APT Turla Neuron

2024-11-07 02:25:19 +00:00 · 2017-11-25 00:40:07 +01:00 · 2017-11-25 00:40:07 +01:00 · 7a9d7b9abd
commit 7a9d7b9abd
parent dc521f581d
1 changed files with 122 additions and 0 deletions
--- a/yara/apt_turla_neuron.yar
+++ b/yara/apt_turla_neuron.yar
@ -0,0 +1,122 @@
+/*
+   Yara Rule Set
+   Author: NCSC UK
+   Date: 2017-11-23
+   Identifier: Turla Neuron
+   Reference: https://www.ncsc.gov.uk/alerts/turla-group-malware
+*/
+
+rule Neuron_common_strings {
+    meta:
+        description = "Rule for detection of Neuron based on commonly used strings"
+        author = "NCSC UK"
+        hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"
+        date = "2017/11/23"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+    strings:
+        $strServiceName = "MSExchangeService" ascii
+        $strReqParameter_1 = "cadataKey" wide
+        $strReqParameter_2 = "cid" wide
+        $strReqParameter_3 = "cadata" wide
+        $strReqParameter_4 = "cadataSig" wide
+        $strEmbeddedKey = "PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm clpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb HlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH VsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+" wide
+        $strDefaultKey = "8d963325-01b8-4671-8e82-d0904275ab06" wide
+        $strIdentifier = "MSXEWS" wide
+        $strListenEndpoint = "443/ews/exchange/" wide
+        $strB64RegKeySubstring = "U09GVFdBUkVcTWljcm9zb2Z0XENyeXB0b2dyYXBo" wide
+        $strName = "neuron_service" ascii
+        $dotnetMagic = "BSJB" ascii
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 6 of ($str*)
+}
+
+rule Neuron_standalone_signature {
+    meta:
+        description = "Rule for detection of Neuron based on a standalone signature from .NET metadata"
+        author = "NCSC UK"
+        hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"
+        date = "2017/11/23"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+    strings:
+        $a = { eb073d151231011234080e12818d1d051281311d1281211d1281211d128121081d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281 }
+        $dotnetMagic = "BSJB" ascii
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
+}
+
+rule Nautilus_modified_rc4_loop {
+    meta:
+        description = "Rule for detection of Nautilus based on assembly code for a modified RC4 loop"
+        author = "NCSC UK"
+        hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
+        date = "2017/11/23"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+    strings:
+        $a = {42 0F B6 14 04 41 FF C0 03 D7 0F B6 CA 8A 14 0C 43 32 14 13 41 88 12 49 FF C2 49 FF C9}
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $a
+}
+
+rule Nautilus_rc4_key {
+    meta:
+        description = "Rule for detection of Nautilus based on a hardcoded RC4 key"
+        author = "NCSC UK"
+        hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
+        date = "2017/11/23"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+    strings:
+        $key = {31 42 31 34 34 30 44 39 30 46 43 39 42 43 42 34 36 41 39 41 43 39 36 34 33 38 46 45 45 41 38 42}
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $key
+}
+
+rule Nautilus_common_strings {
+    meta:
+        description = "Rule for detection of Nautilus based on common plaintext strings"
+        author = "NCSC UK"
+        hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"
+        date = "2017/11/23"
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+    strings:
+        $ = "nautilus-service.dll" ascii
+        $ = "oxygen.dll" ascii
+        $ = "config_listen.system" ascii
+        $ = "ctx.system" ascii
+        $ = "3FDA3998-BEF5-426D-82D8-1A71F29ADDC3" ascii
+        $ = "C:\\ProgramData\\Microsoft\\Windows\\Caches\\{%s}.2.ver0x0000000000000001.db" ascii
+    condition:
+        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them
+}
+
+/* Forensic Artifacts */
+
+rule Nautilus_forensic_artificats {
+    meta:
+        description = "Rule for detection of Nautilus related strings"
+        author = "NCSC UK / Florian Roth"
+        date = "2017/11/23"
+        score = 60
+        reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware"
+    strings:
+        $ = "App_Web_juvjerf3.dll" fullword ascii
+        $ = "App_Web_vcplrg8q.dll" fullword ascii
+        $ = "ar_all2.txt" fullword ascii
+        $ = "ar_sa.txt" fullword ascii
+        $ = "Convert.FromBase64String(temp[1])" fullword ascii
+        $ = "D68gq#5p0(3Ndsk!" fullword ascii
+        $ = "dcomnetsrv" fullword ascii
+        $ = "errorFE.aspx" fullword ascii
+        $ = "errorfe.aspx.f5dba9b9.compiled" fullword ascii
+        $ = "ERRORF~1.ASP" fullword ascii
+        $ = "intelliAdminRpc" fullword ascii
+        $ = "J8fs4F4rnP7nFl#f" fullword ascii
+        $ = "Msnb.exe" fullword ascii
+        $ = "nautilus-service.dll"
+        $ = "Neuron_service" fullword ascii
+        $ = "owa.exe" fullword ascii
+        $ = "owa_ar2.bat" fullword ascii
+        $ = "payload.x64.dll.system" fullword ascii
+        $ = "service.x64.dll.system" fullword ascii
+    condition:
+        1 of them
+}