YARA rules for Intellexa / Predator / Cytrox
6 rules · scoped to actor · back to Intellexa / Predator / Cytrox
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule WebShell_GFS {
meta:
description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
super_rule = 1
hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
id = "bde6cfd8-466f-528a-b1e3-f874aa778010"
strings:
$s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
$s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
$s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
condition:
all of them
}
rule RAT_PredatorPain
{
meta:
author = "Kevin Breen <kevin@techanarchy.net>"
date = "01.04.2014"
description = "Detects PredatorPain RAT"
reference = "http://malwareconfig.com/stats/PredatorPain"
maltype = "Remote Access Trojan"
filetype = "exe"
id = "c6670179-871d-5a57-983b-d77354e2ede9"
strings:
$string1 = "holderwb.txt" wide
$string3 = "There is a file attached to this email" wide
$string4 = "screens\\screenshot" wide
$string5 = "Disablelogger" wide
$string6 = "\\pidloc.txt" wide
$string7 = "clearie" wide
$string8 = "clearff" wide
$string9 = "emails should be sent to you shortly" wide
$string10 = "jagex_cache\\regPin" wide
$string11 = "open=Sys.exe" wide
$ver1 = "PredatorLogger" wide
$ver2 = "EncryptedCredentials" wide
$ver3 = "Predator Pain" wide
condition:
7 of ($string*) and any of ($ver*)
}
rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109"
date = "2024-08-07"
score = 40
id = "3cc780a4-7b9c-516e-91a1-705f785922d2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
rule APT_Webshell_SUPERNOVA_1
{
meta:
author = "FireEye"
description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
date = "2020-12-14"
score = 85
id = "73a27fa2-a846-5f4b-8182-064ac06c71a8"
strings:
$compile1 = "CompileAssemblyFromSource"
$compile2 = "CreateCompiler"
$context = "ProcessRequest"
$httpmodule = "IHttpHandler" ascii
$string1 = "clazz"
$string2 = "//NetPerfMon//images//NoLogo.gif" wide
$string3 = "SolarWinds" ascii nocase wide
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile*) and all of ($string*)
}
rule APT_Webshell_SUPERNOVA_2
{
meta:
author = "FireEye"
description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
date = "2020-12-14"
score = 85
id = "c39bf9ba-fd62-5619-92b6-1633375ef197"
strings:
$dynamic = "DynamicRun"
$solar = "Solarwinds" nocase
$string1 = "codes"
$string2 = "clazz"
$string3 = "method"
$string4 = "args"
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and 3 of ($string*) and $dynamic and $solar
}
rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109"
date = "2024-08-07"
score = 70
id = "a8590fdf-3af6-5231-b089-bb07eef1e2d4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CtiIo64/i
}