YARA rules for APT33
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// EldoS RawDisk: a commercial raw-disk-access driver that Operation Shamoon 2.0
// used (per the description). The driver is legitimate software, so a hit is a
// triage lead rather than a conviction on its own -- presumably why the score is
// only 50. hash2 is the same sample referenced by StoneDrill_ntssrvr32 below.
rule EldoS_RawDisk {
    meta:
        description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
        author = "Florian Roth (Nextron Systems) (with Binar.ly)"
        reference = "https://goo.gl/jKIfGB"
        date = "2016-12-01"
        modified = "2023-01-27"
        score = 50
        hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
        hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
        id = "8a43f425-86b7-5a05-b7c3-13c78aa905f8"
    strings:
        // A UTF-16 path fragment plus six-letter tokens used as markers
        $s1 = "g\\system32\\" wide
        $s2 = "ztvttw" wide fullword
        $s3 = "lwizvm" ascii fullword
        $s4 = "FEJIKC" ascii fullword
        $s5 = "INZQND" ascii fullword
        $s6 = "IUTLOM" wide fullword
        $s7 = "DKFKCK" ascii fullword
        // Three code fragments. $op3 begins with the bytes that close $op2 (74 0a 3d)
        // and ends with the bytes that open $op1 (94 35 77), so the three look like
        // one contiguous sequence split into overlapping pieces.
        $op1 = { 94 35 77 73 03 40 eb e9 }
        $op2 = { 80 7c 41 01 00 74 0a 3d }
        $op3 = { 74 0a 3d 00 94 35 77 }
    condition:
        // PE ("MZ") header, 2000 KiB size cap, and any four of the ten strings above
        uint16be(0) == 0x4d5a
        and filesize < 2048000
        and 4 of ($*)
}
// Kaspersky rule for the decrypted StoneDrill payload. The description says
// "(decrypted) samples", so it is meant for unpacked or dumped code rather than
// the on-disk dropper. hash1/hash2 are 32 hex digits (MD5-length), unlike the
// SHA-256 values carried by the neighbouring rules.
// NOTE(review): the id below is the same value used by StoneDrill_BAT_1,
// StoneDrill_Service_Install, StoneDrill_ntssrvr32, StoneDrill_Malware_2 and
// StoneDrill on this page; a rule id is meant to be unique, so reassign them.
rule StoneDrill_main_sub {
    meta:
        author = "Kaspersky Lab"
        description = "Rule to detect StoneDrill (decrypted) samples"
        hash1 = "d01781f1246fd1b64e09170bd6600fe1"
        hash2 = "ac3c25534c076623192b9381f926ba0d"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        version = "1.0"
        id = "92f53e6a-8f49-5ffa-8c16-3ec3e6f2bdcd"
    strings:
        // x86 fragment. Read as plain opcodes: B8 08 00 FE 7F = mov eax,7FFE0008h
        // (an address inside the KUSER_SHARED_DATA page), FF 30 = push [eax],
        // 8F 44 24 ?? = pop [esp+disp8], 68 B4 0F 00 00 = push 0FB4h,
        // FF 15 ?? ?? ?? 00 = call through the import table, then the same read
        // again followed by 8B/2B (mov/sub) on stack slots. A timestamp sampled
        // before and after a call and then subtracted looks like a timing check
        // (e.g. detecting a shortened sleep), but confirm that against the sample.
        $code = {B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF 30 8F 44 24 ?? 8B ?? 24 [1 - 4] 2B ?? 24 [6] F7 ?1 [5 - 12] 00}
    condition:
        // Under 5,000,000 bytes, PE header present, and the fragment found at least once
        filesize < 5000000
        and uint16be(0) == 0x4d5a
        and #code > 0
}
// Batch-file stage from the StoneDrill report: a script under 500 bytes that sets
// u100/u200/u800 variables and starts a program out of %systemroot%\system32 with
// "start /b". No header check beyond the leading "@ech" bytes.
// NOTE(review): the id below is the same value used by five other StoneDrill rules
// on this page; rule ids are meant to be unique, so these need separate values.
rule StoneDrill_BAT_1 {
    meta:
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        description = "Rule to detect Batch file from StoneDrill report"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        id = "92f53e6a-8f49-5ffa-8c16-3ec3e6f2bdcd"
    strings:
        $s1 = "set u100=" ascii
        $s2 = "set u200=service" fullword ascii
        $s3 = "set u800=%~dp0" fullword ascii      // %~dp0 expands to the script's own directory
        $s4 = "\"%systemroot%\\system32\\%u100%\"" ascii
        $s5 = "%\" start /b %systemroot%\\system32\\%" ascii
    condition:
        // First four bytes are "@ech" (the start of "@echo"), any two markers, under 500 bytes
        uint32be(0) == 0x40656368
        and 2 of ($s*)
        and filesize < 500
}
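// Service-installation batch fragment from the StoneDrill report: "sc config" of
// the NtsSrv service pointing at ntssrvr64.exe under system32, "sc start", and
// "ping -n ... 127.0.0.1 >nul" between the steps (apparently as a delay).
// There is no header check, so any file under 500 bytes carrying two of the four
// strings is a hit.
// NOTE(review): the id below is the same value used by five other StoneDrill rules
// on this page; rule ids are meant to be unique, so these need separate values.
rule StoneDrill_Service_Install {
    meta:
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        description = "Rule to detect Batch file from StoneDrill report"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        id = "92f53e6a-8f49-5ffa-8c16-3ec3e6f2bdcd"
    strings:
        $s1 = "127.0.0.1 >nul && sc config" ascii
        $s2 = "LocalService\" && ping -n" ascii fullword
        $s3 = "127.0.0.1 >nul && sc start" ascii fullword
        // Fixed: the path previously read "system32\ntssrvr64.exe". In a YARA text
        // string "\n" is the newline escape, so $s4 contained a line break and could
        // never match the one-line sc command; "\\" is the escaped backslash intended.
        $s4 = "sc config NtsSrv binpath= \"C:\\WINDOWS\\system32\\ntssrvr64.exe" ascii
    condition:
        2 of ($s*)
        and filesize < 500
}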
// ntssrvr32 component from the StoneDrill report. The six strings are a subset of
// EldoS_RawDisk above ($s1-$s3 and $op1-$op3 are identical there) and hash1 is that
// rule's hash2, so the two rules will often fire together; this one needs only
// three markers and allows a larger file.
// NOTE(review): the id below is the same value used by five other StoneDrill rules
// on this page; rule ids are meant to be unique, so these need separate values.
rule StoneDrill_ntssrvr32 {
    meta:
        description = "Detects malware from StoneDrill threat report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        date = "2017-03-07"
        modified = "2023-01-27"
        hash1 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
        id = "92f53e6a-8f49-5ffa-8c16-3ec3e6f2bdcd"
    strings:
        $s1 = "g\\system32\\" wide
        $s2 = "ztvttw" wide fullword
        $s3 = "lwizvm" ascii fullword
        // $op3 starts with the tail of $op2 (74 0a 3d) and ends with the head of
        // $op1 (94 35 77): three overlapping slices of one code sequence
        $op1 = { 94 35 77 73 03 40 eb e9 }
        $op2 = { 80 7c 41 01 00 74 0a 3d }
        $op3 = { 74 0a 3d 00 94 35 77 }
    condition:
        // PE ("MZ") header, 4000 KiB size cap, any three of the six strings
        uint16be(0) == 0x4d5a
        and filesize < 4096000
        and 3 of ($*)
}
// StoneDrill loader characteristics: Wscript launched through "WMIC Process Call
// Create", a staging directory under C:\ProgramData\InternetExplorer, WSH CopyFile
// usage, and a set of fixed VBS/TMP file names ($x*) that are strong on their own.
// NOTE(review): the id below is the same value used by five other StoneDrill rules
// on this page; rule ids are meant to be unique, so these need separate values.
rule StoneDrill_Malware_2 {
    meta:
        description = "Detects malware from StoneDrill threat report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        date = "2017-03-07"
        hash1 = "69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db"
        id = "92f53e6a-8f49-5ffa-8c16-3ec3e6f2bdcd"
    strings:
        // Weaker markers: command line, paths and WSH fragments
        $s1 = "cmd /c WMIC Process Call Create \"C:\\Windows\\System32\\Wscript.exe //NOLOGO " fullword wide
        $s2 = "C:\\ProgramData\\InternetExplorer" fullword wide
        $s3 = "WshShell.CopyFile \"" fullword wide
        $s4 = "Abd891.tmp" fullword wide
        $s5 = "Set WshShell = Nothing" fullword wide
        // A fixed, non-standard letter/digit sequence; its purpose is not evident from here
        $s6 = "AaCcdDeFfGhiKLlMmnNoOpPrRsSTtUuVvwWxyZz32" fullword ascii
        $s7 = "\\FileInfo.txt" wide
        // Strong markers: hard-coded helper file names
        $x1 = "C-PDI-C-Cpy-T.vbs" fullword wide
        $x2 = "C-Dlt-C-Org-T.vbs" fullword wide
        $x3 = "C-PDC-C-Cpy-T.vbs" fullword wide
        $x4 = "AC-PDC-C-Cpy-T.vbs" fullword wide
        $x5 = "C-Dlt-C-Trsh-T.tmp" fullword wide
    condition:
        // PE under 700 KiB with one strong name or three weaker markers; otherwise
        // five markers of any kind with no header or size gate (presumably so that
        // memory dumps and non-PE carriers are still caught)
        (
            uint16be(0) == 0x4d5a
            and filesize < 716800
            and ( 1 of ($x*) or 3 of ($s*) )
        )
        or 5 of ($*)
}
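// Rule spanning three StoneDrill samples (super_rule = 1 presumably marks a rule
// generated across several samples rather than a single one). $x1/$x2 are the same
// file names that StoneDrill_Malware_2 carries as $x5/$x2.
// NOTE(review): the id below is the same value used by five other StoneDrill rules
// on this page; rule ids are meant to be unique, so these need separate values.
rule StoneDrill {
    meta:
        description = "Detects malware from StoneDrill threat report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        date = "2017-03-07"
        super_rule = 1
        hash1 = "2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83"
        hash2 = "62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260"
        hash3 = "69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db"
        id = "92f53e6a-8f49-5ffa-8c16-3ec3e6f2bdcd"
    strings:
        // Strong markers: hard-coded helper file names
        $x1 = "C-Dlt-C-Trsh-T.tmp" fullword wide
        $x2 = "C-Dlt-C-Org-T.vbs" fullword wide
        // Weaker markers; "Hello dear" is a short English phrase and is only used
        // together with $s2 and both opcode fragments
        $s1 = "Hello dear" fullword ascii
        $s2 = "WRZRZRAR" fullword ascii
        // Both fragments are selected by "all of ($op*)" via the $op prefix
        $opa1 = { 66 89 45 d8 6a 64 ff }
        $opa2 = { 8d 73 01 90 0f bf 51 fe }
    condition:
        // Parenthesised to spell out what the original expression already evaluated
        // to ("and" binds tighter than "or"): the header/size gate applies only to the
        // $x branch, while the second branch fires on any file -- the same ungated
        // fallback shape StoneDrill_Malware_2 uses with "or 5 of them". If the gate was
        // meant to cover both branches, wrap the whole "or" in it instead.
        (
            uint16(0) == 0x5a4d
            and filesize < 700KB
            and 1 of ($x*)
        )
        or ( all of ($op*) and all of ($s*) )
}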
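// VBScript stage from the StoneDrill report: a registry write via WMIC StdRegProv
// (hDefKey &H80000001 is HKEY_CURRENT_USER), a "ping 1.0.0.0 -n 1 -w 20000" line
// of the kind commonly used as a delay, and WSH file copies/deletes involving
// %COMMON_APPDATA%\Chrome\ and %temp%.
rule StoneDrill_VBS_1 {
    meta:
        description = "Detects malware from StoneDrill threat report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
        date = "2017-03-07"
        hash1 = "0f4d608a87e36cb0dbf1b2d176ecfcde837070a2b2a049d532d3d4226e0c9587"
        id = "a7ee3bd4-eeae-5eb4-92e7-9601ec17300a"
    strings:
        // Strong markers
        $x1 = "wmic /NameSpace:\\\\root\\default Class StdRegProv Call SetStringValue hDefKey = \"&H80000001\" sSubKeyName = \"Software\\Micros" ascii
        $x2 = "ping 1.0.0.0 -n 1 -w 20000 > nul" fullword ascii
        // Weaker markers: generic WSH file handling with the specific paths used here
        $s1 = "WshShell.CopyFile \"%COMMON_APPDATA%\\Chrome\\" ascii
        $s2 = "WshShell.DeleteFile \"%temp%\\" ascii
        $s3 = "WScript.Sleep(10 * 1000)" fullword ascii
        $s4 = "Set WshShell = CreateObject(\"Scripting.FileSystemObject\") While WshShell.FileExists(\"" ascii
        $s5 = " , \"%COMMON_APPDATA%\\Chrome\\" ascii
    condition:
        // Parenthesised to make the evaluation order explicit without changing it:
        // "and" binds tighter than "or", so the 1 KiB cap applies only to the $x branch
        // and "2 of ($s*)" matches at any size. The outer parentheses in the original
        // hint that the cap may have been meant for both branches -- worth confirming
        // with the author before tightening.
        ( filesize < 1KB and 1 of ($x*) )
        or 2 of ($s*)
}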
// FalseFont backdoor (Peach Sandstorm). Matches on the .NET WPF assembly name, two
// hard-coded base64 AES parameters ($x*), a pair of command/error strings ($sa*),
// and browser credential-store access strings ($sb*: Brave user-data path, the
// "logins" table and its password_value column, a Loginvault.db file name).
rule APT_MAL_FalseFont_Backdoor_Jan24 {
    meta:
        description = "Detects FalseFont backdoor, related to Peach Sandstorm APT"
        author = "X__Junior, Jonathan Peters"
        date = "2024-01-11"
        reference = "https://twitter.com/MsftSecIntel/status/1737895710169628824"
        hash = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614"
        score = 80
        id = "b6a3efff-2abf-5ac1-9a2b-c7b30b51f92c"
    strings:
        // Strong markers: each one alone is enough
        $x1 = "Agent.Core.WPF.App" ascii
        $x2 = "3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=" wide   // labelled AesIV; 44 base64 chars = 32 bytes
        $x3 = "viOIZ9cX59qDDjMHYsz1Yw==" wide                         // labelled AesKey; 24 base64 chars = 16 bytes
        // NOTE(review): an AES IV is 16 bytes, so the two labels above look swapped
        // (32-byte key, 16-byte IV). Detection is unaffected; confirm against the sample.
        $sa1 = "StopSendScreen" wide
        $sa2 = "Decryption failed :(" wide
        // $sb1 is a generic .NET format string and carries little weight on its own
        $sb1 = "{0} {1} {2} {3}" wide
        $sb2 = "\\BraveSoftware\\Brave-Browser\\User Data\\" wide
        $sb3 = "select * from logins" wide
        $sb4 = "Loginvault.db" wide
        $sb5 = "password_value" wide
    condition:
        // PE header plus: any strong marker, or the complete $sa set, or the
        // complete $sb set, or one $sa together with four of the five $sb strings
        uint16be(0) == 0x4d5a
        and (
            1 of ($x*)
            or all of ($sa*)
            or all of ($sb*)
            or ( 1 of ($sa*) and 4 of ($sb*) )
        )
}