YARA rules for Project Sauron / Strider
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// Text-level indicators for the Project Sauron Lua/tool scripts described in the
// Kaspersky report: implant exec-helper calls, module pipelines and a config key.
// There is no PE-header or filesize gate because the targets are script files, and
// a single matching fragment is enough to fire (condition: 1 of them).
rule APT_Project_Sauron_Scripts {
    meta:
        description = "Detects scripts (mostly LUA) from Project Sauron report by Kaspersky"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        id = "575a6f1b-5a4d-5f81-b44a-b7025dbec2a5"
    strings:
        // Lua fragments invoking the implant's exec helpers (w.exec2str / w.exec)
        $x1 = "local t = w.exec2str(\"regedit "
        $x2 = "local r = w.exec2str(\"cat"
        // file globs and the "VirtualEncryptedNetwork" component file names
        $x3 = "ap*.txt link*.txt node*.tun VirtualEncryptedNetwork.licence"
        $x4 = "move O FakeVirtualEncryptedNetwork.dll"
        // pipelines through the basex / dext modules (covered separately by the
        // APT_Project_Sauron_basex_module / _dext_module rules)
        $x5 = "sinfo | basex b 32url | dext l 30"
        $x6 = "w.exec2str(execStr)"
        $x7 = "netnfo irc | basex b 32url"
        $x8 = "w.exec(\"wfw status\")"
        // NOTE(review): shortest fragment in the set; triage a hit on $x9 alone with extra care
        $x9 = "exec(\"samdump\")"
        $x10 = "cat VirtualEncryptedNetwork.ini|grep"
        $x11 = "if string.lower(k) == \"securityproviders\" then"
        $x12 = "exec2str(\"plist b | grep netsvcs\")"
        // config key name; the original numbering skips $x13
        $x14 = "SAURON_KBLOG_KEY ="
    condition:
        1 of them
}
// Help-text strings from the Project Sauron "arping" module. All three strings are
// required and there is no PE/filesize gate. NOTE(review): the strings read like
// generic CLI usage text, so confirm a hit against the other Sauron rules on the
// same host before escalating.
rule APT_Project_Sauron_arping_module {
    meta:
        description = "Detects strings from arping module - Project Sauron report by Kaspersky"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        id = "42389511-de92-57cb-9dee-9f829fd5e55a"
    strings:
        $s1 = "Resolve hosts that answer"
        $s2 = "Print only replying Ips"
        $s3 = "Do not display MAC addresses"
    condition:
        all of them
}
// Help-text strings from the Project Sauron "kblogi" module. $x1 is treated as a
// high-confidence marker and fires on its own; without it, both $s2 and $s3 are
// needed ("2 of them" over the three strings). No PE/filesize gate.
rule APT_Project_Sauron_kblogi_module {
    meta:
        description = "Detects strings from kblogi module - Project Sauron report by Kaspersky"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        id = "e1dd4d1a-1089-5897-8f4a-52c7068802fa"
    strings:
        // usage text for the module's injection target option
        $x1 = "Inject using process name or pid. Default"
        $s2 = "Convert mode: Read log from file and convert to text"
        $s3 = "Maximum running time in seconds"
    condition:
        $x1 or 2 of them
}
// Help-text strings from the Project Sauron "basex" encoder module. $x1 (the list of
// supported encodings) fires alone; otherwise both $s2 and $s3 are required. No
// PE/filesize gate. $s3 "This cruft" is shared with the dext module and with the
// generic Hacktool_This_Cruft rule below.
rule APT_Project_Sauron_basex_module {
    meta:
        description = "Detects strings from basex module - Project Sauron report by Kaspersky"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        id = "51ef3826-af5c-562b-a1f8-3bf11532ac2d"
    strings:
        // encoding names matching the "basex b 32url" usage seen in the Scripts rule
        $x1 = "64, 64url, 32, 32url or 16."
        $s2 = "Force decoding when input is invalid/corrupt"
        $s3 = "This cruft"
    condition:
        $x1 or 2 of them
}
// Help-text strings from the Project Sauron "dext" module, whose usage text describes
// splitting data into DNS names and reassembling it (DNS-based data transfer). Any two
// of the four strings fire; no PE/filesize gate. $x4 is the generic "This cruft"
// marker also used by the basex module and Hacktool_This_Cruft.
rule APT_Project_Sauron_dext_module {
    meta:
        description = "Detects strings from dext module - Project Sauron report by Kaspersky"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        id = "d69373e0-d6ad-5475-8766-06e865620ed8"
    strings:
        $x1 = "Assemble rows of DNS names back to a single string of data"
        $x2 = "removes checks of DNS names and lengths (during split)"
        $x3 = "Randomize data lengths (length/2 to length)"
        $x4 = "This cruft"
    condition:
        2 of them
}
// Generic hack-tool marker: the fullword string "This cruft" in a small PE file
// (MZ header, < 200KB). The description notes the string is shared with netcat /
// cryptcat builds, which is why this carries a lower score (60) than the Sauron
// specific rules — expect hits on legitimate admin tooling and triage accordingly.
rule Hacktool_This_Cruft {
    meta:
        description = "Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        score = 60
        id = "a39de541-19b5-5b7e-a3dc-51a5309181e5"
    strings:
        $x1 = "This cruft" fullword
    condition:
        // uint16(0) == 0x5a4d is the "MZ" DOS header check
        ( uint16(0) == 0x5a4d and filesize < 200KB and $x1 )
}
// Sample-specific rule (hash1) for a Sauron module posing as "Network Configuration
// Locator" (ncnfloc.dll). Two paths fire: a gated path (MZ header, < 200KB, both
// name/description strings and at least one opcode sequence), or an ungated path
// where every string and opcode matches regardless of size.
rule APT_Project_Sauron_Custom_M1 {
    meta:
        description = "Detects malware from Project Sauron APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9"
        id = "c741bd7d-1885-55f1-a5b3-8f00fda2fe39"
    strings:
        // UTF-16 module name and version-info description; numbering skips $s2/$s3
        $s1 = "ncnfloc.dll" fullword wide
        $s4 = "Network Configuration Locator" fullword wide
        // $op0/$op1 recur verbatim in APT_Project_Sauron_Custom_M6; $op2 is a concrete
        // instance of the remsec_packer_B code pattern (Symantec rule below)
        $op0 = { 80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7 } /* Opcode */
        $op1 = { 80 75 29 85 c9 79 25 b9 01 } /* Opcode */
        $op2 = { 2b d8 48 89 7c 24 38 44 89 6c 24 40 83 c3 08 89 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) ) and 1 of ($op*) ) or ( all of them )
}
// Sample-specific rule (hash1). Requires the MZ header, filesize < 400KB, the single
// $s string and all three opcode sequences — the strictest of the Custom_M* rules.
rule APT_Project_Sauron_Custom_M2 {
    meta:
        description = "Detects malware from Project Sauron APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8"
        id = "79abe5f2-a750-5018-a67f-6ee1c51a2ca1"
    strings:
        // YARA escaping: matches the literal bytes \*\3vpn
        $s2 = "\\*\\3vpn" ascii
        $op0 = { 55 8b ec 83 ec 0c 53 56 33 f6 39 75 08 57 89 75 } /* Opcode */
        $op1 = { 59 59 c3 8b 65 e8 ff 75 88 ff 15 50 20 40 00 ff } /* Opcode */
        // $op2 (8b 4f 06 ...) is the tail of the remsec_executable_blob_parser pattern;
        // near-identical variants appear in Custom_M3 $op0 and Custom_M4 $op2
        $op2 = { 8b 4f 06 85 c9 74 14 83 f9 12 0f 82 a7 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and ( all of ($s*) ) and all of ($op*) )
}
// Sample-specific rule (hash1) for a module carrying the placeholder name
// "ExampleProject.dll". Requires MZ header, filesize < 1000KB, the name string and
// all three opcode sequences.
rule APT_Project_Sauron_Custom_M3 {
    meta:
        description = "Detects malware from Project Sauron APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec"
        id = "555b37a2-6a3c-539f-81dc-24c739795510"
    strings:
        $s1 = "ExampleProject.dll" fullword ascii
        // same 8b 4f 06 ... sequence as Custom_M2 $op2 / Custom_M4 $op2, differing only
        // in the compared immediate (13) and the branch displacement
        $op0 = { 8b 4f 06 85 c9 74 14 83 f9 13 0f 82 ba } /* Opcode */
        $op1 = { ff 15 34 20 00 10 85 c0 59 a3 60 30 00 10 75 04 } /* Opcode */
        $op2 = { 55 8b ec ff 4d 0c 75 09 ff 75 08 ff 15 00 20 00 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) and all of ($op*) )
}
// Sample-specific rule (hash1) for a module posing as "XPS Manager" (xpsmngr.dll).
// Gated path: MZ header, filesize < 90KB, both UTF-16 strings and at least one
// opcode; ungated fallback when every string and opcode matches.
rule APT_Project_Sauron_Custom_M4 {
    meta:
        description = "Detects malware from Project Sauron APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57"
        id = "32717ace-ff56-5b5b-8ed9-4bb353886eea"
    strings:
        $s1 = "xpsmngr.dll" fullword wide
        $s2 = "XPS Manager" fullword wide
        $op0 = { 89 4d e8 89 4d ec 89 4d f0 ff d2 3d 08 00 00 c6 } /* Opcode */
        // $op1 differs from Custom_M3 $op2 only in the call target bytes
        $op1 = { 55 8b ec ff 4d 0c 75 09 ff 75 08 ff 15 04 20 5b } /* Opcode */
        // variant of the 8b 4f 06 ... sequence shared with Custom_M2 / Custom_M3
        $op2 = { 8b 4f 06 85 c9 74 14 83 f9 13 0f 82 b6 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 90KB and ( all of ($s*) ) and 1 of ($op*) ) or ( all of them )
}
// Sample-specific rule (hash1) for a module posing as "Remote Security Engine"
// (rseceng.dll). Same two-path condition shape as Custom_M1; numbering skips M5.
rule APT_Project_Sauron_Custom_M6 {
    meta:
        description = "Detects malware from Project Sauron APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8"
        id = "1aa6dd43-52ac-5321-9941-767833073c37"
    strings:
        $s1 = "rseceng.dll" fullword wide
        $s2 = "Remote Security Engine" fullword wide
        $op0 = { 8b 0d d5 1d 00 00 85 c9 0f 8e a2 } /* Opcode */
        // $op1/$op2 are byte-identical to Custom_M1 $op0/$op1 — a shared code
        // fragment, so both rules may fire on the same sample
        $op1 = { 80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7 } /* Opcode */
        $op2 = { 80 75 29 85 c9 79 25 b9 01 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) ) and 1 of ($op*) ) or ( all of them )
}
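// Rule for two samples (hash1, hash2) posing as the AOL security package
// (MSAOSSPC.dll). Gate: MZ header and filesize < 200KB. Then either three $s*
// strings plus three opcodes, or one high-confidence $sx* string plus one $sa*
// name/description string.
//
// Fix: the original listed "AOL Security Package" fullword wide twice ($sa4 and
// $sa5). Identical strings always match together, so the duplicate let the
// "3 of ($s*)" clause be satisfied by only two distinct indicators. The duplicate
// is removed so the threshold counts distinct strings as intended.
rule APT_Project_Sauron_Custom_M7 {
    meta:
        description = "Detects malware from Project Sauron APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd"
        hash2 = "7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca"
        id = "c5e83e1a-872d-53b3-a74a-b1a9b4a89168"
    strings:
        // $sx* — higher-confidence artefacts
        $sx1 = "Default user" fullword wide
        // the leading 'H' is an artefact of the sample and is matched deliberately
        $sx2 = "Hincorrect header check" fullword ascii /* Typo */
        // $sa* — module file name in several encodings/cases plus version-info text
        $sa1 = "MSAOSSPC.dll" fullword ascii
        $sa2 = "MSAOSSPC.DLL" fullword wide
        $sa3 = "MSAOSSPC" fullword wide
        $sa4 = "AOL Security Package" fullword wide
        $sa6 = "AOL Client for 32 bit platforms" fullword wide
        $op0 = { 8b ce 5b e9 4b ff ff ff 55 8b ec 51 53 8b 5d 08 } /* Opcode */
        $op1 = { e8 0a fe ff ff 8b 4d 14 89 46 04 89 41 04 8b 45 } /* Opcode */
        $op2 = { e9 29 ff ff ff 83 7d fc 00 0f 84 cf 0a 00 00 8b } /* Opcode */
        $op3 = { 83 f8 0c 0f 85 3a 01 00 00 44 2b 41 6c 41 8b c9 } /* Opcode */
        $op4 = { 44 39 57 0c 0f 84 d6 0c 00 00 44 89 6f 18 45 89 } /* Opcode */
        $op5 = { c1 ed 02 83 c6 fe e9 68 fe ff ff 44 39 57 08 75 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and
        (
            // $s* covers both the $sx* and $sa* groups
            ( 3 of ($s*) and 3 of ($op*) ) or
            ( 1 of ($sx*) and 1 of ($sa*) )
        )
}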
// Kaspersky rule for the ProjectSauron named-pipe backdoors. Matches small PE files
// (< 100000 bytes) that contain, as plain ASCII, the four import names used for
// pipe creation / DACL handling / overlapped I/O / thread teardown, plus one
// UTF-16 format string. Because the API names must appear in clear text, packed or
// encrypted samples are out of scope here — see the apt_ProjectSauron_encrypted_*
// rules for those.
rule apt_ProjectSauron_pipe_backdoor {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron pipe backdoors"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "5a1dd4b3-a03c-51bb-a7bc-25729b487f70"
    strings:
        $a1 = "CreateNamedPipeW" fullword ascii
        $a2 = "SetSecurityDescriptorDacl" fullword ascii
        $a3 = "GetOverlappedResult" fullword ascii
        $a4 = "TerminateThread" fullword ascii
        // format string, likely used to build a pipe/object name (not spelled out here)
        $a5 = "%s%s%X" fullword wide
    condition:
        uint16(0) == 0x5A4D
        and (all of ($a*))
        and filesize < 100000
}
// Kaspersky rule for the ProjectSauron LSA component. Fires on any one of the
// fixed artefacts ($a1-$a7), or — for encrypted samples with no recoverable
// strings — on a PE that exports the two Windows password-filter entry points
// and has near-maximal entropy (>= 7.5 bits/byte) past the first 0x400 bytes.
// Requires `import "pe"` and `import "math"` at the top of the rule file for
// pe.exports() and math.entropy(); neither import is visible in this listing.
rule apt_ProjectSauron_encrypted_LSA {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron encrypted LSA samples"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "f6fd8619-60f0-5c0d-aa66-cd0e154de63c"
    strings:
        // 64-character hex constant embedded in the samples (treated as an opaque marker)
        $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii
        // device / named-object paths with the actor's hard-coded GUIDs
        $a2 = "\\Device\\NdisRaw_" ascii
        $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide
        $a4 = "Global\\{a07f6ba7-8383-4104-a154-e582e85a32eb}" fullword wide
        $a5 = "Missing function %S::#%d" fullword wide
        // 32-bit and 64-bit code fragments; $a7 overlaps heavily with the
        // remsec_packer_B pattern in the Symantec rules below
        $a6 = {8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15}
        $a7 = {488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF}
    condition:
        uint16(0) == 0x5A4D
        and (any of ($a*) or
        (
            // password-filter DLL exports + high entropy: heuristic branch for
            // samples whose payload is fully encrypted
            pe.exports("InitializeChangeNotify") and
            pe.exports("PasswordChangeNotify") and
            math.entropy(0x400, filesize) >= 7.5
        ))
        and filesize < 1000000
}
// Kaspersky heuristic for the encrypted ProjectSauron SSPI component. There are no
// strings: the rule keys purely on PE metadata — a 64-bit DLL (AMD64 or IA64)
// exporting InitSecurityInterfaceA, under 1000000 bytes, with entropy >= 7.5
// bits/byte past offset 0x400. Any packed or otherwise high-entropy 64-bit
// security-support-provider DLL meets these conditions, so treat hits as leads
// that need confirmation rather than as a positive identification.
// Requires `import "pe"` and `import "math"` at the top of the rule file; neither
// import is visible in this listing.
rule apt_ProjectSauron_encrypted_SSPI {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect encrypted ProjectSauron SSPI samples"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "43c0e772-46d2-510e-bea1-6f505199f38c"
    condition:
        uint16(0) == 0x5A4D and
        filesize < 1000000 and
        pe.exports("InitSecurityInterfaceA") and
        pe.characteristics & pe.DLL and
        (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and
        math.entropy(0x400, filesize) >= 7.5
}
// Kaspersky rule for the ProjectSauron "MyTrampoline" module. Gate: MZ header and
// filesize < 5000000. Then either all three $a strings (a System Volume Information
// path prefix, a raw physical-drive path and a window-class name) or either of the
// two hard-coded GUIDs in $b.
rule apt_ProjectSauron_MyTrampoline {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron MyTrampoline module"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "b4f2cabf-11da-5fa1-8c23-0a177f8a4741"
    strings:
        $a1 = ":\\System Volume Information\\{" wide
        $a2 = "\\\\.\\PhysicalDrive%d" wide
        // no modifier: YARA's default is ascii
        $a3 = "DMWndClassX%d"
        $b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide
        $b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5000000 and
        (all of ($a*) or any of ($b*))
}
// Kaspersky rule for the ProjectSauron encrypted container format. Matches a PE
// whose VFS header marker occurs within the first 0x4000 bytes (or that carries
// the fixed 16-byte salt anywhere) and whose content after offset 0x400 has
// entropy >= 6.5 bits/byte. The `filesize > 0x400` guard keeps the entropy window
// non-empty. Requires `import "math"` at the top of the rule file; the import is
// not visible in this listing.
rule apt_ProjectSauron_encrypted_container {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron samples encrypted container"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "4462ebd9-24eb-570a-94b8-6fa6bf2a5a63"
    strings:
        // 02 AA 02 C1 also appears in apt_ProjectSauron_encryption $a1 and in the
        // remsec_executable_blob_parser pattern; the last nibble is wildcarded
        $vfs_header = {02 AA 02 C1 02 0?}
        $salt = {91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55}
    condition:
        uint16(0) == 0x5A4D
        // @vfs_header is the offset of the first occurrence
        and ((@vfs_header < 0x4000) or $salt) and
        math.entropy(0x400, filesize) >= 6.5 and
        (filesize > 0x400) and filesize < 10000000
}
// Kaspersky rule for ProjectSauron string-encryption code. Any one of three hex
// patterns in a file under 5000000 bytes fires; there is deliberately no MZ gate,
// so the rule also covers non-PE carriers (memory dumps, containers).
rule apt_ProjectSauron_encryption {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron string encryption"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "b3139045-54f5-5d59-980b-8510faa9ad0e"
    strings:
        // compare against the 02 AA 02 C1 marker followed by a short jump and a load
        // — a concrete instance of the remsec_executable_blob_parser pattern
        $a1 = {81??02AA02C175??8B??0685}
        // 28-byte encoded-string constant; the plaintext is not given in this listing.
        // Its byte transform looks identical to remsec_encrypted_api $open_process
        $a2 = {918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF}
        // four consecutive byte compares (22, 9F, BE, 09) at offsets 0..3
        $a3 = {803E225775??807E019F75??807E02BE75??807E0309}
    condition:
        filesize < 5000000 and
        any of ($a*)
}
// Kaspersky generic rule for the ProjectSauron pipe-backdoor family. Each string on
// its own is weak ("rand" and "WS2_32" are common), which is why all five are
// required together with the MZ header and filesize < 400000.
rule apt_ProjectSauron_generic_pipe_backdoor {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron generic pipe backdoors"
        version = "1.0"
        reference = "https://securelist.com/blog/"
        id = "77a82c67-7ee1-5d1f-ad75-28ce174e41bc"
    strings:
        // C7 = mov imm32, with a 2-3 byte operand gap before the 32323232 constant
        $a = { C7 [2-3] 32 32 32 32 E8 }
        $b = { 42 12 67 6B }
        // ASCII "%1_s"
        $c = { 25 31 5F 73 }
        $d = "rand"
        $e = "WS2_32"
    condition:
        uint16(0) == 0x5A4D and
        (all of them) and
        filesize < 400000
}
// Symantec Remsec rule: 32-bit variant of a code sequence from the executable-blob
// decoding routine. With a single string, "all of them" is just "$code". No MZ or
// filesize gate, so the pattern is evaluated against every scanned file.
rule remsec_executable_blob_32 {
    meta:
        copyright = "Symantec"
        description = "Detects malware from Symantec's Strider APT report"
        score = 80
        date = "2016/08/08"
        reference = "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
        id = "d7a7e57a-b117-5da8-a7a2-4c6351bd9072"
    strings:
        // remsec_executable_blob_64 is the same sequence with a 48 (REX) prefix
        $code = { 31 06 83 C6 04 D1 E8 73 05 35 01 00 00 D0 E2 F0 }
    condition:
        all of them
}
// Symantec Remsec rule: 64-bit variant of the executable-blob decoding sequence in
// remsec_executable_blob_32 — identical apart from the inserted 48 (REX) prefix
// before 83 C6 04 and the final loop displacement (EF vs F0). No MZ/filesize gate.
rule remsec_executable_blob_64 {
    meta:
        copyright = "Symantec"
        description = "Detects malware from Symantec's Strider APT report"
        score = 80
        date = "2016/08/08"
        reference = "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
        id = "22345f40-3dae-5d5b-acc6-c67394475636"
    strings:
        $code = { 31 06 48 83 C6 04 D1 E8 73 05 35 01 00 00 D0 E2 EF }
    condition:
        all of them
}
// Symantec Remsec rule for the blob-header parser: two byte compares (04 02, then
// the 02 AA 02 C1 marker) each followed by a short or near conditional jump, then
// a load from offset 06. The alternation groups admit both 32-bit and REX-prefixed
// 64-bit encodings and several register/stack operand forms. The same marker is
// used by apt_ProjectSauron_encrypted_container $vfs_header and
// apt_ProjectSauron_encryption $a1; the 8B 4F 06 tail appears concretely in the
// Custom_M2/M3/M4 $op strings. No MZ/filesize gate.
rule remsec_executable_blob_parser {
    meta:
        copyright = "Symantec"
        description = "Detects malware from Symantec's Strider APT report"
        score = 80
        date = "2016/08/08"
        reference = "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
        id = "b2189bfe-7b84-5fe9-8829-64f49d1e2030"
    strings:
        $code = { ( 0F 82 ?? ?? 00 00 | 72 ?? ) ( 80 | 41 80 ) ( 7? | 7C 24 ) 04 02 ( 0F 85 ?? ?? 00 00 | 75 ?? ) ( 81 | 41 81 ) ( 3? | 3C 24 | 7D 00 ) 02 AA 02 C1 ( 0F 85 ?? ?? 00 00 | 75 ?? ) ( 8B | 41 8B | 44 8B | 45 8B ) ( 4? | 5? | 6? | 7? | ?4 24 | ?C 24 ) 06 }
    condition:
        all of them
}
// Symantec Remsec rule keyed on a 12-byte encoded constant. The string name
// indicates it is an obfuscated "OpenProcess" API-name string; the exact encoding
// is not spelled out here, but the byte transform appears to match
// apt_ProjectSauron_encryption $a2. No MZ/filesize gate.
rule remsec_encrypted_api {
    meta:
        copyright = "Symantec"
        description = "Detects malware from Symantec's Strider APT report"
        score = 80
        date = "2016/08/08"
        reference = "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
        id = "1aa3380b-d704-5eb9-b25d-f4bf20ae7179"
    strings:
        $open_process = { 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF }
    condition:
        all of them
}
// Symantec Remsec packer rule (variant A): an arithmetic sequence built from
// imul (69 ...) with immediate 0xAB, an add/or-class op (81 C?) with immediate
// 0x2BCD, mul (F7 E?), a shift by 0x0D, a second imul with immediate 0xCF85 and a
// final sub (29/2B). The alternations cover 32-bit and REX-prefixed 64-bit
// encodings. Register nibbles are wildcarded, so the pattern survives register
// reallocation between builds. No MZ/filesize gate.
rule remsec_packer_A {
    meta:
        copyright = "Symantec"
        description = "Detects malware from Symantec's Strider APT report"
        score = 80
        date = "2016/08/08"
        reference = "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
        id = "d75198ab-b1ea-572a-a674-9a38c3e2958b"
    strings:
        $code = { 69 ( C? | D? | E? | F? ) AB 00 00 00 ( 81 | 41 81 ) C? CD 2B 00 00 ( F7 | 41 F7 ) E? ( C1 | 41 C1 ) E? 0D ( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00 ( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B ) }
    condition:
        all of them
}
// Symantec Remsec packer rule (variant B), x86-64 only: two RIP-relative loads
// (48 8B 05 ...), a series of stack-slot stores at [rsp+disp8], a small dword
// constant store, a sub / add-8 bookkeeping pair, an indirect call and a trailing
// 00 00 00 3A constant. Displacements are wildcarded. Concrete instances of this
// sequence appear as apt_ProjectSauron_encrypted_LSA $a7 and (the middle section)
// APT_Project_Sauron_Custom_M1 $op2, so several rules can fire on one sample.
// No MZ/filesize gate.
rule remsec_packer_B {
    meta:
        copyright = "Symantec"
        description = "Detects malware from Symantec's Strider APT report"
        score = 80
        date = "2016/08/08"
        reference = "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
        id = "18e7f84e-27f2-532d-9ead-0db6e9e6c0b2"
    strings:
        $code = { 48 8B 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 8B 05 ?? ?? ?? ?? 48 8D 4C 24 ?? 48 89 44 24 ?? 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) ( 44 88 6? 24 ?? | C6 44 24 ?? 00 ) 48 89 44 24 ?? 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) C7 44 24 ?? 0? 00 00 00 2B ?8 48 89 ?C 24 ?? 44 89 6? 24 ?? 83 C? 08 89 ?C 24 ?? ( FF | 41 FF ) D? ( 05 | 8D 88 ) 00 00 00 3A }
    condition:
        all of them
}