YARA rules for Citrine Sleet
12 rules · scoped to actor · back to Citrine Sleet
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule APT_UNC4736_NK_MAL_TAXHAUL_3CX_Apr23_1 {
meta:
description = "Detects TAXHAUL (AKA TxRLoader) malware used in the 3CX compromise by UNC4736"
author = "Mandiant"
date = "2023-03-04"
score = 80
reference = "https://www.3cx.com/blog/news/mandiant-initial-results/"
id = "25a80f98-03d6-59e6-84e6-6d847a6c591e"
strings:
$p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}
$p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}
condition:
uint16(0) == 0x5A4D and any of them
}
rule APT_NK_TradingTech_ForensicArtifacts_Apr23_1 {
meta:
description = "Detects forensic artifacts, file names and keywords related the Trading Technologies compromise UNC4736"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
modified = "2023-04-21"
score = 60
id = "f79a5321-4f22-52d9-aa83-4aa750ecc036"
strings:
$x1 = "www.tradingtechnologies.com/trading/order-management" ascii wide
$xf1 = "X_TRADER_r7.17.90p608.exe" ascii wide
$xf2 = "\\X_TRADER-ja.mst" ascii wide
$xf3 = "C:\\Programdata\\TPM\\TpmVscMgrSvr.exe" ascii wide
$xf4 = "C:\\Programdata\\TPM\\winscard.dll" ascii wide
$fp1 = "<html"
condition:
not uint16(0) == 0x5025
and 1 of ($x*) and not 1 of ($fp*)
}
rule SUSP_TH_APT_UNC4736_TradingTech_Cert_Apr23_1 {
meta:
description = "Threat hunting rule that detects samples signed with the compromised Trading Technologies certificate after May 2022"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
score = 65
id = "9a05fba9-9466-5b69-9207-27ad01d6eb8b"
strings:
$s1 = { 00 85 38 A6 C5 01 8F 50 FC } /* serial number */
$s2 = "Go Daddy Secure Certificate Authority - G2" /* CA */
$s3 = "Trading Technologies International, Inc"
condition:
pe.timestamp > 1651363200 /* Sunday, May 1, 2022 12:00:00 AM */
and all of them
}
rule APT_HiddenCobra_enc_PK_header {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects trojan with encrypted header"
id = "5d7001b3-162c-5a97-a740-1b8e33d4aa9e"
strings:
$s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }
$s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }
$s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule APT_HiddenCobra_import_obfuscation_2 {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects remote access trojan"
id = "bc139580-a55b-514f-8a4e-ca1402ce3ad9"
strings:
$s0 = {A6 D6 02 EB 4E B2 41 EB C3 EF 1F}
$s1 = {B6 DF 01 FD 48 B5 }
$s2 = {B6 D5 0E F3 4E B5 }
$s3 = {B7 DF 0E EE }
$s4 = {B6 DF 03 FC }
$s5 = {A7 D3 03 FC }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule APT_NK_AR18_165A_HiddenCobra_import_deob {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
md5 = "ae769e62fef4a1709c12c9046301aa5d"
md5 = "e48fe20eblf5a5887f2ac631fed9ed63"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects installed proxy module as a service"
id = "f403d589-be35-57a7-9675-f92657c11acc"
strings:
$ = { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8}
$ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule HiddenCobra_BANKSHOT_Gen {
meta:
description = "Detects Hidden Cobra BANKSHOT trojan"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
date = "2017-12-26"
modified = "2022-06-10"
hash1 = "89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486"
hash2 = "8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247"
hash3 = "b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24"
hash4 = "daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75"
hash5 = "ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699"
hash6 = "d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff"
hash7 = "ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9"
hash8 = "3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6"
hash9 = "6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca"
id = "fbf9dd32-cb9a-51f2-bd03-0387fbf44baa"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" fullword wide
$s2 = "rHTTP/1.1 200 Connection established" fullword wide
$s3 = "Proxy-Connection: keep-alive" fullword wide
$s4 = "\\msncf.dat" wide
$s5 = "msvcru32.bat" fullword ascii
$s6 = "reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"%s\" /f" fullword ascii
$s7 = "MXINFO.DLL" fullword ascii
$s8 = "usrvc32.bat" fullword ascii
$s9 = "ping -n 1 127.0.0.1" fullword ascii
$s10 = "%sd.e%sc \"%s > %s 2>&1\"" ascii fullword
$s11 = "DWS*.tmp" ascii fullword
$s12 = "CS*.tmp" fullword wide
$s13 = "WM*.tmp" fullword wide
$x1 = "CgpaipIddwspwe32Hnaehsdi" fullword ascii
$x2 = "RpiPmtiCdopIsgpao" fullword ascii
$x3 = "RpiLtnodlhOtgpcidgyA" fullword ascii
$x4 = "LatiQdgHtnrwpDbupci" fullword ascii
/* $x5 = "vchost.exe" fullword ascii */
$x6 = "\\system32\\msncf.dat" ascii
$x7 = "GprthipgHpgktcpCigwSanowpgA" fullword ascii
$a1 = "live.dropbox.com" fullword ascii
$a2 = "tatadocomo.yahoo.com" fullword ascii
$a3 = "widgets.twimg.com" fullword ascii
$a4 = "history.paypal.com" fullword ascii
$a5 = "www.bitcoin.org" fullword ascii
$a6 = "web.whatsapp.com" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and (
1 of ($x*) or
2 of ($s*) or
4 of ($a*)
)
}
rule HiddenCobra_Rule_1 {
meta:
description = "Detects Hidden Cobra Malware"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
date = "2017-06-13"
id = "921c027e-fac3-5419-b0a6-5043f5cde466"
strings:
$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
condition:
all of them
}
rule HiddenCobra_Rule_2 {
meta:
description = "Detects Hidden Cobra Malware"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
date = "2017-06-13"
strings:
$STR1 = "Wating" wide ascii fullword
$STR2 = "Reamin" wide ascii fullword
$STR3 = "laptos" wide ascii fullword
condition:
( uint16(0) == 0x5A4D or
uint16(0) == 0xCFD0 or
uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or
uint32(1) == 0x6674725C
) and all of them
}
rule HiddenCobra_Rule_3 {
meta:
description = "Detects Hidden Cobra Malware"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
date = "2017-06-13"
id = "39c7e039-4b07-575d-a93a-539ecc4e63d8"
strings:
$randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7
44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41
00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0
6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24
48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89
44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24
18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89
44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00
66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B
6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05
83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00
00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B
FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2
49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33
C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83
E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00
8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1
C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8
?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4
48 C3 }
condition:
$randomUrlBuilder
}
rule APT_HiddenCobra_GhostSecret_1 {
meta:
description = "Detects Hidden Cobra Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
date = "2018-08-11"
hash1 = "05a567fe3f7c22a0ef78cc39dcf2d9ff283580c82bdbe880af9549e7014becfc"
id = "d6955294-84a4-5694-87c9-b5b1c39e0fae"
strings:
$s1 = "%s\\%s.dll" fullword wide
$s2 = "PROXY_SVC_DLL.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule APT_HiddenCobra_GhostSecret_2 {
meta:
description = "Detects Hidden Cobra Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
date = "2018-08-11"
hash1 = "45e68dce0f75353c448865b9abafbef5d4ed6492cd7058f65bf6aac182a9176a"
id = "dab5b0ec-ae89-521e-bbb9-15602db9ed6c"
strings:
$s1 = "ping 127.0.0.1 -n 3" fullword wide
$s2 = "Process32" fullword ascii
$s11 = "%2d%2d%2d%2d%2d%2d" fullword ascii
$s12 = "del /a \"" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}