From ca0dc06384ff91068fcc2f909b647db2ae088f8d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 16 Apr 2021 10:32:15 +0200
Subject: [PATCH] Codecov rule
---
yara/mal_codecov_hack.yar | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 yara/mal_codecov_hack.yar
diff --git a/yara/mal_codecov_hack.yar b/yara/mal_codecov_hack.yar
new file mode 100644
index 0000000..67b25c2
--- /dev/null
+++ b/yara/mal_codecov_hack.yar
@@ -0,0 +1,16 @@
+
+rule APT_SH_CodeCov_Hack_Apr21_1 {
+ meta:
+ description = "Detects manipulated Codecov bash uploader tool that has been manipulated by an unknown actor during March / April 2021"
+ author = "Florian Roth"
+ reference = "https://about.codecov.io/security-update/"
+ date = "2021-04-16"
+ strings:
+ $a1 = "Global report uploading tool for Codecov"
+ $s1 = "curl -sm 0.5 -d"
+ condition:
+ uint16(0) == 0x2123 and
+ filesize < 70KB and
+ all of them
+}
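Review bot: The rule's verdict rests on a single exact-spacing literal, `$s1 = "curl -sm 0.5 -d"`, since `$a1` and the `uint16(0) == 0x2123` shebang check only confirm the file is the Codecov uploader script; a whitespace-tolerant form such as `$s1 = /curl\s+-sm\s+0\.5\s+-d/` would keep the same scope while surviving trivial reformatting of the inserted line. The `description` meta repeats itself ("manipulated ... that has been manipulated") and could read `description = "Detects a Codecov bash uploader script manipulated by an unknown actor during March / April 2021"`. The hunk header announces 16 added lines but only 15 are recoverable from this page, so one line (likely a blank) may have been lost in rendering; the indentation of the meta, strings and condition sections is also not recoverable here.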