APT6 Malware Signature

2024-11-06 10:05:18 +00:00 · 2016-04-09 12:55:32 +02:00 · 2016-04-09 12:55:32 +02:00 · 65bb44d764
commit 65bb44d764
parent dd4cb5d8a9
2 changed files with 55 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,5 @@
 threatintel/get-otx-iocs_flo.py

 threatintel/get-misp-iocs_flo.py
+
+yara/gen_winrarsfx_uncom_vendors.yar
--- a/yara/apt_apt6_malware.yar
+++ b/yara/apt_apt6_malware.yar
@ -0,0 +1,53 @@
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-04-09
+	Identifier: APT 6 Malware
+*/
+
+rule APT6_Malware_Sample_Gen {
+	meta:
+		description = "Rule written for 2 malware samples that communicated to APT6 C2 servers"
+		author = "Florian Roth"
+		reference = "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/"
+		date = "2016-04-09"
+		score = 80
+		hash1 = "321ec239bfa6927d39155ef5f10741ed786219489bbbb1dc8fee66e22f9f8e80"
+		hash2 = "7aef130b19d1f940e4c4cee6efe0f190f1402d2e0f741ee605c77518a04cb6d7"
+	strings:
+		/* Specific strings from samples */
+		$x1 = "SystemPropertiesRemote.exe" fullword ascii
+		$x2 = "SPCK!it is a [(?riddle?) wrapped in a {mystery}] inside an <enigma>!" fullword ascii
+		$x3 = "636C7369643A46334430443336462D323346382D343638322D413139352D373443393242303344344146" fullword ascii
+
+		/* Malware Strings */
+		$s1 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" fullword ascii
+		$s2 = "DUMPTHIN" fullword ascii
+		$s3 = "\"C:\\WINDOWS\\system32\\" fullword ascii
+		$s4 = "window.eval(f.decodeURIComponent(a));" fullword ascii
+		$s5 = "/tbedrs.dll" fullword ascii
+		$s6 = "NSISDL/1.2 (Mozilla)" fullword ascii
+		$s7 = "NSIS_Inetc (Mozilla)" fullword ascii
+		$s8 = "/logos.gif" fullword ascii
+		$s9 = "synflood" fullword ascii
+		$s10 = "IconFile=C:\\WINDOWS\\system32\\SHELL32.dll" fullword ascii
+		$s11 = "udpflood" fullword ascii
+		$s12 = "shellcode" fullword ascii
+		$s13 = "&PassWord=" fullword ascii
+		$s14 = "SystemPropertiesProtection.exe" fullword ascii
+
+		/* C2 Server user by APT 6 group */
+		$c1 = "jobcall.org" ascii
+		$c2 = "sportsinfinite.com" ascii
+		$c3 = "milsatcom.us" ascii
+		$c4 = "geographicphotographer.com" ascii
+		$c5 = "snowsmooth.com" ascii
+		$c6 = "goodre.net" ascii
+		$c7 = "gloflabs.com" ascii
+	condition:
+		(
+			uint16(0) == 0x5a4d and filesize < 1000KB and
+			( 1 of ($x*) or 1 of ($c*) or 3 of ($s*) )
+		) or
+		( 6 of them )
+}