YARA rules for Kimsuky
63 rules · scoped to actor · back to Kimsuky
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Empire_Invoke_PsExec {
meta:
description = "Detects Empire component - file Invoke-PsExec.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
strings:
$s1 = "Invoke-PsExecCmd" fullword ascii
$s2 = "\"[*] Executing service .EXE" fullword ascii
$s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
condition:
( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
3 of them
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule Lazagne_PW_Dumper {
meta:
description = "Detects Lazagne PW Dumper"
author = "Markus Neis / Florian Roth"
reference = "https://github.com/AlessandroZ/LaZagne/releases/"
date = "2018-03-22"
score = 70
id = "1904029e-9336-5278-ae2e-4bc853316600"
strings:
$s1 = "Crypto.Hash" fullword ascii
$s2 = "laZagne" fullword ascii
$s3 = "impacket.winregistry" fullword ascii
condition:
3 of them
}
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
meta:
description = "Detects password dumper Lazagne often used by middle eastern threat groups"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
date = "2018-12-11"
score = 85
hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
strings:
$s1 = "softwares.opera(" ascii
$s2 = "softwares.mozilla(" ascii
$s3 = "config.dico(" ascii
$s4 = "softwares.chrome(" ascii
$s5 = "softwares.outlook(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
rule HKTL_Lazagne_Gen_18 {
meta:
description = "Detects Lazagne password extractor hacktool"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/AlessandroZ/LaZagne"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
date = "2018-12-11"
score = 80
hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
strings:
$x1 = "lazagne.config.powershell_execute(" ascii
$x2 = "creddump7.win32." ascii
$x3 = "lazagne.softwares.windows.hashdump" ascii
$x4 = ".softwares.memory.libkeepass.common(" ascii
condition:
2 of them
}
rule Sliver_Implant_32bit
{
meta:
description = "Sliver 32-bit implant (with and without --debug flag at compile)"
hash = "911f4106350871ddb1396410d36f2d2eadac1166397e28a553b28678543a9357"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
modified = "2025-03-21"
id = "6bc4d7d1-64cf-5920-8f07-54a8a7a94f26"
strings:
// We look for the specific switch/case statement case values.
// case "tcppivot":
/*
81 ?? 74 63 70 70 cmp dword ptr [ecx], 70706374h
.
.
.
81 ?? 04 69 76 6F 74 cmp dword ptr [ecx+4], 746F7669h
*/
$s_tcppivot = { 81 ?? 74 63 70 70 [2-20] 81 ?? 04 69 76 6F 74 }
// case "wg":
/*
66 81 ?? 77 67 cmp word ptr [eax], 6777h // "gw"
*/
$s_wg = { 66 81 ?? 77 67 }
// case "dns":
/*
66 81 ?? 64 6E cmp word ptr [eax], 6E64h // "nd"
.
.
.
80 ?? 02 73 cmp byte ptr [eax+2], 73h ; 's'
*/
$s_dns = { 66 81 ?? 64 6E [2-20] 80 ?? 02 73 }
// case "http":
/*
81 ?? 68 74 74 70 cmp dword ptr [eax], 70747468h // "ptth"
*/
$s_http = { 81 ?? 68 74 74 70 }
// case "https":
/*
81 ?? 68 74 74 70 cmp dword ptr [ecx], 70747468h // "ptth"
.
.
.
80 ?? 04 73 cmp byte ptr [ecx+4], 73h ; 's'
*/
$s_https = { 81 ?? 68 74 74 70 [2-20] 80 ?? 04 73 }
// case "mtls": NOTE: this one can be missing due to compilate time config
/*
81 ?? 6D 74 6C 73 cmp dword ptr [eax], 736C746Dh // "sltm"
*/
$s_mtls = { 81 ?? 6D 74 6C 73 }
$fp1 = "cloudfoundry" ascii fullword
$fp2 = "googleapi.Error" ascii
condition:
4 of ($s*)
and not 1 of ($fp*)
and not pe.number_of_signatures > 0
}
rule Sliver_Implant_64bit
{
meta:
description = "Sliver 64-bit implant (with and without --debug flag at compile)"
hash = "2d1c9de42942a16c88a042f307f0ace215cdc67241432e1152080870fe95ea87"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
modified = "2025-03-21"
id = "b84db933-0e11-5871-821d-43697c015665"
strings:
// We look for the specific switch/case statement case values.
