Improved TA17-293A rule by Kyle O'Meara

https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html
2024-11-07 02:25:19 +00:00 · 2019-03-26 11:41:00 +01:00 · 2019-03-26 11:41:00 +01:00 · aad4925d37
commit aad4925d37
parent c4b6c032f9
1 changed files with 15 additions and 11 deletions
--- a/yara/apt_ta17_293A.yar
+++ b/yara/apt_ta17_293A.yar
@ -73,17 +73,21 @@ rule TA17_293A_malware_1 {
        1 of ($x*)
 }

-rule TA17_293A_malware_2 {
-    meta:
-        description = "rule detects malware"
-        author = "other"
-        reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
-    strings:
-        $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }
-        $http_push = "X-mode: push" nocase
-        $http_pop = "X-mode: pop" nocase
-    condition:
-        any of them
+rule TA17_293A_energetic_bear_api_hashing_tool {
+   meta:
+      description = "Energetic Bear API Hashing Tool"
+      assoc_report = "DHS Report TA17-293A"
+      author = "CERT RE Team"
+      version = "2"
+   strings:
+      $api_hash_func_v1 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }
+      $api_hash_func_v2 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 44 24 14 EB EC }
+      $api_hash_func_x64 = { 8A 08 84 C9 74 ?? 80 C9 60 48 01 CB 48 C1 E3 01 48 03 45 20 EB EA }
+
+      $http_push = "X-mode: push" nocase
+      $http_pop = "X-mode: pop" nocase
+   condition:
+      $api_hash_func_v1 or $api_hash_func_v2 or $api_hash_func_x64 and (uint16(0) == 0x5a4d or $http_push or $http_pop)
 }

 rule TA17_293A_Query_XML_Code_MAL_DOC_PT_2 {