YARA rules for APT17
57 rules · scoped to actor · back to APT17
YARA rules whose family, name, or description matches this actor or its tooling. Use them for binary-pattern hunts on disk and in memory, but read each rule's condition and author notes before deploying at scale: some are explicitly marked as weak or reuse generic code fragments, and any rule that references `pe.` needs `import "pe"` at the top of the ruleset, which this listing omits.
rule malware_sakula_shellcode {
    meta:
        description = "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula"
        author = "David Cannings"
        id = "147e4894-7877-5367-9f6b-588eb7f0379a"
    strings:
        // Position-independent "get EIP" stub: call $+5 / pop eax / add eax, 6.
        // This idiom is shared by a great deal of unrelated shellcode, so on its
        // own it is weak evidence of Sakula - expect hits on other loaders.
        // Only visible once the MSI payload is decoded or resident in memory.
        /*
            55                 push  ebp
            89 E5              mov   ebp, esp
            E8 00 00 00 00     call  $+5
            58                 pop   eax
            83 C0 06           add   eax, 6
            C9                 leave
            C3                 retn
        */
        $opcodes01 = { 55 89 E5 E8 00 00 00 00 58 83 C0 06 C9 C3 }

        // Hand-rolled export-table walker over a PE image based at esi.
        // Offset math: PE+0x78 is OptionalHeader+0x60, i.e. the export
        // directory RVA; +0x20 / +0x24 inside IMAGE_EXPORT_DIRECTORY are
        // AddressOfNames / AddressOfNameOrdinals (the upstream rule's
        // annotations labelled these differently).
        /*
            8B 5E 3C           mov  ebx, [esi+3Ch]       ; e_lfanew
            8B 5C 1E 78        mov  ebx, [esi+ebx+78h]   ; export directory RVA
            8B 4C 1E 20        mov  ecx, [esi+ebx+20h]   ; AddressOfNames
            53                 push ebx
            8B 5C 1E 24        mov  ebx, [esi+ebx+24h]   ; AddressOfNameOrdinals
            01 F3              add  ebx, esi             ; rebase to VA
        */
        $opcodes02 = { 8B 5E 3C 8B 5C 1E 78 8B 4C 1E 20 53 8B 5C 1E 24 01 F3 }
    condition:
        // Either fragment fires the rule. No MZ / filesize gate on purpose:
        // this is meant for memory and decoded-payload scans, not files on disk.
        $opcodes01 or $opcodes02
}
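rule RAT_Sakula
{
    meta:
        date = "2015-10-13"
        description = "Detects Sakula v1.0 RAT"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings"
        reference = "http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara"
        id = "4be3179c-3b91-56db-bba9-9ccc42066f96"
    strings:
        // Generic Sakula artefacts: C2 URI fragments, the ping-then-delete
        // self-removal line, service start and rundll32 launch commands.
        // None is strong alone, hence the 3-of gate tied to a v1.0 marker.
        $s1 = "%d_of_%d_for_%s_on_%s"
        $s2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $s3 = "=%s&type=%d"
        $s4 = "?photoid="
        $s5 = "iexplorer"
        $s6 = "net start \"%s\""
        $s7 = "cmd.exe /c rundll32 \"%s\""

        // v1.0-specific markers: dropped file name, service name, and two code
        // fragments that embed absolute addresses (push 0x41050C, call
        // [0x40F000] ...) and therefore only match this particular build.
        $v1_1 = "MicroPlayerUpdate.exe"
        $v1_2 = "CCPUpdate"
        $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
        $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }

        // 16-byte values named as serials - presumably the serial numbers of
        // code-signing certificates seen on Sakula samples (see reference).
        // Any one of them is treated as conclusive by the condition.
        $serial01 = { 31 06 2e 48 3e 01 06 b1 8c 98 2f 00 53 18 5c 36 }
        $serial02 = { 01 a5 d9 59 95 19 b1 ba fc fa d0 e8 0b 6d 67 35 }
        $serial03 = { 47 d5 d5 37 2b cb 15 62 b4 c9 f4 c2 bd f1 35 87 }
        $serial04 = { 3a c1 0e 68 f1 ce 51 9e 84 dd cd 28 b1 1f a5 42 }

        // $opcodes1 is a hot-patchable prologue (mov edi,edi / push ebp /
        // mov ebp,esp / sub esp,20h / mov eax,[imm32] / cmp eax,0) and is
        // the most FP-prone fragment here. $opcodes2 and $opcodes3 are
        // single-byte XOR decode loops that skip 0x00 and the key byte;
        // $opcodes4 / $opcodes5 XOR with an incrementing key.
        $opcodes1 = { 89 FF 55 89 E5 83 EC 20 A1 ?? ?? ?? 00 83 F8 00 }
        $opcodes2 = { 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B }
        $opcodes3 = { 8B 45 08 8D 0C 02 8A 01 84 C0 74 08 3C ?? 74 04 34 ?? 88 01 }
        $opcodes4 = { 30 14 38 8D 0C 38 40 FE C2 3B C6 }
        $opcodes5 = { 30 14 39 8D 04 39 41 FE C2 3B CE }

        // Exclusion for genuine Symantec binaries. Caveat: this is a plain
        // string test, so any sample that embeds "Symantec Corporation"
        // (e.g. the unsigned Symantec look-alike covered by
        // APT17_Unsigned_Symantec_Binary_EFA) silently escapes this rule.
        $fp1 = "Symantec Corporation" ascii wide
    condition:
        uint16(0) == 0x5a4d and (
            // The $s strings are listed explicitly: a bare "$s*" wildcard also
            // expands to $serial01..$serial04, which belong to their own branch.
            (3 of ($s1, $s2, $s3, $s4, $s5, $s6, $s7) and 1 of ($v1_*)) or
            1 of ($serial0*) or
            1 of ($opcodes*)
        )
        and not 1 of ($fp*)
}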
rule APT17_Sample_FXSST_DLL {
    meta:
        description = "Detects Samples related to APT17 activity - file FXSST.DLL"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/ZiJyQv"
        date = "2015-05-14"
        hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
        id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
    strings:
        // Version-info product name plus the file name the DLL masquerades as.
        // The two "?" in $x1 are kept verbatim: they sit where "(R)" symbols
        // would normally appear and are presumably what the referenced sample
        // carries. A "?" in a wide string only matches a literal "?", so do not
        // "repair" it without checking against the hash above.
        $x1 = "Microsoft? Windows? Operating System" fullword wide
        $x2 = "fxsst.dll" fullword ascii
        // Alternative pair: the COM registration export and an oddly-cased
        // ".cSV" token.
        $y1 = "DllRegisterServer" fullword ascii
        $y2 = ".cSV" fullword ascii
        // Imported API names. Individually common; requiring all of them
        // narrows the rule to binaries with this exact import set.
        $s1 = "GetLastActivePopup"
        $s2 = "Sleep"
        $s3 = "GetModuleFileName"
        $s4 = "VirtualProtect"
        $s5 = "HeapAlloc"
        $s6 = "GetProcessHeap"
        $s7 = "GetCommandLine"
    condition:
        uint16(0) == 0x5a4d
        and filesize < 800KB
        and (all of ($x*) or all of ($y*))
        and all of ($s*)
}
rule APT17_Malware_Oct17_1 {
    meta:
        description = "Detects APT17 malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/puVc9q"
        date = "2017-10-03"
        hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
        id = "457312d8-5bfe-5282-9ace-2f169278569c"
    strings:
        // Paths under the print-processor directory (spool\prtprocs) for
        // both architectures; that directory is a known DLL-load location
        // for the spooler, which points at a persistence/side-loading use.
        $s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
        $s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
        // Other library names the sample references by path fragment.
        $s3 = "\\msvcrt.dll" ascii
        $s4 = "\\TSMSISrv.dll" ascii
    condition:
        // All four paths together; each one alone is plausible in benign code.
        uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*)
}
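// The condition uses the pe module; the import is kept next to the rule so
// it still compiles when copied out of this listing on its own.
import "pe"

rule APT17_Malware_Oct17_2 {
    meta:
        description = "Detects APT17 malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/puVc9q"
        date = "2017-10-03"
        hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
        id = "9f21514a-168b-5158-8322-60fa8499b11a"
    strings:
        // High-confidence markers: a custom cookie name, the hard-coded C2
        // host and the ja-JP GIF URL template. Any single one fires the rule.
        $x1 = "Cookie: __xsptplus=%s" fullword ascii
        $x2 = "http://services.fiveemotions.co.jp" fullword ascii
        $x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii
        // Supporting strings: internal file name, a truncated IE8 user agent
        // (kept truncated on purpose - it matches the common prefix), pipe and
        // IIS command error messages, a named mutex and HTTP header fragments.
        // These need six hits between them, $x strings included.
        $s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
        $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
        $s3 = "hWritePipe2 Error:%d" fullword ascii
        $s4 = "Not Support This Function!" fullword ascii
        $s5 = "Global\\PnP_No_Management" fullword ascii
        $s6 = "Content-Type: image/x-png" fullword ascii
        $s7 = "Accept-Language: ja-JP" fullword ascii
        $s8 = "IISCMD Error:%d" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and (
            // stdcall-decorated placeholder export name seen on the sample
            pe.exports("_foo@0") or
            1 of ($x*) or
            6 of them
        )
}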
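// The condition uses the pe module; the import is kept next to the rule so
// it still compiles when copied out of this listing on its own.
import "pe"

rule APT17_Unsigned_Symantec_Binary_EFA {
    meta:
        description = "Detects APT17 malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/puVc9q"
        date = "2017-10-03"
        hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
        id = "56eec517-8b00-5cb5-9806-249e50f53b99"
    strings:
        // Symantec copyright banner and the SYMEFA device name: the sample
        // poses as a Symantec component. Genuine Symantec binaries carry
        // both, which is why the "unsigned" check below does the real work.
        $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
        $s2 = "\\\\.\\SYMEFA" fullword wide
    condition:
        // Caveats on pe.number_of_signatures:
        //  - it counts Authenticode entries and does not validate them, so a
        //    file with a broken or self-signed signature is treated as signed;
        //  - on YARA builds compiled without OpenSSL the field is undefined,
        //    the comparison evaluates false and the rule never fires. Confirm
        //    your scanner exposes signature data before relying on this.
        // Note also that RAT_Sakula in this set excludes anything containing
        // "Symantec Corporation", so the two rules never overlap on a file.
        uint16(0) == 0x5a4d
        and filesize < 200KB
        and all of ($s*)
        and pe.number_of_signatures == 0
}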
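// The condition uses the pe module; the import is kept next to the rule so
// it still compiles when copied out of this listing on its own.
import "pe"

rule APT17_Malware_Oct17_Gen {
    meta:
        description = "Detects APT17 malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/puVc9q"
        date = "2017-10-03"
        hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
        hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
        hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
        id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
    strings:
        // High-confidence markers. $x1 has ".NETCLR" without the usual space -
        // keep it verbatim, it appears to be a quirk of the samples rather than
        // a typo in the rule. $x2 is the fake Google image-search beacon URL.
        $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
        $x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
        // Supporting strings shared with the Oct17_2 variant (pipe / IIS
        // command errors, x-png content type) plus this family's session
        // cookie, placeholder URL, en-US header and receive-log format.
        $s1 = "hWritePipe2 Error:%d" fullword ascii
        $s2 = "Not Support This Function!" fullword ascii
        $s3 = "Cookie: SESSIONID=%s" fullword ascii
        $s4 = "http://0.0.0.0/1" fullword ascii
        $s5 = "Content-Type: image/x-png" fullword ascii
        $s6 = "Accept-Language: en-US" fullword ascii
        $s7 = "IISCMD Error:%d" fullword ascii
        $s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and (
            // Import hash alone is enough here. Imphash identifies the import
            // table layout, not the code, so unrelated binaries built from the
            // same template can share it - treat a bare imphash hit as a lead
            // to confirm, not a verdict.
            pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9" or
            1 of ($x*) or
            6 of them
        )
}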