 of ($x*) or
+         4 of them
+      )
+}