YARA rules for Maze
YARA rules whose family, name, or description textually matches this actor's name or its tooling; because the match is by name, confirm each rule's reference field before attributing a hit. Use these for binary-pattern hunts.
rule apt_RU_MoonlightMaze_xk_keylogger {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'xk' keylogger"
        id = "cf585cd0-afdd-5782-a6e5-bb9509cbf01d"
    strings:
        // Session banners the keylogger writes at start and end of a log
        $log_end      = "Log ended at => %s"
        $log_start    = "Log started at => %s [pid %d]"
        // Working files under /var/tmp; fullword on the bare
        // "/var/tmp/task" keeps it from firing inside the longer task* paths
        $p_task       = "/var/tmp/task" fullword
        $p_taskhost   = "/var/tmp/taskhost" fullword
        $hostname_fmt = "my hostname: %s"
        $p_tasklog    = "/var/tmp/tasklog"
        $p_xtmp       = "/var/tmp/.Xtmp01" fullword
        $filename_fmt = "myfilename=-%s-"
        $p_taskpid    = "/var/tmp/taskpid"
        $pid_fmt      = "mypid=-%d-" fullword
        $p_taskgid    = "/var/tmp/taskgid" fullword
        $gid_fmt      = "mygid=-%d-" fullword
    condition:
        // Any three of the twelve markers. There is no ELF magic gate, so the
        // rule is not restricted to executables (memory dumps also qualify).
        3 of them
}
rule apt_RU_MoonlightMaze_encrypted_keylog {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze encrypted keylogger logs"
        id = "f0d464f0-3955-5f41-a57f-8aa225e1171d"
    strings:
        // Eight-byte header of the encrypted log files
        $hdr = { 47 01 22 2A 6D 3E 39 2C }
    condition:
        // uint32(0) is read little-endian, so 0x2a220147 is exactly the first
        // four bytes of $hdr: the integer test is a cheap pre-filter and the
        // anchored pattern then confirms all eight header bytes
        uint32(0) == 0x2a220147 and $hdr at 0
}
rule apt_RU_MoonlightMaze_IRIX_exploit_GEN {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        hash = "008ea82f31f585622353bd47fa1d84be" //df3
        hash = "a26bad2b79075f454c83203fa00ed50c" //log
        hash = "f67fc6e90f05ba13f207c7fdaa8c2cab" //xconsole
        hash = "5937db3896cdd8b0beb3df44e509e136" //xlock
        hash = "f4ed5170dcea7e5ba62537d84392b280" //xterm
        id = "4f9ab7b0-4fb9-5311-ae23-01d0a9e2e104"
    strings:
        // Format string the exploit prints (stack and target address)
        $fmt_stack  = "stack = 0x%x, targ_addr = 0x%x"
        // Error text emitted when the exec step fails
        $execl_fail = "execl failed"
    condition:
        // 0x464c457f is "\x7fELF" read little-endian: ELF files only,
        // and both markers must be present
        uint32(0) == 0x464c457f and all of them
}
rule apt_RU_MoonlightMaze_u_logcleaner {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect log cleaners based on utclean.c"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        hash = "d98796dcda1443a37b124dbdc041fe3b"
        hash = "73a518f0a73ab77033121d4191172820"
        id = "2dc1b796-c8fe-5a87-9d6b-3a322f4a43ab"
    strings:
        // NOTE(review): this literal ends in the letter "n". If the source
        // printed "...\n", the backslash was lost in publication and this
        // string will never match the compiled binary -- confirm against
        // the referenced utclean.c before relying on it alone.
        $banner = "Hiding complit...n"
        $usage  = "usage: %s <username> <fixthings> [hostname]"
        // Shell fragment that swaps in the rewritten wtmp
        $shell  = "ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp"
    condition:
        // ELF magic (little-endian "\x7fELF"), then a single marker suffices
        uint32(0) == 0x464c457f and 1 of them
}
rule apt_RU_MoonlightMaze_wipe {
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect log cleaner based on wipe.c"
        reference2 = "http://www.afn.org/~afn28925/wipe.c"
        hash = "e69efc504934551c6a77b525d5343241"
        id = "35060c3d-b805-54a6-a241-eb6e99168fa8"
    strings:
        // Error and usage text from the wipe.c log cleaner
        $err_unlink = "ERROR: Unlinking tmp WTMP file."
        $usage      = "USAGE: wipe [ u|w|l|a ] ...options..."
        $help_acct  = "Erase acct entries on tty : wipe a [username] [tty]"
        $help_last  = "Alter lastlog entry : wipe l [username] [tty] [time] [host]"
    condition:
        // ELF magic (little-endian "\x7fELF") plus any two of the four markers
        uint32(0) == 0x464c457f and 2 of them
}