add solarwinds credential stealer + PHPs <?= to filetypes

misc/file-type-signatures.txt

@@ -25,6 +25,7 @@ A1 B2 CD 34;LIBPCAP
 FF 4B 45 59 42 20 20 20;SYS Keyboard Driver
 FF FE 3C 00 3F 00 78 00 6D 00 6C;Windows At Job
 3C 3F 70 68 70;PHP
+3C 3F 3D;PHP <?=
 0D 44 4F 43;DOC
 FF D8 FF E0;JPEG
 1F 8B 08;GZIP

yara/gen_solarwinds_credential_stealer.yar

@@ -0,0 +1,27 @@
+
+rule HKTL_Solarwinds_credential_stealer {
+    meta:
+        description = "Detects solarwinds credential stealers like e.g. solarflare via the touched certificate, files and database columns"
+        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"
+        reference = "https://github.com/mubix/solarflare"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2021-01-20"
+		hash = "1b2e5186464ed0bdd38fcd9f4ab294a7ba28bd829bf296584cbc32e2889037e4"
+		hash = "4adb69d4222c80d97f8d64e4d48b574908a518f8d504f24ce93a18b90bd506dc"
+    strings:
+        $certificate = "CN=SolarWinds-Orion" ascii nocase wide
+        $credfile1 = "\\CredentialStorage\\SolarWindsDatabaseAccessCredential" ascii nocase wide
+        $credfile2 = "\\KeyStorage\\CryptoHelper\\default.dat" ascii nocase wide
+        $credfile3 = "\\Orion\\SWNetPerfMon.DB" ascii nocase wide
+        $credfile4 = "\\Orion\\RabbitMQ\\.erlang.cookie" ascii nocase wide
+        $sql1 = "encryptedkey" ascii nocase wide fullword
+        $sql2 = "protectiontype" ascii nocase wide fullword
+        $sql3 = "CredentialProperty" ascii nocase wide fullword
+        $sql4 = "passwordhash" ascii nocase wide fullword
+        $sql5 = "credentialtype" ascii nocase wide fullword
+        $sql6 = "passwordsalt" ascii nocase wide fullword
+    condition:
+        uint16(0) == 0x5A4D and $certificate and ( 2 of ( $credfile* ) or 5 of ( $sql* ) )
+}
+