RUAG APT Case YARA Signatures

- Signatures based on descriptions in report > not the actual samples
2024-11-06 18:15:20 +00:00 · 2016-05-24 07:29:20 -06:00 · 2016-05-24 07:29:20 -06:00 · 902f434811
commit 902f434811
parent 8ac0ec1535
1 changed files with 85 additions and 0 deletions
--- a/yara/apt_ruag.yar
+++ b/yara/apt_ruag.yar
@ -0,0 +1,85 @@
+/*
+  Yara Rule Set
+  Author: Florian Roth
+  Date: 2016-05-23
+  Identifier: Swiss RUAG APT Case
+  Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case 
+*/
+
+rule RUAG_Tavdig_Malformed_Executable {
+  meta:
+    description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  condition:
+    uint16(0) == 0x5a4d and /* MZ Header */
+    uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
+}
+
+rule RUAG_Bot_Config_File {
+  meta:
+    description = "Detects a specific config file used by malware in RUAG APT case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $s1 = "[CONFIG]" ascii
+    $s2 = "name = " ascii
+    $s3 = "exe = cmd.exe" ascii
+  condition:
+    $s1 at 0 and $s2 and $s3 and filesize < 160 
+}
+
+rule RUAG_Cobra_Malware {
+  meta:
+    description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
+  condition:
+    uint16(0) == 0x5a4d and $s1
+}
+
+rule RUAG_Cobra_Config_File {
+  meta:
+    description = "Detects a config text file used by malware Cobra in RUAG case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $h1 = "[NAME]" ascii
+
+    $s1 = "object_id=" ascii
+    $s2 = "[TIME]" ascii fullword
+    $s3 = "lastconnect" ascii 
+    $s4 = "[CW_LOCAL]" ascii fullword
+    $s5 = "system_pipe" ascii
+    $s6 = "user_pipe" ascii
+    $s7 = "[TRANSPORT]" ascii
+    $s8 = "run_task_system" ascii
+    $s9 = "[WORKDATA]" ascii 
+    $s10 = "address1" ascii
+  condition:
+    $h1 at 0 and 8 of ($s*) and filesize < 5KB
+}
+
+rule RUAG_Exfil_Config_File {
+  meta:
+    description = "Detects a config text file used in data exfiltration in RUAG case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $h1 = "[TRANSPORT]" ascii
+
+    $s1 = "system_pipe" ascii
+    $s2 = "spstatus" ascii
+    $s3 = "adaptable" ascii 
+    $s4 = "post_frag" ascii
+    $s5 = "pfsgrowperiod" ascii
+  condition:
+    $h1 at 0 and all of ($s*) and filesize < 1KB
+}