// case "tcppivot":
/*
48 ?? 74 63 70 70 69 76 6F 74 mov rcx, 746F766970706374h
*/
$s_tcppivot = { 48 ?? 74 63 70 70 69 76 6F 74 }
// case "namedpipe":
/*
48 ?? 6E 61 6D 65 64 70 69 70 mov rsi, 70697064656D616Eh // "pipdeman"
.
.
.
80 ?? 08 65 cmp byte ptr [rdx+8], 65h ; 'e'
*/
$s_namedpipe = { 48 ?? 6E 61 6D 65 64 70 69 70 [2-32] 80 ?? 08 65 }
// case "https":
/*
81 3A 68 74 74 70 cmp dword ptr [rdx], 70747468h // "ptth"
.
.
.
80 7A 04 73 cmp byte ptr [rdx+4], 73h ; 's'
*/
$s_https = { 81 ?? 68 74 74 70 [2-32] 80 ?? 04 73 }
// case "wg":
/*
66 81 3A 77 67 cmp word ptr [rdx], 6777h // "gw"
*/
$s_wg = {66 81 ?? 77 67}
// case "dns":
/*
66 81 3A 64 6E cmp word ptr [rdx], 6E64h // "nd"
.
.
.
80 7A 02 73 cmp byte ptr [rdx+2], 73h ; 's'
*/
$s_dns = { 66 81 ?? 64 6E [2-20] 80 ?? 02 73 }
// case "mtls": // This one may or may not be in the file, depending on the config flags.
/*
81 ?? 6D 74 6C 73 cmp dword ptr [rdx], 736C746Dh // "mtls"
*/
$s_mtls = { 81 ?? 6D 74 6C 73 }
$fp1 = "cloudfoundry" ascii fullword
$fp2 = "googleapi.Error" ascii
condition:
5 of ($s*)
and not 1 of ($fp*)
and not pe.number_of_signatures > 0
}
rule MAL_PE_Type_BabyShark_Loader {
meta:
description = "Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks"
author = "Florian Roth (Nextron Systems)"
reference = "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
date = "2019-02-24"
hash1 = "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c"
id = "141e7a67-7930-5fd8-ac91-5d31b99e4ff3"
strings:
$x1 = "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\" /v AutoRun /t REG_SZ /d \"%s\" /f" fullword ascii
$x2 = /mshta\.exe http:\/\/[a-z0-9\.\/]{5,30}\.hta/
$xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32
2E 44 4C 4C 00 00 00 00 } /* WinExec kernel32.DLL */
condition:
uint16(0) == 0x5a4d and (
pe.imphash() == "57b6d88707d9cd1c87169076c24f962e" or
1 of them or
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "thawte SHA256 Code Signing CA" and
pe.signatures[i].serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d"
)
)
}
rule APT_NK_BabyShark_KimJoingRAT_Apr19_1 {
meta:
description = "Detects BabyShark KimJongRAT"
author = "Florian Roth (Nextron Systems)"
reference = "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
date = "2019-04-27"
hash1 = "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
id = "c6bd1e1a-68f2-5a2d-a159-b16ea0d33987"
strings:
$x1 = "%s\\Microsoft\\ttmp.log" fullword wide
$a1 = "logins.json" fullword ascii
$s1 = "https://www.google.com/accounts/servicelogin" fullword ascii
$s2 = "https://login.yahoo.com/config/login" fullword ascii
$s3 = "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login" ascii
$s4 = "\\mozsqlite3.dll" ascii
$s5 = "SMTP Password" fullword ascii
$s6 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (
1 of ($x*) or
( $a1 and 3 of ($s*) )
)
}