YARA rules for GhostSec
YARA rules whose family, rule name, or description text matches this actor's name or its tooling; because the association is made by name match, confirm each rule's reference and hash before relying on it. Use these for binary-pattern hunts.
// Detects a Hidden Cobra sample from Operation GhostSecret (see the reference
// URL in meta). The rule was written against the single sample whose SHA-256
// is given in hash1; it requires a Windows executable that contains both a
// DLL-path format string and the literal module name PROXY_SVC_DLL.dll.
rule APT_HiddenCobra_GhostSecret_1 {
meta:
description = "Detects Hidden Cobra Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
date = "2018-08-11"
hash1 = "05a567fe3f7c22a0ef78cc39dcf2d9ff283580c82bdbe880af9549e7014becfc"
id = "d6955294-84a4-5694-87c9-b5b1c39e0fae"
strings:
// YARA unescapes "\\" to a single backslash, so the searched text is
// %s\%s.dll: a printf-style template for a "directory\name.dll" path.
// "wide" searches the UTF-16LE encoding; "fullword" requires the token to be
// bounded by non-alphanumeric characters.
$s1 = "%s\\%s.dll" fullword wide
// Literal DLL file name as an ASCII token. Its role inside the sample is not
// shown on this page — consult the referenced analysis before tuning.
$s2 = "PROXY_SVC_DLL.dll" fullword ascii
condition:
// uint16(0) reads the first two bytes little-endian; 0x5a4d is the "MZ"
// DOS header, i.e. a Windows PE/DOS executable. The size cap bounds scan
// cost and excludes large files unlikely to be this sample. Both strings
// must be present ("all of them").
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
// Detects a second Hidden Cobra sample from Operation GhostSecret (see the
// reference URL in meta). Written against the single sample in hash1; it
// requires a Windows executable carrying all four strings below, which
// together look like fragments of a batch-style self-deletion/cleanup routine
// plus a process-enumeration token — presumably, verify against the sample.
rule APT_HiddenCobra_GhostSecret_2 {
meta:
description = "Detects Hidden Cobra Sample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
date = "2018-08-11"
hash1 = "45e68dce0f75353c448865b9abafbef5d4ed6492cd7058f65bf6aac182a9176a"
id = "dab5b0ec-ae89-521e-bbb9-15602db9ed6c"
strings:
// UTF-16LE command line; "ping 127.0.0.1 -n 3" is a common way for a batch
// script to pause for a few seconds. Benign installers use it too, which is
// why the rule requires all four strings rather than this one alone.
$s1 = "ping 127.0.0.1 -n 3" fullword wide
// NOTE(review): "fullword" means this will NOT match the Win32 import names
// Process32First / Process32Next (the next character is alphanumeric); it
// only matches a standalone "Process32" token. Presumably the sample contains
// the bare token — confirm against hash1 before relaxing or keeping fullword.
$s2 = "Process32" fullword ascii
// printf-style format with six two-digit fields; looks like a compact
// date/time stamp (YYMMDDhhmmss) — TODO confirm from the sample.
$s11 = "%2d%2d%2d%2d%2d%2d" fullword ascii
// YARA unescapes \" to a double quote, so the searched UTF-16LE text is
// del /a " — the start of a Windows "del /a" command with a quoted path,
// consistent with a file-cleanup step.
$s12 = "del /a \"" fullword wide
condition:
// 0x5a4d little-endian at offset 0 is the "MZ" DOS header (Windows
// executable). The 400KB cap bounds scan cost. All four strings are
// required, which keeps the individually generic tokens from firing alone.
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}