YARA rules for Lazarus Group
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule APT_Lazarus_Aug18_Downloader_1 {
    // Lazarus downloader from the AppleJeus reporting. Keyed on build-path and
    // PDB-path remnants plus one hard-coded token; the two generic strings only
    // count when they appear together.
    meta:
        description = "Detects Lazarus Group Malware Downloadery"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/operation-applejeus/87553/"
        date = "2018-08-24"
        hash1 = "d555dcb6da4a6b87e256ef75c0150780b8a343c4a1e09935b0647f01d974d94d"
        hash2 = "bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb"
        hash3 = "e2199fc4e4b31f7e4c61f6d9038577633ed6ad787718ed7c39b36f316f38befd"
        id = "f536db7b-b645-522f-b750-6431878d2e31"
    strings:
        // High-confidence artefacts: a single hit is sufficient.
        $hi_devpath  = "H:\\DEV\\TManager\\" ascii
        $hi_pdb_rel  = "\\Release\\dloader.pdb" ascii
        $hi_jeuspath = "Z:\\jeus\\"
        $hi_pdb_dbg  = "\\Debug\\dloader.pdb" ascii
        $hi_token    = "Moz&Wie;#t/6T!2yW29ab@ad%Df324V$Yd" fullword ascii
        // Lower-confidence strings: meaningful only in combination.
        $lo_useragent = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" fullword ascii
        $lo_errmsg    = "Error protecting memory page" fullword ascii
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 500KB
        and ( 1 of ($hi_*) or 2 of them )
}
rule APT_Lazarus_Aug18_1 {
    // Lazarus sample from the AppleJeus reporting: either the recorded import
    // hash or four of the listed wide strings.
    // NOTE: pe.imphash() needs `import "pe"` at the top of the compiled ruleset;
    // that import line is not part of this page.
    meta:
        description = "Detects Lazarus Group Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/operation-applejeus/87553/"
        date = "2018-08-24"
        hash1 = "ef400d73c6920ac811af401259e376458b498eb0084631386136747dfc3dcfa8"
        hash2 = "1b8d3e69fc214cb7a08bef3c00124717f4b4d7fd6be65f2829e9fd337fc7c03c"
        id = "fda4970a-2787-5e9c-9944-a6222145f4a7"
    strings:
        $str_ws2      = "mws2_32.dll" fullword wide
        $str_batfmt   = "%s.bat" fullword wide
        $str_redirect = "%s%s%s \"%s > %s 2>&1\"" fullword wide
        $str_msft     = "Microsoft Corporation. All rights reserved." fullword wide
        $str_ping     = "ping 127.0.0.1 -n 3" fullword wide
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 500KB
        and (
            pe.imphash() == "3af996e4f960108533e69b9033503f40"
            or 4 of them
        )
}
rule APT_Lazarus_Aug18_2 {
    // Lazarus sample from the AppleJeus reporting; four of the five wide
    // strings are required (no import-hash alternative in this variant).
    meta:
        description = "Detects Lazarus Group Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/operation-applejeus/87553/"
        date = "2018-08-24"
        hash1 = "8ae766795cda6336fd5cad9e89199ea2a1939a35e03eb0e54c503b1029d870c4"
        hash2 = "d3ef262bae0beb5d35841d131b3f89a9b71a941a86dab1913bda72b935744d2e"
        id = "3c77d603-6443-5e78-8a8a-a89112619aa6"
    strings:
        $str_advapi   = "vAdvapi32.dll" fullword wide
        $str_ws2      = "lws2_32.dll" fullword wide
        $str_redirect = "%s %s > \"%s\" 2>&1" fullword wide
        $str_notsvc   = "Not Service" fullword wide
        $str_ping     = "ping 127.0.0.1 -n 3" fullword wide
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 600KB
        and 4 of them
}
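rule APT_NK_Lazarus_RC4_Loop {
    // Code pattern the author describes as the RC4 loop of a Lazarus implant
    // (x86-64 encoding with wildcarded register bytes; the 0x100 immediates are
    // consistent with a 256-entry state table). Single hex pattern, so the PE
    // and size gates are what keep the scan cheap.
    meta:
        author = "f-secure"    // trailing space dropped to match the sibling rule's author field
        description = "Detects RC4 loop in Lazarus Group implant"
        date = "2020-06-10"
        reference = "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical"
        id = "a9503795-b4b8-505e-a1bf-df64ec8c1c32"
    strings:
        $str_rc4_loop = { 41 FE 8? 00 01 00 00 45 0F B6 ?? 00 01 00 00 48
                          FF C? 43 0F B6 0? ?? 41 00 8? 01 01 00 00 41 0F
                          B6 ?? 01 01 00 00 }
    condition:
        // uint16 instead of the original int16: the comparison is unchanged
        // (0x5a4d fits in a signed 16-bit value) but now matches the "MZ" gate
        // used by every other PE rule in this set.
        uint16(0) == 0x5a4d and filesize < 3000KB and $str_rc4_loop
}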
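rule APT_NK_Lazarus_Network_Backdoor_Unpacked {
    // Unpacked Lazarus network backdoor: one string from each of three groups
    // (firewall port-opening commands, cmd.exe output-redirection templates,
    // log-file names / resolved-by-hand NT APIs) must be present.
    meta:
        author = "f-secure"
        description = "Detects unpacked variant of Lazarus Group network backdoor"
        date = "2020-06-10"
        reference = "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical"
        id = "8eda9e74-1a19-5510-82d8-cd2eb324629c"
    strings:
        // Group 1: netsh commands that open / close an inbound TCP port.
        $str_netsh_1 = "netsh firewall add portopening TCP %d" ascii wide nocase
        $str_netsh_2 = "netsh firewall delete portopening TCP %d" ascii wide nocase
        // Group 2: command templates that redirect output into a file, plus a path template.
        $str_mask_1 = "cmd.exe /c \"%s >> %s 2>&1\"" ascii wide
        $str_mask_2 = "cmd.exe /c \"%s 2>> %s\"" ascii wide
        $str_mask_3 = "%s\\%s\\%s" ascii wide
        // Group 3: artefact file names and ntdll export names referenced by the sample.
        $str_other_1 = "perflog.dat" ascii wide nocase
        $str_other_2 = "perflog.evt" ascii wide nocase
        $str_other_3 = "cbstc.log" ascii wide nocase
        $str_other_4 = "LdrGetProcedureAddress" ascii
        $str_other_5 = "NtProtectVirtualMemory" ascii
    condition:
        // uint16 instead of the original int16: same result for 0x5a4d, but
        // consistent with the "MZ" gate used elsewhere in this set.
        uint16(0) == 0x5a4d
        and filesize < 3000KB
        and 1 of ($str_netsh*)
        and 1 of ($str_mask*)
        and 1 of ($str_other*)
}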
rule APT_Lazarus_Dropper_Jun18_1 {
    // Lazarus dropper: fake Windows-update file-name template plus two marker
    // strings, or the recorded import hash.
    // NOTE: pe.imphash() needs `import "pe"` in the compiled ruleset (not on this page).
    meta:
        description = "Detects Lazarus Group Dropper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
        date = "2018-06-01"
        hash1 = "086a50476f5ceee4b10871c1a8b0a794e96a337966382248a8289598b732bd47"
        hash2 = "9f2d4fd79d3c68270102c4c11f3e968c10610a2106cbf1298827f8efccdd70a9"
        id = "226be9d4-93c0-5512-9667-3388cd6f20d4"
    strings:
        // The '.' before "exe" is an unescaped regex metacharacter and matches any byte.
        $fake_kb = /%s\\windows10-kb[0-9]{7}.exe/ fullword ascii
        $marker  = "EYEJIW" fullword ascii
        // Goodware string (occurred 254 times in the author's corpus); only counts with the others.
        $generic = "update" fullword wide
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 21000KB
        and (
            pe.imphash() == "fcac768eff9896d667a7c706d70712ce"
            or all of them
        )
}
rule APT_Lazarus_RAT_Jun18_1 {
    // Lazarus RAT: any one of the embedded server paths, two of the multipart
    // upload headers, or four strings overall.
    meta:
        description = "Detects Lazarus Group RAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
        date = "2018-06-01"
        hash1 = "c10363059c57c52501c01f85e3bb43533ccc639f0ea57f43bae5736a8e7a9bc8"
        hash2 = "e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292"
        id = "fd394d15-70c5-543a-a845-2058f296b5f8"
    strings:
        // Embedded server paths (host + script); each one is specific enough on its own.
        $url_1 = "www.marmarademo.com/include/extend.php" fullword ascii
        $url_2 = "www.33cow.com/include/control.php" fullword ascii
        $url_3 = "www.97nb.net/include/arc.sglistview.php" fullword ascii
        // Hard-coded multipart/form-data headers with fixed upload file names.
        $form_1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"example.dat\"" fullword ascii
        $form_2 = "Content-Disposition: form-data; name=\"file1\"; filename=\"pratice.pdf\"" fullword ascii
        $form_3 = "Content-Disposition: form-data; name=\"file1\"; filename=\"happy.pdf\"" fullword ascii
        $form_4 = "Content-Disposition: form-data; name=\"file1\"; filename=\"my.doc\"" fullword ascii
        $form_5 = "Content-Disposition: form-data; name=\"board_id\"" fullword ascii
        // Generic strings; only count in the four-of-anything branch.
        $gen_1 = "Winhttp.dll" fullword ascii
        $gen_2 = "Wsock32.dll" fullword ascii
        $gen_3 = "WM*.tmp" fullword ascii
        $gen_4 = "FM*.tmp" fullword ascii
        $gen_5 = "Cache-Control: max-age=0" fullword ascii /* Goodware String - occured 1 times */
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 500KB
        and (
            1 of ($url_*)
            or 2 of ($form_*)
            or 4 of them
        )
}
rule APT_Lazarus_RAT_Jun18_2 {
    // Lazarus RAT build artefacts: two of three strings. $vs_template is the
    // Visual Studio project placeholder text and is common in goodware, so a
    // match needs at least one of the "KB"-specific strings as well.
    meta:
        description = "Detects Lazarus Group RAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
        date = "2018-06-01"
        hash1 = "e6096fb512a6d32a693491f24e67d772f7103805ad407dc37065cebd1962a547"
        id = "4f2e280e-ed76-5fb9-b137-5191bbea2155"
    strings:
        $kb_buildpath = "\\KB\\Release\\" ascii
        $kb_version   = "KB, Version 1.0" fullword wide
        $vs_template  = "TODO: (c) <Company name>. All rights reserved." fullword wide
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 5000KB
        and 2 of them
}
rule Lazarus_Dec_17_1 {
// Lazarus lure delivered as a compiled HTML Help (CHM) file: the magic check
// below is the ITSF container header, and the strings are CHM internals plus
// an embedded image chunk. All four strings are required.
meta:
description = "Detects Lazarus malware from incident in Dec 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
// goo.gl is a link shortener; the reference may no longer resolve.
reference = "https://goo.gl/8U6fY2"
date = "2017-12-20"
hash1 = "d5f9a81df5061c69be9c0ed55fba7d796e1a8ebab7c609ae437c574bd7b30b48"
id = "f195ebf0-d7af-58e8-a544-769a0c8b628b"
strings:
// CHM internal storage path and the HTML Help compiler version string.
$s1 = "::DataSpace/Storage/MSCompressed/Transform/" ascii
$s2 = "HHA Version 4." ascii
// Decodes to "tEXtSoftware\0Adobe ImageReadyq": a PNG tEXt chunk, i.e. an
// embedded image saved by Adobe ImageReady.
$s3 = { 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64 6F
62 65 20 49 6D 61 67 65 52 65 61 64 79 71 }
$s4 = "bUEeYE" fullword ascii
condition:
// 0x5449 little-endian = bytes "IT" (ITSF/CHM header), not "MZ".
uint16(0) == 0x5449 and filesize < 4000KB and all of them
}
rule Lazarus_Dec_17_2 {
    // Fake Skype installer: all three Skype lure strings, but NOT the Microsoft
    // CA name that a genuinely Microsoft-signed binary carries in its
    // certificate chain (used here as a false-positive exclusion).
    meta:
        description = "Detects Lazarus malware from incident in Dec 2017"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/8U6fY2"
        date = "2017-12-20"
        hash1 = "cbebafb2f4d77967ffb1a74aac09633b5af616046f31dddf899019ba78a55411"
        hash2 = "9ca3e56dcb2d1b92e88a0d09d8cab2207ee6d1f55bada744ef81e8b8cf155453"
        id = "45127fb5-0f70-5140-acd9-46147d365dfe"
    strings:
        $lure_exe    = "SkypeSetup.exe" fullword wide
        $lure_path   = "%s\\SkypeSetup.exe" fullword ascii
        $lure_vendor = "Skype Technologies S.A." fullword wide
        $ms_ca       = "Microsoft Code Signing PCA" ascii wide
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 7000KB
        and all of ($lure_*)
        and not $ms_ca
}
rule Lazarus_Dec_17_4 {
    // Small obfuscated JScript dropper: matches the start of an obfuscator-style
    // string table whose first entry (\x57\x53...\x6C) decodes to "WScript.Shell".
    // NOTE(review): the description looks like a file name ("ithumb.js") fused
    // onto the sentence; kept as the author wrote it.
    meta:
        description = "Detects Lazarus malware from incident in Dec 2017ithumb.js"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/8U6fY2"
        date = "2017-12-20"
        hash1 = "8ff100ca86cb62117f1290e71d5f9c0519661d6c955d9fcfb71f0bbdf75b51b3"
        hash2 = "7975c09dd436fededd38acee9769ad367bfe07c769770bd152f33a10ed36529e"
        id = "fbdc6287-c177-53b5-83dd-979936f65192"
    strings:
        $js_table = "var _0xf5ed=[\"\\x57\\x53\\x63\\x72\\x69\\x70\\x74\\x2E\\x53\\x68\\x65\\x6C\\x6C\"," ascii
    condition:
        filesize < 9KB and $js_table
}
rule Lazarus_Dec_17_5 {
    // PowerShell stage from the Dec 2017 incident. Every string is a verbatim
    // source line (hidden-window launcher, HTTP helper call, fixed script path
    // under Public\Documents, schtasks persistence, admin-group check via the
    // S-1-5-32-544 SID), so a single hit is considered sufficient.
    meta:
        description = "Detects Lazarus malware from incident in Dec 2017"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/8U6fY2"
        date = "2017-12-20"
        hash1 = "db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471"
        id = "33bd8c08-123e-5a8e-b5dc-02af7291addc"
    strings:
        $ps_launcher  = "$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList" fullword ascii
        $ps_httpcall  = "$respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;" fullword ascii
        $ps_path      = "[String]$PS_PATH = \"C:\\\\Users\\\\Public\\\\Documents\\\\ProxyAutoUpdate.ps1\";" fullword ascii
        $ps_schtasks  = "$cmdSchedule = 'schtasks /create /tn \"ProxyServerUpdater\"" ascii
        $ps_taskrun   = "/tr \"powershell.exe -ep bypass -windowstyle hidden -file " ascii
        $ps_tmppath   = "C:\\\\Users\\\\Public\\\\Documents\\\\tmp' + -join " ascii
        $ps_cmdresult = "$cmdResult = cmd.exe /c $cmdInst | Out-String;" fullword ascii
        $ps_admincheck = "whoami /groups | findstr /c:\"S-1-5-32-544\"" fullword ascii
    condition:
        filesize < 500KB and 1 of them
}
rule APT_lazaruswannacry {
// Code overlap between the Feb 2017 WannaCry sample and a 2015 Lazarus backdoor
// (Neel Mehta's finding). Both byte patterns must be present in a PE file.
meta:
description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
date = "2017-05-15"
reference = "https://twitter.com/neelmehta/status/864164081116225536"
author = "Costin G. Raiu, Kaspersky Lab"
version = "1.0"
// Duplicate meta keys are allowed by YARA; these are the two samples' MD5s.
hash = "9c7c7149387a1c79679a87dd1ba755bc"
hash = "ac21c8ad899727137c4b94458d7aa8d8"
id = "e9dd9750-2366-503a-a879-972dbead6bf3"
strings:
// x86 code fragment (function prologue onwards).
$a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46
56 E8 }
// Table of little-endian 16-bit values (0x0003, 0x0004, ..., 0xC02B, 0xC02C);
// the values appear to be TLS cipher-suite identifiers — confirm against the reference.
$a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE }
condition:
// "MZ" header; size limit given in bytes (about 15 MB).
uint16(0) == 0x5A4D and filesize < 15000000 and all of them
}
rule MAL_Gopuram_Apr23 {
    // Gopuram backdoor (3CX supply-chain incident): a single file-name template
    // that the author found only in the two listed samples.
    meta:
        description = "Detects Lazarus Gopuram malware"
        reference = "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/"
        license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-04-04"
        hash = "beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c"
        hash = "97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7"
        id = "e0bb43b0-542b-5c8e-bcba-0326f80efaa0"
    strings:
        // VTgrep content:"%s.TxR.0.regtrans-ms" hits only the 2 hashes above
        $txr_path = "%s.TxR.0.regtrans-ms"
    condition:
        uint16(0) == 0x5A4D        // "MZ" DOS header
        and filesize < 10MB
        and $txr_path
}
rule APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_1 {
// VHD ransomware: ransom-note name, a source-file remnant, a service-control
// command string and three code fragments; any two are enough.
meta:
description = "Detects Lazarus VHD Ransomware"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
date = "2020-10-05"
hash1 = "52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6"
hash2 = "5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473"
hash3 = "6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306"
id = "5cb3c136-ec5c-5596-8dcc-e4c6ef33050a"
strings:
// Ransom-note file name and a compiled-in source file name.
$s1 = "HowToDecrypt.txt" wide fullword
$s2 = "rsa.cpp" wide fullword
// Service-control command embedded in the sample.
$s3 = "sc stop \"Microsoft Exchange Compliance Service\"" ascii fullword
// x86 opcode fragments (stack-frame relative mov sequences) from the samples.
$op1 = { 8b 8d bc fc ff ff 8b 94 bd 34 03 00 00 33 c0 50 }
$op2 = { 8b 8d 98 f9 ff ff 8d 64 24 00 8b 39 3b bc 85 34 }
$op3 = { 8b 94 85 34 03 00 00 89 11 40 83 c1 04 3b 06 7c }
condition:
uint16(0) == 0x5a4d and
filesize < 400KB and
2 of them
}
rule APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_2 {
// VHD ransomware, second variant: purely opcode-based, all three fragments
// required. The larger size bound (9 MB) suggests these samples are bigger
// than the ones covered by the sibling rule.
meta:
description = "Detects Lazarus VHD Ransomware"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
date = "2020-10-05"
hash1 = "097ca829e051a4877bca093cee340180ff5f13a9c266ad4141b0be82aae1a39b"
hash2 = "73a10be31832c9f1cbbd798590411009da0881592a90feb472e80025dfb0ea79"
id = "b75668de-93e6-57e7-90f0-fa335295be7c"
strings:
// 16-byte code fragments; no wildcards, so each is a literal search.
$op1 = { f9 36 88 08 8d ad fc ff ff ff 66 ff c1 e9 72 86 }
$op2 = { c6 c4 58 0f a4 c8 12 8d ad ff ff ff ff 0f b6 44 }
$op3 = { 88 02 66 c1 f0 54 8d bf fc ff ff ff 0f ba e0 19 }
condition:
uint16(0) == 0x5a4d and
filesize < 9000KB and
all of them
}
rule SUSP_VEST_Encryption_Core_Accumulator_Jan21 {
// 160-byte constant table the author identifies as the VEST cipher's core
// accumulator. Suspicious rather than malicious (score 70): the constant
// belongs to the algorithm, not to Lazarus, so it can appear in any VEST
// implementation. No filesize gate, but a fully specified hex string is a
// literal search and stays cheap on large files.
meta:
description = "Detects VEST encryption core accumulator in PE file as used by Lazarus malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/ochsenmeier/status/1354737155495649280"
date = "2021-01-28"
score = 70
hash1 = "7cd3ca8bdfb44e98a4b9d0c6ad77546e03d169bda9bdf3d1bcf339f68137af23"
id = "8343652b-8865-5213-b735-d6d4084e4a84"
strings:
$sc1 = { 4F 70 46 DA E1 8D F6 41 59 E8 5D 26 1E CC 2F 89
26 6D 52 BA BC 11 6B A9 C6 47 E4 9C 1E B6 65 A2
B6 CD 90 47 1C DF F8 10 4B D2 7C C4 72 25 C6 97
25 5D C6 1D 4B 36 BC 38 36 33 F8 89 B4 4C 65 A7
96 CA 1B 63 C3 4B 6A 63 DC 85 4C 57 EE 2A 05 C7
0C E7 39 35 8A C1 BF 13 D9 52 51 3D 2E 41 F5 72
85 23 FE A1 AA 53 61 3B 25 5F 62 B4 36 EE 2A 51
AF 18 8E 9A C6 CF C4 07 4A 9B 25 9B 76 62 0E 3E
96 3A A7 64 23 6B B6 19 BC 2D 40 D7 36 3E E2 85
9A D1 22 9F BC 30 15 9F C2 5D F1 23 E6 3A 73 C0 }
condition:
// "MZ" header and the single table (1 of them == $sc1).
uint16(0) == 0x5a4d and
1 of them
}
rule APT_HiddenCobra_enc_PK_header {
// TYPEFRAME (AR18-165A): three 10-byte constants, any one of which in a valid
// PE file matches. The rule name suggests they are encrypted archive headers;
// the report does not say so on this page, so treat that as the author's label.
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects trojan with encrypted header"
id = "5d7001b3-162c-5a97-a740-1b8e33d4aa9e"
strings:
$s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }
$s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }
$s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }
condition:
// "MZ" at offset 0 and "PE" at e_lfanew (the dword at 0x3c): a real PE image,
// not just an MZ stub. No filesize gate.
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule APT_HiddenCobra_import_obfuscation_2 {
// TYPEFRAME (AR18-165A): six short byte sequences. Several are only 4-6 bytes
// long and would be noisy alone; requiring all of them plus a valid PE header
// is what gives the rule its precision.
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects remote access trojan"
id = "bc139580-a55b-514f-8a4e-ca1402ce3ad9"
strings:
$s0 = {A6 D6 02 EB 4E B2 41 EB C3 EF 1F}
$s1 = {B6 DF 01 FD 48 B5 }
$s2 = {B6 D5 0E F3 4E B5 }
$s3 = {B7 DF 0E EE }
$s4 = {B6 DF 03 FC }
$s5 = {A7 D3 03 FC }
condition:
// "MZ" at offset 0 and "PE" at e_lfanew; all six patterns required.
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
rule APT_NK_AR18_165A_HiddenCobra_import_deob {
// TYPEFRAME import-name deobfuscation loop (AR18-165A), in two register
// allocations. Either pattern in a valid PE file matches.
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
md5 = "ae769e62fef4a1709c12c9046301aa5d"
// NOTE(review): this value contains a non-hex character ('l' in "20eblf5a") and
// cannot be a valid MD5 as written; verify against the source report.
md5 = "e48fe20eblf5a5887f2ac631fed9ed63"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects installed proxy module as a service"
id = "f403d589-be35-57a7-9675-f92657c11acc"
strings:
// x86: mov al,[ecx]; cmp al,'b'; jl; cmp al,'y'; jg; mov dl,0xDB; sub dl,al;
// mov [ecx],dl; mov al,[ecx+1]; inc ecx; test al,al; jnz — i.e. every byte in
// 'b'..'y' of a NUL-terminated string is replaced by 0xDB - byte.
$ = { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8}
// Same loop with eax/cl. NOTE(review): `82 DB` here decodes as sbb bl,imm8
// rather than mov dl,0xDB (B2 DB) as in the first variant; it may be a
// transcription error in the source report, in which case this pattern would
// not match real code — confirm before relying on it.
$ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6}
condition:
// "MZ" at offset 0 and "PE" at e_lfanew; either pattern suffices.
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
rule HiddenCobra_BANKSHOT_Gen {
// BANKSHOT trojan, generic rule. Three string classes: $x* are family-specific
// identifier-like strings (any one is enough), $s* are host-side artefacts
// (two required), $a* are legitimate hostnames embedded in the samples (four
// required; presumably used as decoy destinations).
// NOTE(review): `2 of ($s*)` can be satisfied by strings that are common in
// legitimate proxy-aware software (e.g. $s1 + $s3); if this branch proves
// noisy, raising its count is the obvious tuning knob.
meta:
description = "Detects Hidden Cobra BANKSHOT trojan"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
date = "2017-12-26"
modified = "2022-06-10"
hash1 = "89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486"
hash2 = "8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247"
hash3 = "b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24"
hash4 = "daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75"
hash5 = "ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699"
hash6 = "d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff"
hash7 = "ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9"
hash8 = "3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6"
hash9 = "6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca"
id = "fbf9dd32-cb9a-51f2-bd03-0387fbf44baa"
strings:
// Host-side artefacts: user agent, proxy responses, data/bat file names,
// Run-key cleanup command, command-output redirection template, temp-file masks.
$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" fullword wide
$s2 = "rHTTP/1.1 200 Connection established" fullword wide
$s3 = "Proxy-Connection: keep-alive" fullword wide
$s4 = "\\msncf.dat" wide
$s5 = "msvcru32.bat" fullword ascii
$s6 = "reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"%s\" /f" fullword ascii
$s7 = "MXINFO.DLL" fullword ascii
$s8 = "usrvc32.bat" fullword ascii
$s9 = "ping -n 1 127.0.0.1" fullword ascii
$s10 = "%sd.e%sc \"%s > %s 2>&1\"" ascii fullword
$s11 = "DWS*.tmp" ascii fullword
$s12 = "CS*.tmp" fullword wide
$s13 = "WM*.tmp" fullword wide
// Family-specific strings; their meaning is not documented here.
$x1 = "CgpaipIddwspwe32Hnaehsdi" fullword ascii
$x2 = "RpiPmtiCdopIsgpao" fullword ascii
$x3 = "RpiLtnodlhOtgpcidgyA" fullword ascii
$x4 = "LatiQdgHtnrwpDbupci" fullword ascii
// $x5 was retired by the author (commented out, so it is not part of `1 of ($x*)`).
/* $x5 = "vchost.exe" fullword ascii */
$x6 = "\\system32\\msncf.dat" ascii
$x7 = "GprthipgHpgktcpCigwSanowpgA" fullword ascii
// Legitimate hostnames embedded in the samples.
$a1 = "live.dropbox.com" fullword ascii
$a2 = "tatadocomo.yahoo.com" fullword ascii
$a3 = "widgets.twimg.com" fullword ascii
$a4 = "history.paypal.com" fullword ascii
$a5 = "www.bitcoin.org" fullword ascii
$a6 = "web.whatsapp.com" fullword ascii
condition:
// "MZ" header, size gate, then any one of the three branches.
uint16(0) == 0x5a4d and filesize < 500KB and (
1 of ($x*) or
2 of ($s*) or
4 of ($a*)
)
}
rule HiddenCobra_Rule_1 {
// TA17-164A: a single 128-byte constant, named by the author as an RSA key
// (presumably an embedded modulus/key blob). No file-type or size gate, so
// the rule applies to any scanned object; the long literal keeps it cheap.
meta:
description = "Detects Hidden Cobra Malware"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
date = "2017-06-13"
id = "921c027e-fac3-5419-b0a6-5043f5cde466"
strings:
$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
condition:
// With one string defined, `all of them` is simply $rsaKey.
all of them
}
rule HiddenCobra_Rule_2 {
    // TA17-164A: three misspelled words that occur together in the malware.
    // Applies to several container types, each identified by its magic bytes.
    // (Unlike its siblings this rule carries no `id` meta field.)
    meta:
        description = "Detects Hidden Cobra Malware"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
        date = "2017-06-13"
    strings:
        $typo_1 = "Wating" wide ascii fullword
        $typo_2 = "Reamin" wide ascii fullword
        $typo_3 = "laptos" wide ascii fullword
    condition:
        (
            uint16(0) == 0x5A4D            // "MZ": DOS/PE executable
            or uint16(0) == 0xCFD0         // D0 CF: OLE2 / Compound File (legacy Office)
            or uint16(0) == 0xC3D4         // D4 C3: presumably a pcap capture magic — confirm against the report
            or uint32(0) == 0x46445025     // "%PDF"
            or uint32(1) == 0x6674725C     // "\rtf" at offset 1, i.e. "{\rtf"
        )
        and all of them
}
rule HiddenCobra_Rule_3 {
// TA17-164A: one long code pattern for the function the author calls the
// random URL builder. Wildcards (??) cover relocated import/global addresses,
// but the many `xx 6F 41 00` dwords look like absolute 0x00416Fxx addresses
// and are left fixed, so the pattern is effectively tied to one build.
// No file-type or size gate.
meta:
description = "Detects Hidden Cobra Malware"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
date = "2017-06-13"
id = "39c7e039-4b07-575d-a93a-539ecc4e63d8"
strings:
$randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7
44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41
00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0
6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24
48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89
44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24
18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89
44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00
66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B
6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05
83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00
00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B
FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2
49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33
C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83
E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00
8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1
C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8
?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4
48 C3 }
condition:
$randomUrlBuilder
}
rule APT_HiddenCobra_GhostSecret_1 {
    // Operation GhostSecret proxy-service DLL: both the DLL-path template and
    // the internal module name must be present.
    meta:
        description = "Detects Hidden Cobra Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
        date = "2018-08-11"
        hash1 = "05a567fe3f7c22a0ef78cc39dcf2d9ff283580c82bdbe880af9549e7014becfc"
        id = "d6955294-84a4-5694-87c9-b5b1c39e0fae"
    strings:
        $dll_path = "%s\\%s.dll" fullword wide
        $dll_name = "PROXY_SVC_DLL.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 3000KB
        and $dll_path
        and $dll_name
}
rule APT_HiddenCobra_GhostSecret_2 {
    // Operation GhostSecret sample: all four strings are required, which
    // compensates for each one being fairly generic on its own.
    meta:
        description = "Detects Hidden Cobra Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
        date = "2018-08-11"
        hash1 = "45e68dce0f75353c448865b9abafbef5d4ed6492cd7058f65bf6aac182a9176a"
        id = "dab5b0ec-ae89-521e-bbb9-15602db9ed6c"
    strings:
        $ping_delay = "ping 127.0.0.1 -n 3" fullword wide
        $proc32     = "Process32" fullword ascii
        $timestamp  = "%2d%2d%2d%2d%2d%2d" fullword ascii
        $del_cmd    = "del /a \"" fullword wide
    condition:
        uint16(0) == 0x5a4d        // "MZ" DOS header
        and filesize < 400KB
        and all of them
}
rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
// Methodology rule (score 45): a hard-coded IE11/Win7 user-agent string as it
// appears in several APT37 families. Three $fp* strings exclude known benign
// software that embeds the same UA.
meta:
author = "Steve Miller aka @stvemillertime"
description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
hash1 = "e63efbf8624a531bb435b7446dbbfc25"
score = 45
id = "a747c908-7af7-5c29-8386-a71db7648061"
strings:
$a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
// Same UA as $a1, as bytes, followed by four NUL bytes (NUL-terminated and
// padded). Because $a2 contains every byte of $a1, `all of ($a*)` is
// equivalent to requiring $a2 alone; $a1 adds nothing to the match.
$a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}
// False-positive exclusions.
$fp1 = "Esumsoft" wide
$fp2 = "Acunetix" wide ascii
$fp3 = "TASER SYNC" ascii
condition:
// "MZ" header, both UA forms, and none of the exclusions. No filesize gate.
uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
}
rule HvS_APT37_smb_scanner {
// SMB login scanner seen in the HvS Lazarus/APT37 report: usage banner,
// log-format and error strings from the tool. Ten of fifteen are required,
// which outweighs the generic entries ($s7, $s13).
meta:
description = "Unknown smb login scanner used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Marc Stroebel"
date = "2020-12-15"
reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
reference2 = "https://www.hybrid-analysis.com/sample/d16163526242508d6961f061aaffe3ae5321bd64d8ceb6b2788f1570757595fc?environmentId=2"
id = "89a5cc32-f151-583d-823d-692de2c2b084"
strings:
// Command-line usage banner.
$s1 = "Scan.exe StartIP EndIP ThreadCount logfilePath [Username Password Deep]" fullword ascii
// Result / error log formats.
$s2 = "%s - %s:(Username - %s / Password - %s" fullword ascii
$s3 = "Load mpr.dll Error " fullword ascii
$s4 = "Load Netapi32.dll Error " fullword ascii
$s5 = "%s U/P not Correct! - %d" fullword ascii
// Version-info and template strings (generic on their own).
$s6 = "GetNetWorkInfo Version 1.0" fullword wide
$s7 = "Hello World!" fullword wide
$s8 = "%s Error: %ld" fullword ascii
$s9 = "%s U/P Correct!" fullword ascii
$s10 = "%s --------" fullword ascii
// Directory-listing and share-enumeration output formats.
$s11 = "%s%-30s%I64d" fullword ascii
$s12 = "%s%-30s(DIR)" fullword ascii
$s13 = "%04d-%02d-%02d %02d:%02d" fullword ascii
$s14 = "Share: Local Path: Uses: Descriptor:" fullword ascii
$s15 = "Share: Type: Remark:" fullword ascii
condition:
// "MZ" header, small binary, ten of the fifteen strings.
uint16(0) == 0x5a4d and filesize < 200KB and (10 of them)
}
rule HvS_APT37_cred_tool {
    // Credential tool from the HvS report. Two manifest lines and the RTTI
    // fragment are generic; the 7-of-8 threshold, not any single string,
    // carries the precision. No PE header gate, only a size limit.
    meta:
        description = "Unknown cred tool used by APT37"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Markus Poelloth"
        date = "2020-12-15"
        reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
        id = "e830025a-f2ac-55b1-aca3-ded9dba83a67"
    strings:
        // Standard application-manifest fragments (generic).
        $manifest_exec  = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
        $manifest_trust = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
        // Tool-specific output and internal strings.
        $out_login   = "Domain Login" fullword ascii
        $ieshims     = "IEShims_GetOriginatingThreadContext" fullword ascii
        $rtti        = " Type Descriptor'" fullword ascii
        $out_user    = "User: %s" fullword ascii
        $out_pass    = "Pass: %s" fullword ascii
        $path_frag   = "E@c:\\u" fullword ascii
    condition:
        filesize < 500KB and 7 of them
}
rule HvS_APT37_RAT_loader {
    // BLINDINGCAN loader (dropped as iconcash.db): no byte patterns at all —
    // the match is purely on PE metadata, so `import "pe"` must be present in
    // the compiled ruleset (it is not part of this page).
    meta:
        description = "BLINDINGCAN RAT loader named iconcash.db used by APT37"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Marc Stroebel"
        date = "2020-12-15"
        hash = "b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9"
        reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
        reference2 = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
        id = "6c3e8465-d607-59bf-85fc-5abbef71fb1c"
    condition:
        // Both exports and the original file name from the version resource.
        pe.exports("SMain")
        and pe.exports("SMainW")
        and pe.version_info["OriginalFilename"] contains "MFC_DLL.dll"
}
rule HvS_APT37_webshell_img_thumbs_asp {
// Tiny classic-ASP file-upload webshell (img.asp / thumbs.asp / thumb.asp).
// Three tiers: $s* are specific to this shell (one suffices), $a* are the
// FileSystemObject/path-handling lines (three needed), $g* are generic VBScript
// lines (five needed). The 2 KB size cap keeps it to the bare script.
meta:
description = "Webshell named img.asp, thumbs.asp or thumb.asp used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "94d2448d3794ae3f29678a7337473d259b5cfd1c7f703fe53ee6c84dd10a48ef"
id = "e45d4507-81de-5f72-9ce2-4f0e3e5c62b1"
strings:
// Shell-specific status messages and the "video" target directory expression.
$s1 = "strMsg = \"E : F\"" fullword ascii
$s2 = "strMsg = \"S : \" & Len(fileData)" fullword ascii
$s3 = "Left(workDir, InStrRev(workDir, \"/\")) & \"video\""
// File-system and request-path handling lines.
$a1 = "Server.CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$a2 = "Dim tmpPath, workDir" fullword ascii
$a3 = "Dim objFSO, objTextStream" fullword ascii
$a4 = "workDir = Request.ServerVariables(\"URL\")" fullword ascii
$a5 = "InStrRev(workDir, \"/\")" ascii
// Generic VBScript lines; only meaningful in bulk.
$g1 = "WriteFile = 0" fullword ascii
$g2 = "fileData = Request.Form(\"fp\")" fullword ascii
$g3 = "fileName = Request.Form(\"fr\")" fullword ascii
$g4 = "Err.Clear()" fullword ascii
$g5 = "Option Explicit" fullword ascii
condition:
filesize < 2KB and (( 1 of ($s*) ) or (3 of ($a*)) or (5 of ($g*)))
}
rule HvS_APT37_webshell_template_query_asp {
    // Larger ASP webshell (template-query.asp). Tiered like its sibling rules:
    // one shell-specific string, two author/marker strings, or three of the
    // generic ASP header settings. Bounded to 70-200 KB, so the size window is
    // itself part of the signature.
    meta:
        description = "Webshell named template-query.aspimg.asp used by APT37"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Moritz Oettle"
        date = "2020-12-15"
        reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
        hash = "961a66d01c86fa5982e0538215b17fb9fae2991331dfea812b8c031e2ceb0d90"
        id = "dc006b46-4c51-59cd-8b7d-adbfec86cd2e"
    strings:
        // Generic ASP page settings.
        $asp_timeout  = "server.scripttimeout=600" fullword ascii
        $asp_buffer   = "response.buffer=true" fullword ascii
        $asp_expires  = "response.expires=-1" fullword ascii
        $asp_session  = "session.timeout=600" fullword ascii
        // Author/marker strings embedded in the shell.
        $mark_author  = "redhat hacker" ascii
        $mark_page    = "want_pre.asp" ascii
        $mark_admin   = "vgo=\"admin\"" ascii
        $mark_flag    = "ywc=false" ascii
        // Shell-specific variable declaration.
        $uniq_decl    = "public br,ygv,gbc,ydo,yka,wzd,sod,vmd" fullword ascii
    condition:
        filesize > 70KB
        and filesize < 200KB
        and (
            1 of ($uniq_*)
            or 2 of ($mark_*)
            or 3 of ($asp_*)
        )
}
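rule HvS_APT37_webshell_controllers_asp {
// Detects a Script-Encoded (VBScript.Encode) ASP webshell. The encoded header
// string is required together with one encoded variant of "SeRvEr.ScriptTimeout".
meta:
description = "Webshell named controllers.asp or inc-basket-offer.asp used by APT37"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "829462fc6d84aae04a962dfc919d0a392265fbf255eab399980d2b021e385517"
id = "82370415-30f4-514d-8806-e2daced96f07"
strings:
// Page directive that marks a Microsoft Script Encoder protected ASP file.
$s0 = "<%@Language=VBScript.Encode" ascii
// Case permutations of the word SeRvEr encoded with the Microsoft Script Encoder,
// followed by the encoded ".ScriptTimeout" property. The permutations factor into
// four independent positions, so a single hex string with alternations covers all
// 2 * 4 * 2 * 4 = 64 variants instead of enumerating them one per string:
//   byte 1      : 64 | 6A
//   bytes 2-3   : 7F 44 | 7F 49 | 41 44 | 41 49
//   byte 4      : 2D | 23
//   bytes 5-6   : 7F 44 | 7F 49 | 41 44 | 41 49
// The 14-byte constant tail (encoded ".ScriptTimeout") is fixed and gives YARA a
// long atom, so matching performance is unaffected by the alternations.
$x1 = { (64 | 6A) (7F 44 | 7F 49 | 41 44 | 41 49) (2D | 23) (7F 44 | 7F 49 | 41 44 | 41 49) 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
condition:
// Size band first (cheap), then the encoded header plus one encoded SeRvEr variant.
filesize > 50KB and filesize < 200KB and ( $s0 and $x1 )
}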
rule BluenoroffPoS_DLL {
// Loose string-count rule (any 5 of 8); there is no file-type or size gate, so the
// rule is applied to every scanned file — acceptable given the specificity of the
// combined set, but worth knowing when tuning for FPs.
meta:
description = "Bluenoroff POS malware - hkp.dll"
author = "http://blog.trex.re.kr/"
reference = "http://blog.trex.re.kr/3?category=737685"
date = "2018-06-07"
id = "d2b34b50-c7eb-5852-ba5d-734dd5038c2e"
strings:
// Module / process names referenced by the sample (matched case-insensitively, ASCII and UTF-16).
$dll = "ksnetadsl.dll" ascii wide fullword nocase
$exe = "xplatform.exe" ascii wide fullword nocase
// Hard-coded HTTP User-Agent.
$agent = "Nimo Software HTTP Retriever 1.0" ascii wide nocase
// Log path and debug format strings.
$log_file = "c:\\windows\\temp\\log.tmp" ascii wide nocase
$base_addr = "%d-BaseAddr:0x%x" ascii wide nocase
$func_addr = "%d-FuncAddr:0x%x" ascii wide nocase
$HF_S = "HF-S(%d)" ascii wide
$HF_T = "HF-T(%d)" ascii wide
condition:
5 of them
}
rule MAL_APT_NK_Andariel_ScheduledTask_Loader {
// All three opcode sequences are required together with a PE (MZ) header.
meta:
author = "CISA.gov"
description = "Detects a scheduled task loader used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "0c32758b-480c-5784-b28f-cee85d038850"
strings:
// Each pattern is an unrolled stack-string build from x86-64 code:
//   B8 02 00 00 00      mov eax, 2          (element size)
//   48 6B C0 nn         imul rax, rax, nn   (element index)
//   B9 xx xx 00 00      mov ecx, imm32      (one encoded character)
//   66 89 8C 04 60 01 00 00  mov word [rsp+rax+0x160], cx
// $obfuscation2/3 use the byte variant: C6 44 04 20 xx = mov byte [rsp+rax+0x20], imm8.
// The immediates are the obfuscated characters, so the patterns are sample-specific.
$obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 }
$obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 }
$obfuscation3 = { 48 6B C0 00 C6 44 04 20 A8 B8 01 00 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 6B C0 03 C6 44 04 20 96 B8 01 00 00 00 48 6B C0 04 C6 44 04 20 B9 B8 01 00 00 00 48 6B C0 05 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 07 C6 44 04 20 9E B8 01 00 00 00 48 6B C0 08 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 09 C6 44 04 20 8D B8 01 00 00 00 48 6B C0 0A C6 44 04 20 BC B8 01 00 00 00 }
condition:
// MZ magic (PE file) and all three sequences.
uint16(0) == 0x5A4D
and $obfuscation1 and $obfuscation2 and $obfuscation3
}
rule MAL_APT_NK_Andariel_KaosRAT_Yamabot {
// Any 3 of 11 strings; no file-type gate, so it applies to PE and ELF builds alike
// (the symbol-style strings look like Go package.Function names — not verified here).
meta:
author = "CISA.gov"
description = "Detects the KaosRAT variant"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 70
id = "cdde69cd-1b38-52f5-8552-cef2cf4ad69c"
strings:
// URI path component used by the implant.
$str1 = "/kaos/"
// German log fragments ("Abstand [" ... "] anwenden").
$str2 = "Abstand ["
$str3 = "] anwenden"
// base64("recaptcha") and base64("captcha_session").
$str4 = "cmVjYXB0Y2hh"
$str5 = "/bin/sh"
$str6 = "utilities.CIpaddress"
$str7 = "engine.NewEgg"
// Generic format string; weak on its own, which is why 3 matches are required.
$str8 = "%s%04x%s%s%s"
$str9 = "Y2FwdGNoYV9zZXNzaW9u"
$str10 = "utilities.EierKochen"
$str11 = "kandidatKaufhaus"
condition:
3 of them
}
rule MAL_APT_NK_Andariel_CutieDrop_MagicRAT {
// Requires a PE header and 7 of the 8 active strings (the commented-out $POST_field_3
// does not count toward "them").
meta:
author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
description = "Detects the MagicRAT variant used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "104244de-83fb-5112-a2b6-e20d38a6ced6"
strings:
// I removed the 'wide' from the strings because the samples don't contain the strings
// UTF-16 formatted and there's no indication that they ever will be, F.R.
// Configuration keys: target OS and vendor selectors.
$config_os_w = "os/windows" ascii
$config_os_l = "os/linux" ascii
$config_os_m = "os/mac" ascii
$config_comp_msft = "company/microsoft" ascii
$config_comp_orcl = "company/oracle" ascii
// HTTP POST form field names.
$POST_field_1 = "session=" ascii
$POST_field_2 = "type=" ascii
// $POST_field_3 = "id=" ascii wide // disabled this string because it's too short
// Misspelled command keyword; the typo is part of the signature, do not "fix" it.
$command_misspelled = "renmae" ascii
condition:
uint16(0) == 0x5a4d
and 7 of them
}
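rule MAL_APT_NK_Andariel_HHSD_FileTransferTool {
// Opcode-pattern rule for the HHSD file transfer tool. All patterns were taken from
// x86-64 PE code (see the disassembly notes below), so the MZ header check is applied
// to every branch of the condition.
// NOTE(review): this rule appears twice in this listing under the same identifier;
// YARA rejects duplicate rule identifiers within one ruleset, so keep a single copy.
meta:
author = "CISA.gov"
description = "Detects a variant of the HHSD File Transfer Tool"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2025-07-09"
score = 70
id = "46b6dbaf-1272-5bbd-a586-5e48ba6c5022"
strings:
// Handshake constant check (0x78C022) with the surrounding xor/cmp/mov.
// 30 4D C7 xor [rbp+buffer_v41+3], cl
// 81 7D C4 22 C0 78 00 cmp dword ptr [rbp+buffer_v41], 78C022h
// 44 88 83 00 01 00 00 mov [rbx+100h], r8b
$handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 88 }
// XOR-encoded error string built on the stack with a run of dword stores.
// B1 14 mov cl, 14h
// C7 45 F7 14 00 41 00 mov [rbp+57h+Src], 410014h
// C7 45 FB 7A 00 7F 00 mov [rbp+57h+var_5C], 7F007Ah
// C7 45 FF 7B 00 63 00 mov [rbp+57h+var_58], 63007Bh
// C7 45 03 7A 00 34 00 mov [rbp+57h+var_54], 34007Ah
// C7 45 07 51 00 66 00 mov [rbp+57h+var_50], 660051h
// C7 45 0B 66 00 7B 00 mov [rbp+57h+var_4C], 7B0066h
// C7 45 0F 66 00 00 00 mov [rbp+57h+var_48], 66h ; 'f'
$err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 }
// 41 02 D0 add dl, r8b
// 44 02 DA add r11b, dl
// 3C 1F cmp al, 1Fh
// $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F } removed due to 1 byte atom
// API-hash resolution: a 32-bit hash moved into a register right before a call.
// B9 8D 10 B7 F8 mov ecx, 0F8B7108Dh
// E8 F1 BA FF FF call sub_140001280
$hash_call_loadlib = { B? 8D 10 B7 F8 E8 }
$hash_call_unk = { B? 91 B8 F6 88 E8 }
condition:
// Explicit grouping: YARA binds `and` tighter than `or`, so without the parentheses
// the `2 of` branch would be evaluated on files of any type, bypassing the MZ check.
uint16(0) == 0x5a4d
and (
( 1 of ($handshake, $err_xor_str) and 1 of ($hash_call_*) )
or 2 of ($handshake, $err_xor_str)
)
}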
rule MAL_APT_NK_Andariel_Atharvan_3RAT {
// PE header plus either of two build-environment artifacts (project path or PDB name).
// NOTE(review): this rule appears twice in this listing under the same identifier;
// YARA rejects duplicate rule identifiers within one ruleset, so keep a single copy.
meta:
author = "CISA.gov"
description = "Detects a variant of the Atharvan 3RAT malware family"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "9ff6998a-a2dd-5671-bd3f-ee69561f71ef"
strings:
// Developer project path left in the binary.
$3RAT = "D:\\rang\\TOOL\\3RAT"
// Debug symbol file name.
$atharvan = "Atharvan_dll.pdb"
condition:
uint16(0) == 0x5a4d
and 1 of them
}
rule MAL_APT_NK_Andariel_LilithRAT_Variant {
// Small PE (< 150KB) carrying either the full open-source Lilith string set, most of
// the variant-specific strings, or one of two highly specific strings.
meta:
author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
description = "Detects a variant of the Lilith RAT malware family"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2024-07-26"
score = 80
id = "916a289b-db7b-5f09-9d3e-589c3f09101d"
strings:
// I removed the 'wide' from the strings because the samples don't contain the strings
// UTF-16 formatted and there's no indication that they ever will be, F.R.
// The following are strings seen in the open source version of Lilith
$lilith_1 = "Initiate a CMD session first." ascii
$lilith_2 = "CMD is not open" ascii
$lilith_3 = "Couldn't write command" ascii
$lilith_4 = "Couldn't write to CMD: CMD not open" ascii
// The following are strings that appear to be unique to the Unnamed Trojan based on Lilith
$unique_1 = "Upload Error!" ascii
$unique_2 = "ERROR: Downloading is already running!" ascii
$unique_3 = "ERROR: Unable to open file:" ascii
// "General error" / "CMD error" / "killing self" are short and generic on their own;
// they only contribute to the 4-of-6 $unique_* branch.
$unique_4 = "General error" ascii
$unique_5 = "CMD error" ascii
$unique_6 = "killing self" ascii
condition:
// I refactored the condition to make it more generic, F.R.
uint16(0) == 0x5a4d
and filesize < 150KB
and (
all of ($lilith_*)
or 4 of ($unique_*)
or 1 of ($lilith_4, $unique_2) // both strings are very specific - let's use them as a unique indicator, F.R.
)
}
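rule MAL_APT_NK_Andariel_HHSD_FileTransferTool {
// Opcode-pattern rule for the HHSD file transfer tool. All patterns were taken from
// x86-64 PE code (see the disassembly notes below), so the MZ header check is applied
// to every branch of the condition.
// NOTE(review): this rule appears twice in this listing under the same identifier;
// YARA rejects duplicate rule identifiers within one ruleset, so keep a single copy.
meta:
author = "CISA.gov"
description = "Detects a variant of the HHSD File Transfer Tool"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2025-07-09"
score = 70
id = "46b6dbaf-1272-5bbd-a586-5e48ba6c5022"
strings:
// Handshake constant check (0x78C022) with the surrounding xor/cmp/mov.
// 30 4D C7 xor [rbp+buffer_v41+3], cl
// 81 7D C4 22 C0 78 00 cmp dword ptr [rbp+buffer_v41], 78C022h
// 44 88 83 00 01 00 00 mov [rbx+100h], r8b
$handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 88 }
// XOR-encoded error string built on the stack with a run of dword stores.
// B1 14 mov cl, 14h
// C7 45 F7 14 00 41 00 mov [rbp+57h+Src], 410014h
// C7 45 FB 7A 00 7F 00 mov [rbp+57h+var_5C], 7F007Ah
// C7 45 FF 7B 00 63 00 mov [rbp+57h+var_58], 63007Bh
// C7 45 03 7A 00 34 00 mov [rbp+57h+var_54], 34007Ah
// C7 45 07 51 00 66 00 mov [rbp+57h+var_50], 660051h
// C7 45 0B 66 00 7B 00 mov [rbp+57h+var_4C], 7B0066h
// C7 45 0F 66 00 00 00 mov [rbp+57h+var_48], 66h ; 'f'
$err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 }
// 41 02 D0 add dl, r8b
// 44 02 DA add r11b, dl
// 3C 1F cmp al, 1Fh
// $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F } removed due to 1 byte atom
// API-hash resolution: a 32-bit hash moved into a register right before a call.
// B9 8D 10 B7 F8 mov ecx, 0F8B7108Dh
// E8 F1 BA FF FF call sub_140001280
$hash_call_loadlib = { B? 8D 10 B7 F8 E8 }
$hash_call_unk = { B? 91 B8 F6 88 E8 }
condition:
// Explicit grouping: YARA binds `and` tighter than `or`, so without the parentheses
// the `2 of` branch would be evaluated on files of any type, bypassing the MZ check.
uint16(0) == 0x5a4d
and (
( 1 of ($handshake, $err_xor_str) and 1 of ($hash_call_*) )
or 2 of ($handshake, $err_xor_str)
)
}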
rule MAL_APT_NK_Andariel_Atharvan_3RAT {
// PE header plus either of two build-environment artifacts (project path or PDB name).
// NOTE(review): this rule appears twice in this listing under the same identifier;
// YARA rejects duplicate rule identifiers within one ruleset, so keep a single copy.
meta:
author = "CISA.gov"
description = "Detects a variant of the Atharvan 3RAT malware family"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "9ff6998a-a2dd-5671-bd3f-ee69561f71ef"
strings:
// Developer project path left in the binary.
$3RAT = "D:\\rang\\TOOL\\3RAT"
// Debug symbol file name.
$atharvan = "Atharvan_dll.pdb"
condition:
uint16(0) == 0x5a4d
and 1 of them
}
rule MAL_APT_NK_Andariel_SocksTroy_Strings_OpCodes {
// PE header plus either (a command-line switch and the opcode check) or the family name.
meta:
author = "CISA.gov"
description = "Detects a variant of the SocksTroy malware family"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "9e7fb6ba-771e-5cae-a0d5-c0b95ee6d4e9"
strings:
// Command-line switches, UTF-16 only (argv on Windows is typically wide).
$strHost = "-host" wide
$strAuth = "-auth" wide
// Family name; no modifier, so ASCII only.
$SocksTroy = "SocksTroy"
// Command-dispatch comparison chain: and reg,0xA0 / je / and reg,3 / je / and reg,2 / je / cmp reg,0xB.
$cOpCodeCheck = { 81 E? A0 00 00 00 0F 84 ?? ?? ?? ?? 83 E? 03 74 ?? 83 E? 02 74 ?? 83 F? 0B }
condition:
// `and` binds tighter than `or`, so this reads as
// (1 of ($str*) and all of ($c*)) or all of ($Socks*) — the family name alone suffices.
uint16(0) == 0x5a4d and (
1 of ($str*)
and all of ($c*)
or all of ($Socks*)
)
}
rule MAL_APT_NK_Andariel_Agni {
// Counts occurrences rather than presence: the decode loop must appear >100 times and
// the stack-string prologue >5 times, which characterises heavily string-obfuscated builds.
meta:
author = "CISA.gov"
description = "Detects samples of the Agni malware family"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "ffe3f427-c10a-5ad4-ab29-c0d9b576c30f"
strings:
// Single-byte XOR decode loop over a NUL-terminated buffer:
//   34 ??        xor al, key
//   88 01        mov [rcx], al
//   48 8D 49 01  lea rcx, [rcx+1]
//   0F B6 01     movzx eax, byte [rcx]
//   84 C0        test al, al
//   75 F1        jne loop
$xor = { 34 ?? 88 01 48 8D 49 01 0F B6 01 84 C0 75 F1 }
// Run of `mov dword [rsp+disp8], imm32` (C7 44 24 ...) stores building a string on the stack;
// the jumps allow for varying displacement/immediate sizes between stores.
$stackstrings = { C7 44 24 [5-10] C7 44 24 [5] C7 44 24 [5-10] C7 44 24 [5-10] C7 44 24 }
condition:
// #name is the match count of that string in the file.
uint16(0) == 0x5a4d
and #xor > 100
and #stackstrings > 5
}
rule MAL_APT_NK_Andariel_GoLang_Validalpha_Handshake {
// Single anonymous opcode pattern; no file-type gate, so it is evaluated on every file.
meta:
author = "CISA.gov"
description = "Detects a variant of the GoLang Validalpha malware"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 75
id = "51dafa43-9da0-569a-9123-7e9800284046"
strings:
// Writes the 3-byte marker AB CD EF into a buffer, then sets up a length of 3:
//   66 C7 00 AB CD   mov word [rax], 0xCDAB   (bytes AB CD in memory)
//   C6 40 02 EF      mov byte [rax+2], 0xEF
//   ?? 03 00 00 00   mov reg, 3
//   48 89 C1         mov rcx, rax
//   ?? 03 00 00 00   mov reg, 3
$ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 }
condition:
all of them
}
rule MAL_APT_NK_Andariel_GoLang_Validalpha_Tasks {
// All four Go symbol names (main.<Func>) must be present; no file-type gate, so
// both PE and ELF builds are covered. Anonymous strings ($) are fine with `all of them`.
meta:
author = "CISA.gov"
description = "Detects a variant of the GoLang Validalpha malware"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "caa67a79-3ea6-5910-971c-f311722570ff"
strings:
// Task implementations exported in the Go symbol table.
$ = "main.ScreenMonitThread"
$ = "main.CmdShell"
$ = "main.GetAllFoldersAndFiles"
$ = "main.SelfDelete"
condition:
all of them
}
rule MAL_APT_NK_Andariel_GoLang_Validalpha_BlackString {
// PE header plus a single developer build path; high score because the path is unique.
meta:
author = "CISA.gov"
description = "Detects a variant of the GoLang Validalpha malware based on a file path found in the samples"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 90
id = "36f46a1d-69b6-5c99-9a54-6a14d62d2721"
strings:
// Forward-slash source path as embedded by the Go toolchain.
$ = "I:/01___Tools/02__RAT/Black"
condition:
uint16(0) == 0x5A4D and all of them
}
rule MAL_APT_NK_Andariel_ELF_Backdoor_Fipps {
// ELF-only rule: all four strings are required.
meta:
author = "CISA.gov"
description = "Detects a Linux backdoor named Fipps used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "040bca78-8b7e-5397-8a2b-1ddeed59eea3"
strings:
$a = "found mac address"
$b = "RecvThread"
// Misspelled ("fipps") OpenSSL version tag — the typo is the distinctive part.
$c = "OpenSSL-1.0.0-fipps"
$d = "Disconnected!"
condition:
// 0x464c457f little-endian == the bytes 7F 45 4C 46 ("\x7fELF").
uint32(0) == 0x464c457f
and all of them
}
rule MAL_APT_NK_Andariel_BindShell {
// Generic bind-shell fingerprint: PE header and all six strings. The five API/env
// names are common to many legitimate binaries; only the port constant narrows it,
// hence the low score.
meta:
author = "CISA.gov"
description = "Detects a BindShell used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2026-01-29"
score = 50 // prone to FPs
id = "3f6d83da-cea5-5e12-b0ba-93ace09d3d5c"
strings:
// Environment variable and Win32 imports typical of a socket-backed cmd.exe spawner.
$str_comspec = "COMSPEC"
$str_consolewindow = "GetConsoleWindow"
$str_ShowWindow = "ShowWindow"
$str_WSASocketA = "WSASocketA"
$str_CreateProcessA = "CreateProcessA"
// B9 4D 05 00 00 = mov ecx, 0x54D (1357); presumably the hard-coded listening port,
// judging by the string name — confirm against the sample.
$str_port = { B9 4D 05 00 00 89 }
condition:
uint16(0) == 0x5A4D
and all of them
}
rule MAL_APT_NK_Andariel_Grease2 {
// PE header plus all four strings: two RDP-wrapper tool names in a temp path and two
// account-manipulation command fragments.
meta:
author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
description = "Detects the Grease2 malware family used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2024-07-26"
score = 80
id = "4defbe08-b3c6-5ab9-9a57-cec57ff42d9a"
strings:
/* I bet this was an error and fixed the strings - I allow you to kick my butt when I'm wrong
$str_rdpconf = "c: \\windows\\temp\\RDPConf.exe" fullword nocase
$str_rdpwinst = "c: \\windows\\temp\\RDPWInst.exe" fullword nocase
*/
// Tail of "...\temp\RDPConf.exe"; case-sensitive, so variants with different casing will not match.
$str_rdpconf = "emp\\RDPConf.exe" // I removed the beginning of the string because the spaces looked like an error and I don't want to use nocase here, F.R.
$str_rdpwinst = "emp\\RDPWInst.exe"
// Short and common on their own; only meaningful because `all of them` is required.
$str_net_user = "net user"
$str_admins_add = "net localgroup administrators"
condition:
uint16(0) == 0x5A4D and
all of them
}
rule MAL_APT_NK_Andariel_NoPineapple_Dtrack_Unpacked {
// Unpacked-sample rule: PE header and all three strings (marker, Qt version, opcode fragment).
meta:
author = "CISA.gov"
description = "Detects the Dtrack variant used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "6ccaf24b-c110-5788-a792-fa7f39fb18f7"
strings:
// Distinctive marker string that names this variant.
$str_nopineapple = "< No Pineapple! >"
// Statically linked Qt version banner; weak alone, required in combination.
$str_qt_library = "Qt 5.12.10"
// mov edx,[rax] / xor esi,imm8 / cmp edx,1 / ja — presumably part of the string decoder; confirm.
$str_xor = { 8B 10 83 F6 ?? 83 FA 01 77 }
condition:
uint16(0) == 0x5A4D
and all of them
}
rule MAL_APT_NK_Andariel_DTrack_Unpacked {
// PE header plus either one of the two highly specific command lines ($x*) or any 3 of all 5.
meta:
author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
description = "Detects DTrack variant used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2024-07-26"
score = 75
id = "0c161275-2b2e-51a4-9e08-c118fb4c8671"
strings:
// Recon command line (systeminfo/tasklist/netstat redirected to files), UTF-16.
$x_str_cmd_4 = "/c systeminfo > \"%s\" & tasklist > \"%s\" & netstat -naop tcp > \"%s\"" wide
// Note the oddities "127.0.01" and "% echo": presumably verbatim from the sample, so do not "correct" them.
$x_str_cmd_2 = "/c ping -n 3 127.0.01 > NUL % echo EEE > \"%s\"" wide
// Mutex name; no modifier, so ASCII only.
$str_mutex = "MTX_Global"
// Lateral file-copy command fragments, UTF-16.
$str_cmd_1 = "/c net use \\\\" wide
$str_cmd_3 = "/c move /y %s \\\\" wide
condition:
// I changed the condition here because there are two strings which are highly specific and unique, F.R.
uint16(0) == 0x5A4D
and (
1 of ($x*)
or 3 of them
)
}
rule MAL_APT_NK_Andariel_TigerRAT_Crowdsourced_Rule {
// PE header plus one of three string tiers: all $s*, or all $m* with one $s*, or 2 $m* + 2 $s*.
meta:
author = "CISA.gov (modified by Florian Roth, Nextron Systems)"
description = "Detects the Tiger RAT variant used by Andariel"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
modified = "2024-07-26"
score = 75
id = "6be65222-7d3c-5ff5-a9c7-d91dcf1deaa6"
strings:
// MSVC RTTI type descriptor names (.?AV<class>@@) of the RAT's module classes.
$m1 = ".?AVModuleKeyLogger@@" fullword ascii
$m2 = ".?AVModulePortForwarder@@" fullword ascii
$m3 = ".?AVModuleScreenCapture@@" fullword ascii
$m4 = ".?AVModuleShell@@" fullword ascii
// Keylogger output file name (UTF-16) and log-record format strings.
$s1 = "\\x9891-009942-xnopcopie.dat" fullword wide
$s2 = "(%02d : %02d-%02d %02d:%02d:%02d)--- %s[Clipboard]" fullword ascii
$s3 = "[%02d : %02d-%02d %02d:%02d:%02d]--- %s[Title]" fullword ascii
// Self-delete batch fragment.
$s4 = "del \"%s\"%s \"%s\" goto " ascii
// $s5 = "[<<]" fullword ascii // we don't need that short string and the rule probably doesn't lose anything without it, F.R.
condition:
uint16(0) == 0x5a4d and (
all of ($s*) or (
all of ($m*) and 1 of ($s*)
)
or (
2 of ($m*) and 2 of ($s*)
)
)
}