YARA rules for Sandworm Team
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// BlackEnergy kernel-driver component that carries the version string "USB MDM Driver".
// Scope: MZ-headed files under 180KB that contain all three strings below.
rule BlackEnergy_Driver_USBMDM {
meta:
description = "Black Energy Driver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
// super_rule = 1: the strings were selected as common to the whole sample set listed
// in hash1..hash8 (yarGen convention), not to a single file
super_rule = 1
hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"
id = "d5e8faf0-38cb-5193-b859-83ea09278011"
strings:
// The discriminating string: the driver's self-declared (UTF-16) description.
$s1 = "USB MDM Driver" fullword wide
// $s2/$s3 are kernel exports seen in plenty of legitimate drivers (see the counts);
// they only narrow the match to driver-like binaries and are not indicative alone.
$s2 = "KdDebuggerNotPresent" fullword ascii /* Goodware String - occured 50 times */
$s3 = "KdDebuggerEnabled" fullword ascii /* Goodware String - occured 69 times */
condition:
// 0x5a4d == "MZ" DOS header; size cap keeps the rule off large benign driver packages
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
// BlackEnergy kernel-driver component posing as an " AMD IDE driver".
// Scope: MZ-headed files under 150KB that contain all four strings below.
rule BlackEnergy_Driver_AMDIDE {
meta:
description = "Black Energy Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
// super_rule = 1: strings common to the sample set in hash1..hash7 (yarGen convention)
super_rule = 1
hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
id = "e5b57c33-87f7-5411-995c-384e0afa0348"
strings:
// Note the leading space in the driver description; it is part of the literal.
$s1 = " AMD IDE driver" fullword wide
$s2 = "SessionEnv" fullword wide
// $s3/$s4 are deliberately truncated device-name prefixes (no closing brace, no
// fullword), so the tail of the GUID may vary between samples.
$s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
$s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
condition:
// 0x5a4d == "MZ" DOS header
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
// GRIZZLY STEPPE "IMPLANT 4" (BlackEnergy) — code fragment that builds an import
// name on the stack byte by byte. Either string alone is enough to match.
rule IMPLANT_4_v1 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "be4d222f-009f-5dde-93da-376626a77263"
strings:
// $STR1: function prologue followed by single-byte stores (C6 45 xx) of
// 'a','d','v','a','p','i','3','2','.' — "advapi32." assembled on the stack.
// $STR2: four dword stores of 0x5A ('Z') and 0x46 ('F') to locals.
// Both strings are declared on the same physical line below; that is valid YARA.
$STR1 = {55 8B EC 81 EC 54 01 00 00 83 65 D4 00 C6 45 D8 61 C6 45 D9 64
C6 45 DA 76 C6 45 DB 61 C6 45 DC 70 C6 45 DD 69 C6 45 DE 33 C6 45 DF
32 C6 45 E0 2EE9 ?? ?? ?? ??} $STR2 = {C7 45 EC 5A 00 00 00 C7 45 E0
46 00 00 00 C7 45 E8 5A 00 00 00 C7 45 E4 46 00 00 00}
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ" (PE), D0 CF (OLE2 compound
// document), D4 C3 (appears to be a libpcap capture header), "%PDF", or "{\rtf".
(uint16(0)== 0x5A4D or uint16(0) == 0xCFD0 or uint16(0)== 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 1 of them
}
// GRIZZLY STEPPE "IMPLANT 4" (BlackEnergy) — stack-built DLL names plus a constant.
// All three strings are required.
rule IMPLANT_4_v2 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "2edaeb08-19bc-5ab4-bc75-40c16ba85d9f"
strings:
// "user" ?? ?? ?? "32.d" — two dword fragments of "user32.dll" separated by three
// wildcard bytes (the store instruction between them).
$BUILD_USER32 = {75 73 65 72 ?? ?? ?? 33 32 2E 64}
// "adva" ?? ?? ?? "pi32" — same construction for "advapi32".
$BUILD_ADVAPI32 = {61 64 76 61 ?? ?? ?? 70 69 33 32}
// 4-byte constant from the implant; its meaning is not documented in the source report.
$CONSTANT = {26 80 AC C8}
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf".
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
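// GRIZZLY STEPPE "IMPLANT 4" (BlackEnergy) — matches on the fake version-information
// resources the implant's droppers/drivers carry. Two independent paths:
//   (1) any of the short $a product/description strings AND a zeroed PE TimeDateStamp;
//   (2) any of the full VS_VERSIONINFO blobs $b1..$b6 located inside the raw data of
//       the image's last section.
// Fix applied here: $b6 was one byte short of its own declared wLength (0x02D4 = 724);
// the missing 0x6C ('l') in "StringFileInfo" (which every other $b blob carries) has
// been restored. As published, $b6 could not match a well-formed version block.
rule IMPLANT_4_v3 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
// NOTE(review): no `id` meta here, unlike the sibling IMPLANT_4 rules.
strings:
// Version-info description/product strings observed in the samples (UTF-16, case-insensitive).
$a1 = "Adobe Flash Player Installer" wide nocase
$a3 = "regedt32.exe" wide nocase
$a4 = "WindowsSysUtility" wide nocase
$a6 = "USB MDM Driver" wide nocase
// $b1: VS_VERSIONINFO (wLength 0x0500) — "Microsoft Corporation" / "USB MDM Driver" /
// "usbmdm.sys" / 5.1.2600.5512; two string tables (001504b0 and 040904b0).
$b1 = {00 05 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00
4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00
00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 3F 00 00 00
00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 5C 04 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00
6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 1C 02 00 00 01 00 30 00 30
00 31 00 35 00 30 00 34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00
00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00
6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 46
00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00
69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 55 00 53 00 42 00 20
00 4D 00 44 00 4D 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 00 00
00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73
00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00
30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 4A 00 13 00 01 00 4C
00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00
68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74
00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00
3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46
00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00
6D 00 64 00 6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01
00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00
00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20
00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00
72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65
00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00
63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E
00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00
00 00 1C 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 62 00 30
00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00
4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73
00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00
74 00 69 00 6F 00 6E 00 00 00 46 00 0F 00 01 00 46 00 69 00 6C 00 65
00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00
00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 00 72
00 69 00 76 00 65 00 72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00
6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35
00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00
32 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F
00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00
79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32
00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00
67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D
00 65 00 00 00 75 00 73 00 62 00 6D 00 64 00 6D 00 2E 00 73 00 79 00
73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63
00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00
6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77
00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00
20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01
00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00
69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30
00 2E 00 35 00 35 00 31 00 32 00 00 00 48 00 00 00 01 00 56 00 61 00
72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 28
00 08 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00
6F 00 6E 00 00 00 00 00 15 00 B0 04 09 04 B0 04}
// $b2: VS_VERSIONINFO (wLength 0x0334) — "Solid State Networks" /
// "Adobe Flash Player Installer" / "host.exe" / 3.3.2.4; the blob runs 4 bytes past
// the declared length, ending in "FE2X".
$b2 = {34 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00
4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00
00 01 00 03 00 03 00 04 00 02 00 03 00 03 00 04 00 02 00 3F 00 00 00
00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 94 02 00 00 00 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00
6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 70 02 00 00 00 00 30 00 34
00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4A 00 15 00 01 00 43 00
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00
00 53 00 6F 00 6C 00 69 00 64 00 20 00 53 00 74 00 61 00 74 00 65 00
20 00 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 73 00 00 00 00 00 62
00 1D 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00
69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 41 00 64 00 6F 00 62
00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00 6C 00 61 00
79 00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65
00 72 00 00 00 00 00 30 00 08 00 01 00 46 00 69 00 6C 00 65 00 56 00
65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 33 00 2E 00 33 00 2E
00 32 00 2E 00 34 00 00 00 32 00 09 00 01 00 49 00 6E 00 74 00 65 00
72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 73
00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 76 00 29 00 01 00 4C 00
65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68
00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00
20 00 28 00 43 00 29 00 20 00 41 00 64 00 6F 00 62 00 65 00 20 00 53
00 79 00 73 00 74 00 65 00 6D 00 73 00 20 00 49 00 6E 00 63 00 6F 00
72 00 70 00 6F 00 72 00 61 00 74 00 65 00 64 00 00 00 00 00 3A 00 09
00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00
6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 73 00 74 00 2E
00 65 00 78 00 65 00 00 00 00 00 5A 00 1D 00 01 00 50 00 72 00 6F 00
64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 41 00 64
00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00
6C 00 61 00 79 00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C
00 6C 00 65 00 72 00 00 00 00 00 34 00 08 00 01 00 50 00 72 00 6F 00
64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00
00 33 00 2E 00 33 00 2E 00 32 00 2E 00 34 00 00 00 44 00 00 00 00 00
56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00
00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00
74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04 46 45 32 58}
// $b3: VS_VERSIONINFO (wLength 0x02C8) — "Microsoft Corporation" / "IDE Port Driver" /
// 5.1.2600.5512 (xpsp.080413-0852).
$b3 = {C8 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00
4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00
00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 17 00 00 00
00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 28 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00
6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 04 02 00 00 01 00 30 00 34
00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00
00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00
6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 48
00 10 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00
69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 49 00 44 00 45 00 20
00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00
00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73
00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00
30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00 28 00 78 00 70 00 73
00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33 00 2D 00 30 00 38 00
35 00 32 00 29 00 00 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61
00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00
43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43
00 29 00 20 00 32 00 30 00 30 00 39 00 00 00 00 00 66 00 23 00 01 00
50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00
00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00
57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72
00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00
6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63
00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00
31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00
00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00
6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E
00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04 }
// $b4: VS_VERSIONINFO (wLength 0x039C) — "Microsoft Corporation" /
// "Registry Editor Utility" / "regedt32.exe" / 6.1.7600.16385 (win7_rtm.090713-1255).
$b4 = {9C 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00
4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00
00 01 00 01 00 06 00 01 40 B0 1D 01 00 06 00 01 40 B0 1D 3F 00 00 00
00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 FA 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00
6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 D6 02 00 00 01 00 30 00 34
00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00
00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00
6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 58
00 18 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00
69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 52 00 65 00 67 00 69
00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6F 00 72 00
20 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 00 00 6C 00 26 00 01
00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00
00 00 00 00 36 00 2E 00 31 00 2E 00 37 00 36 00 30 00 30 00 2E 00 31
00 36 00 33 00 38 00 35 00 20 00 28 00 77 00 69 00 6E 00 37 00 5F 00
72 00 74 00 6D 00 2E 00 30 00 39 00 30 00 37 00 31 00 33 00 2D 00 31
00 32 00 35 00 35 00 29 00 00 00 3A 00 0D 00 01 00 49 00 6E 00 74 00
65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 72 00 65
00 67 00 65 00 64 00 74 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00
00 00 80 00 2E 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00
63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70
00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00
6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73
00 65 00 72 00 76 00 65 00 64 00 2E 00 00 00 42 00 0D 00 01 00 4F 00
72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E
00 61 00 6D 00 65 00 00 00 72 00 65 00 67 00 65 00 64 00 74 00 33 00
32 00 2E 00 65 00 78 00 65 00 00 00 00 00 6A 00 25 00 01 00 50 00 72
00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00
4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 AE 00 20 00 57
00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F 00 70 00 65 00
72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65
00 6D 00 00 00 00 00 42 00 0F 00 01 00 50 00 72 00 6F 00 64 00 75 00
63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 36 00 2E
00 31 00 2E 00 37 00 36 00 30 00 30 00 2E 00 31 00 36 00 33 00 38 00
35 00 00 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C
00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00
72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00
00 09 04 B0 04}
// $b5: VS_VERSIONINFO (wLength 0x0378) — "Microsoft Corporation" / "Windows®SysUtility" /
// "msiexec" / 5.0.7601.17514 (win7sp1_rtm.101119-1850).
$b5 = {78 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00
4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00
00 01 00 00 00 05 00 6A 44 B1 1D 00 00 05 00 6A 44 B1 1D 3F 00 00 00
00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 D6 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00
6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 B2 02 00 00 01 00 30 00 34
00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00
00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00
6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 4E
00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00
69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 64
00 6F 00 77 00 73 00 AE 00 53 00 79 00 73 00 55 00 74 00 69 00 6C 00
69 00 74 00 79 00 00 00 00 00 72 00 29 00 01 00 46 00 69 00 6C 00 65
00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00
30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34
00 20 00 28 00 77 00 69 00 6E 00 37 00 73 00 70 00 31 00 5F 00 72 00
74 00 6D 00 2E 00 31 00 30 00 31 00 31 00 31 00 39 00 2D 00 31 00 38
00 35 00 30 00 29 00 00 00 00 00 30 00 08 00 01 00 49 00 6E 00 74 00
65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 6D 00 73
00 69 00 65 00 78 00 65 00 63 00 00 00 80 00 2E 00 01 00 4C 00 65 00
67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74
00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00
74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F
00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00
74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2E
00 00 00 40 00 0C 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00
6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 6D 00 73
00 69 00 65 00 78 00 65 00 63 00 2E 00 65 00 78 00 65 00 00 00 58 00
1C 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D
00 65 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 53 00
79 00 73 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 20 00 2D 00 20
00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 00 00 42 00 0F 00 01 00
50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69
00 6F 00 6E 00 00 00 35 00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00
2E 00 31 00 37 00 35 00 31 00 34 00 00 00 00 00 44 00 00 00 01 00 56
00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00
00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74
00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04}
// $b6: VS_VERSIONINFO (wLength 0x02D4) — "Microsoft Corporation" / "Serial Port Driver" /
// 5.1.2600.5512 (xpsp.080413-0852). The 0x6C at the start of the sixth line is the
// restored byte (see rule header); with it the blob is exactly 724 bytes.
$b6 = {D4 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00
4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00
00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 17 00 00 00
00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 34 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00
6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 10 02 00 00 01 00 30 00 34 00
30 00 39 00 30 00 34 00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F
00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00
4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F
00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 4E 00
13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69
00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 53 00 65 00 72 00 69 00
61 00 6C 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69 00 76
00 65 00 72 00 00 00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00
56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31
00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00
28 00 78 00 70 00 73 00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33
00 2D 00 30 00 38 00 35 00 32 00 29 00 00 00 00 00 4A 00 13 00 01 00
4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67
00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00
74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 00 34 00 00 00 00
00 6A 00 25 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00
61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00
AE 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20
00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00
50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69
00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00
2E 00 35 00 35 00 31 00 32 00 00 00 44 00 00 00 01 00 56 00 61 00 72
00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00
04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F
00 6E 00 00 00 00 00 09 04 E4 04}
condition:
// "MZ" at 0 and "PE\0\0" at e_lfanew (uint32(0x3C)).
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and
// Path 1: a known fake product string plus a zeroed COFF TimeDateStamp (e_lfanew+8).
(((any of ($a*)) and (uint32(uint32(0x3C)+8) == 0x00000000)) or
// Path 2: a $b blob must sit inside the raw data of the LAST section.
//   e_lfanew+6      NumberOfSections
//   e_lfanew+248    first section header (4 sig + 20 file hdr + 224 PE32 optional hdr)
//   +40*(n-1)       last section header; +20 PointerToRawData, +16 SizeOfRawData
// NOTE(review): 248 hard-codes the PE32 optional-header size; on a PE32+ image
// (240-byte optional header) these reads are misaligned. Using
// uint16(uint32(0x3C)+20) (SizeOfOptionalHeader) instead of the constant 224 would
// generalize this, but it is left as published to keep behaviour unchanged.
(for any of ($b*): ($ in (uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+20))..(uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+20))+uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+16)))))))
}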
// GRIZZLY STEPPE "IMPLANT 4" — the disk-wiping component (KillDisk-style strings):
// format-command templates, raw physical-drive access and a forced reboot. All four
// $DK strings are required, which keeps this rule specific.
rule IMPLANT_4_v4 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "27a5fb98-fe8b-561c-b490-e04257e7dd1c"
strings:
// cmd.exe argument templates; %c is filled with a drive letter at runtime.
$DK_format1 = "/c format %c: /Y /Q" ascii
$DK_format2 = "/c format %c: /Y /X /FS:NTFS" ascii
// Declared wide only — a narrow-string variant would not match this string.
$DK_physicaldrive = "PhysicalDrive%d" wide
// No modifier → defaults to ascii.
$DK_shutdown = "shutdown /r /t %d"
condition:
// "MZ" header and every $DK string
uint16(0) == 0x5A4D and all of ($DK*)
}
// GRIZZLY STEPPE "IMPLANT 4" — an 8-byte hashing loop body used for API-name hashing.
// Decodes as: movsx ecx, cl / rol eax, 7 / xor eax, ecx. Short generic patterns like
// this can appear in unrelated code, hence the gate on document/PE headers.
rule IMPLANT_4_v5 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "d203f3c6-4e86-5632-ad5d-61763ee59bbe"
strings:
$GEN_HASH = {0F BE C9 C1 C0 07 33 C1}
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf". "all of them" here is the single pattern.
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or
uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or
uint32(1) == 0x6674725C) and all of them
}
// GRIZZLY STEPPE "IMPLANT 4" — the two export names used by BlackEnergy plugin DLLs.
// Both must be present. These are plain identifiers and may occur in unrelated
// software; treat hits as a triage lead rather than a conviction.
rule IMPLANT_4_v6 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
// NOTE(review): no `id` meta here, unlike the sibling IMPLANT_4 rules.
strings:
$STR1 = "DispatchCommand" wide ascii
$STR2 = "DispatchEvent" wide ascii
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf".
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
// GRIZZLY STEPPE "IMPLANT 4" — DLL names assembled on the stack with `mov dword
// [ebp+disp], imm32` (C7 xx ...); the [1-5] jumps cover the ModRM/displacement bytes.
// Each $sb spells one library in 4-byte chunks; three distinct libraries are required.
rule IMPLANT_4_v7 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "a0dda12a-22b6-53e6-9528-8c178ad871ad"
strings:
$sb1 = {C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C}       // "32.d" "ws2_" "ll"   → ws2_32.dll
$sb2 = {C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C}       // "user" "32.d" "ll"   → user32.dll
$sb3 = {C7 [1-5] 61 64 76 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C}    // "adva" "pi32" ".dll" → advapi32.dll
$sb4 = {C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C}       // "wini" "net." "dll"  → wininet.dll
$sb5 = {C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C}       // "shel" "l32." "dll"  → shell32.dll
$sb6 = {C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C}          // "psap" "i.dl" "l"    → psapi.dll
$sb7 = {C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C}    // "neta" "pi32" ".dll" → netapi32.dll
$sb8 = {C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C}       // "vers" "ion." "dll"  → version.dll
$sb9 = {C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C}    // "olea" "ut32" ".dll" → oleaut32.dll
$sb10 = {C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C}   // "imag" "ehlp" ".dll" → imagehlp.dll
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf".
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 3 of them
}
// GRIZZLY STEPPE "IMPLANT 4" — three code fragments from the implant's loader plus
// an entry-point stub. Requires the YARA `pe` module (`import "pe"` at file scope,
// not shown on this page) because of `pe.entry_point` in the condition.
rule IMPLANT_4_v8 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "1e82d105-8dda-55c9-aec0-8f9f02c3a94e"
strings:
// $f1: calls through a function table held in edi (FF 57 xx) while building a path
// buffer on the stack (66 C7 04 03 5C 20 stores "\ " into it) — presumably a file
// create/write sequence; verify against the report before relying on that reading.
$f1 = {5E 81 EC 04 01 00 00 8B D4 68 04 01 00 00 52 6A 00 FF 57 1C 8B D4
33 C9 03 D0 4A 41 3B C8 74 05 80 3A 5C 75 F5 42 81 EC 04 01 00 00 8B
DC 52 51 53 68 04 01 00 00 FF 57 20 59 5A 66 C7 04 03 5C 20 56 57 8D
3C 03 8B F2 F3 A4 C6 07 00 5F 5E 33 C0 50 68 80 00 00 00 6A 02 50 50
68 00 00 00 40 53 FF 57 14 53 8B 4F 4C 8B D6 33 DB 30 1A 42 43 3B D9
7C F8 5B 83 EC 04 8B D4 50 6A 00 52 FF 77 4C 8B D6 52 50 FF 57 24 FF
57 18}
// $f2: reads e_lfanew (8B 4D 08 03 48 3C = add ecx,[eax+0x3C]) — PE header parsing.
$f2 = {5E 83 EC 1C 8B 45 08 8B 4D 08 03 48 3C 89 4D E4 89 75 EC 8B 45 08
2B 45 10 89 45 E8 33 C0 89 45 F4 8B 55 0C 3B 55 F4 0F 86 98 00 00 00
8B 45 EC 8B 4D F4 03 48 04 89 4D F4 8B 55 EC 8B 42 04 83 E8 08 D1 E8
89 45 F8 8B 4D EC 83 C1 08 89 4D FC}
// $f3: scans backwards in 0x10000 steps (2D 00 00 01 00 = sub eax,0x10000) comparing
// for 'MZ' (66 81 FB 4D 5A) and 'PE' (66 81 FB 50 45), then pushes "shell32"
// (68 6C 33 32 00 / 68 73 68 65 6C) — a module-base lookup followed by a library load.
$f3 = {5F 8B DF 83 C3 60 2B 5F 54 89 5C 24 20 8B 44 24 24 25 00 00 FF FF
66 8B 18 66 81 FB 4D 5A 74 07 2D 00 00 01 00 EB EF 8B 48 3C 03 C8 66
8B 19 66 81 FB 50 45 75 E0 8B E8 8B F7 83 EC 60 8B FC B9 60 00 00 00
F3 A4 83 EF 60 6A 0D 59 E8 88 00 00 00 E2 F9 68 6C 33 32 00 68 73 68
65 6C 54 FF 57}
// $a1: sub esp,4 / pushad / jmp rel32 — the stub expected exactly at the entry point.
$a1 = {83 EC 04 60 E9 1E 01 00 00}
condition:
// No header gate: pe.entry_point is undefined (→ false) on non-PE input, but the
// `any of ($f*)` branch is evaluated on any file type.
$a1 at pe.entry_point or any of ($f*)
}
// GRIZZLY STEPPE "IMPLANT 4" — wiper/anti-forensics traits: event-log clearing and
// shadow-copy deletion command strings, two mutex/event names, and a code pair that
// opens a physical disk and overwrites it with zeros.
rule IMPLANT_4_v9 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "a404212a-d9ef-54c1-bbf8-a213ec094f18"
strings:
// $a and $b are only evaluated together (see condition); either alone is common in
// admin tooling.
$a = "wevtutil clear-log" ascii wide nocase
$b = "vssadmin delete shadows" ascii wide nocase
// NOTE(review): $c carries a leading 'A' before "Global\\" as published; a hit on $c
// alone satisfies the rule, so confirm the literal against the source report.
$c = "AGlobal\\23d1a259-88fa-41df-935f-cae523bab8e6" ascii wide nocase
$d = "Global\\07fd3ab3-0724-4cfd-8cc2-60c0e450bb9a" ascii wide nocase //$e = {57 55 33 c9 51 8b c3 99 57 52 50}
// Loop over drive numbers (81 FB 00 01 00 00 = cmp ebx,0x100) with a zeroed 8-byte
// local pushed to an indirect call; the ?? bytes are relocated call targets.
$openPhysicalDiskOverwriteWithZeros = { 57 55 33 C9 51 8B C3 99 57 52
50 E8 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 83 C4 10 84 C0 75 21 33 C0 89
44 24 10 89 44 24 14 6A 01 8B C7 99 8D 4C 24 14 51 52 50 56 FF 15 ??
?? ?? ?? 85 C0 74 0B 83 C3 01 81 FB 00 01 00 00 7C B6 }
// Argument setup ending in push 0xC0000000 (GENERIC_READ|GENERIC_WRITE) — the
// open-for-writing call that precedes the overwrite.
$f = {83 c4 0c 53 53 6a 03 53 6a 03 68 00 00 00 c0}
condition:
// No file-type gate in this rule.
($a and $b) or $c or $d or ($openPhysicalDiskOverwriteWithZeros and $f)
}
// GRIZZLY STEPPE "IMPLANT 4" — twenty anonymous 4-byte constants (presumably hashed
// API names or similar lookup values; the report does not say). Anonymous `$` strings
// can only be referenced collectively, hence the "15 of them" threshold.
rule IMPLANT_4_v10 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "75c266ca-a27f-5ffe-a438-c35bbacfa70c"
strings:
// Hex strings without separating spaces are valid YARA.
$ ={A1B05C72}
$ ={EB3D0384}
$ ={6F45594E}
$ ={71815A4E}
$ ={D5B03E72}
$ ={6B43594E}
$ ={F572993D}
$ ={665D9DC0}
$ ={0BE7A75A}
$ ={F37443C5}
$ ={A2A474BB}
$ ={97DEEC67}
$ ={7E0CB078}
$ ={9C9678BF}
$ ={4A37A149}
$ ={8667416B}
$ ={0A375BA4}
$ ={DC505A8D}
$ ={02F1F808}
$ ={2C819712}
condition:
// "MZ" at 0 and "PE" at e_lfanew, then at least 15 of the 20 constants.
uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 and 15 of them
}
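// GRIZZLY STEPPE "IMPLANT 4" — wiper component: the NTFS format template, the
// extension target lists it iterates, and its temp-file naming format. Any two of
// the five strings suffice.
// Fix applied here: the third extension list was published with a stray space
// ("cf g"), which looks like a line-wrap artifact from the source document; it is
// restored to ".cfg", matching the adjacent list that also contains ".ini.cfg.boot".
rule IMPLANT_4_v11 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "e5fb0843-20f7-56a0-8eea-0db7cef7f610"
strings:
// Same format template as IMPLANT_4_v4's $DK_format2 (no modifier → ascii).
$ = "/c format %c: /Y /X /FS:NTFS"
// Extension lists are concatenated without separators, so a match requires the exact order.
$ = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
$ = ".dll.exe.xml.ttf.nfo.fon.ini.cfg.boot.jar" wide
$ = ".crt.bin.exe.db.dbf.pdf.djvu.doc.docx.xls.xlsx.jar.ppt.pptx.tib.vhd.iso.lib.mdb.accdb.sql.mdf.xml.rtf.ini.cfg.boot.txt.rar.msi.zip.jpg.bmp.jpeg.tiff" wide
$tempfilename = "%ls_%ls_%ls_%d.~tmp" ascii wide
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf".
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them
}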
// GRIZZLY STEPPE "IMPLANT 4" — kernel-mode component: a page-stepping search for an
// 'MZ' header (module-base lookup) combined with an I/O-port write and a reference
// to HAL.dll. One of each CMP/SUB variant plus $OUT and $HAL are required.
rule IMPLANT_4_v12 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
// NOTE(review): this id is identical to IMPLANT_4_v1's; rule ids are meant to be
// unique per rule, so one of the two should be reassigned by the rule maintainer.
id = "be4d222f-009f-5dde-93da-376626a77263"
strings:
// cmp/sub r/m32 with imm32 0x5A4D ('MZ'); ?? is the ModRM byte.
$CMP1 = {81 ?? 4D 5A 00 00 }
// op r/m32, 0x1000 — one page at a time.
$SUB1 = {81 ?? 00 10 00 00}
// cmp word [eax], 'MZ'
$CMP2 = {66 81 38 4D 5A}
// sub eax, 0x1000
$SUB2 = {2D 00 10 00 00}
$HAL = "HAL.dll"
// out 0x64, al (keyboard-controller command port) followed by a backward jmp rel32.
$OUT = {E6 64 E9 ?? ?? FF FF}
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf".
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and ($CMP1 or $CMP2)
and ($SUB1 or $SUB2) and $OUT and $HAL
}
// GRIZZLY STEPPE "IMPLANT 4" — plugin DLL traits: MSXML DOM COM identifiers, the
// XML-parsing call sequence, the two plugin export names and a section-walking
// routine. All six strings are required.
rule IMPLANT_4_v13 {
meta:
description = "BlackEnergy / Voodoo Bear Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "e96a7d9f-1840-542f-9a9b-95e74377f234"
strings:
// Little-endian GUID bytes: {2933BF81-7B36-11D2-B20E-00C04F983E60} and
// {2933BF90-7B36-11D2-B20E-00C04F983E60} — the MSXML IXMLDOMDocument interface and
// DOMDocument class identifiers (per the string names; these are well-known MSXML GUIDs).
$XMLDOM1 = {81 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}
$XMLDOM2 = {90 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}
// Two vtable calls (FF 91 04 01 00 00 = call [ecx+0x104]; FF 51 30 = call [ecx+0x30])
// on the same object with a test of the HRESULT (85 C0 / 78 ??) in between.
$XMLPARSE = {8B 06 [0-2] 8D 55 ?C 52 FF 75 08 [0-2] 50 FF 91 04 01 00 00
66 83 7D ?C FF 75 3? 8B 06 [0-2] 8D 55 F? 52 50 [0-2] FF 51 30 85 C0
78 2?}
// No modifier → ascii only here (IMPLANT_4_v6 declares the same names wide ascii).
$EXP1 = "DispatchCommand"
$EXP2 = "DispatchEvent"
// movzx from offset 6 (NumberOfSections) and add 0x28 (section-header size) — looks
// like a loop over section headers; returns with ret 8 (C2 08 00).
$BDATA = {85 C0 74 1? 0F B7 4? 06 83 C? 28 [0-6] 72 ?? 33 C0 5F 5E 5B 5D
C2 08 00 8B 4? 0? 8B 4? 0? 89 01 8B 4? 0C 03 [0-2] EB E?}
condition:
// File-type gate shared by the IMPLANT_4 family: "MZ", D0 CF (OLE2), D4 C3
// (appears to be libpcap), "%PDF", "{\rtf".
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
// BlackEnergy 3 installer: one long, fixed-offset version of the stack-built import
// name construction that IMPLANT_4_v7 matches with wildcards. The opcodes are
// `mov dword [ebp+disp8], imm32` (C7 45 xx), `mov dword [ebp+disp32], imm32`
// (C7 85 xx xx xx xx) and `mov [ebp+disp], bl` (88 5D xx / 88 9D ...) for the NUL
// terminator. The 4-byte immediates spell, in order: user32.dll, advapi32.dll,
// wininet.dll, ws2_32.dll, shell32.dll, psapi.dll, netapi32.dll, oleaut32.dll,
// ole32.dll, version.dll, imagehlp.dll, apphelp.dll and a trailing ".dll".
// No header gate; the pattern is long enough to be specific on its own.
rule blackenergy3_installer
{
meta:
author = "Mike Schladt"
date = "2015-05-29"
description = "Matches unique code block for import name construction "
md5 = "78387651DD9608FCDF6BFB9DF8B84DB4"
sha1 = "78636F7BBD52EA80D79B4E2A7882403092BBB02D"
reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
id = "4afeb7ac-ce8d-506c-9c97-db7ec6102490"
strings:
$import_names = { C7 45 D0 75 73 65 72 C7 45 D4 33 32 2E 64 66 C7 45 D8 6C 6C 88 5D DA C7 45 84 61 64 76 61 C7 45 88 70 69 33 32 C7 45 8C 2E 64 6C 6C 88 5D 90 C7 45 B8 77 69 6E 69 C7 45 BC 6E 65 74 2E C7 45 C0 64 6C 6C 00 C7 45 C4 77 73 32 5F C7 45 C8 33 32 2E 64 66 C7 45 CC 6C 6C 88 5D CE C7 45 94 73 68 65 6C C7 45 98 6C 33 32 2E C7 45 9C 64 6C 6C 00 C7 45 E8 70 73 61 70 C7 45 EC 69 2E 64 6C 66 C7 45 F0 6C 00 C7 85 74 FF FF FF 6E 65 74 61 C7 85 78 FF FF FF 70 69 33 32 C7 85 7C FF FF FF 2E 64 6C 6C 88 5D 80 C7 85 64 FF FF FF 6F 6C 65 61 C7 85 68 FF FF FF 75 74 33 32 C7 85 6C FF FF FF 2E 64 6C 6C 88 9D 70 FF FF FF C7 45 DC 6F 6C 65 33 C7 45 E0 32 2E 64 6C 66 C7 45 E4 6C 00 C7 45 A0 76 65 72 73 C7 45 A4 69 6F 6E 2E C7 45 A8 64 6C 6C 00 C7 85 54 FF FF FF 69 6D 61 67 C7 85 58 FF FF FF 65 68 6C 70 C7 85 5C FF FF FF 2E 64 6C 6C 88 9D 60 FF FF FF C7 45 AC 61 70 70 68 C7 45 B0 65 6C 70 2E C7 45 B4 64 6C 6C 00 C7 45 F4 2E 64 6C 6C 88 5D F8 }
condition :
// Single string, so "any of them" means this exact sequence.
any of them
}
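// Flame 2.0 orchestrator: matches when any PE resource hashes (MD5) to one of the
// known encrypted-resource blobs. Requires the YARA `pe` and `hash` modules
// (`import "pe"` / `import "hash"` at file scope, not shown on this page).
// On non-PE input pe.number_of_resources is undefined and the rule evaluates false,
// so no explicit "MZ" gate is needed.
// Change from the published rule: four MD5 values were listed twice
// (4849cc43…, dfed2c71…, 9119aa70…, b69d168e…); the duplicates are dropped, which
// leaves the match set unchanged. The meta key is `desc` rather than the
// `description` used elsewhere on this page; left as-is so tooling keyed on it
// keeps working.
rule FLAME2_Orchestrator {
meta:
desc = "Encrypted resources in Flame2.0 Orchestrators"
author = "turla @ Uppercase"
hash1 = "15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1"
hash2 = "426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82"
hash3 = "af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4"
reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
condition:
// One MD5 per resource, compared against the twelve distinct known values.
for any i in (0..pe.number_of_resources-1):
((hash.md5(pe.resources[i].offset,pe.resources[i].length) == "53b19d9863d8ff8cde8e4358d1b57c04") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "62bfe21a8eb76fd07e22326c0073fef5") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "1933a1e254b1657a6a2eb8ad1fbe6fa3") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "17c794f7056349cb82889b5e5b030d15") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "e15187f79b6916cb6763d29d215623c1") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "923963bb24f2e2ceac9f9759071dba88") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9a2766aba7f2a56ef1ab24cf171ee0ed") or
(hash.md5(pe.resources[i].offset,pe.resources[i].length) == "ebe15bfb5a3944ea4952ddf0f73aa6e8"))
}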
// DarkComet keylogger output file (not a binary): a text log that starts with "::"
// and repeats "\n:: <Window title>" entries and "(H:MM:SS AM/PM)" timestamps.
// Both regexes must hit more than ten times, which rules out short coincidental logs.
rule DarkComet_Keylogger_File {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Looks like a keylogger file created by DarkComet Malware"
date = "25.07.14"
score = 50
id = "65058450-3ae3-5b85-bcc5-8bc1fab14614"
strings:
// A line beginning with ":: " followed by a capital letter.
$entry = /\n:: [A-Z]/
// "(h:mm:ss AM)" / "(hh:mm:ss PM)"
$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
condition:
// 0x3A3A == "::" at offset 0; #name is YARA's match count for that string.
uint16(0) == 0x3A3A and #entry > 10 and #timestamp > 10
}
// DarkComet RAT binaries. Two string families cover the version split: all four $a
// strings (2.x) or all five $b strings (3.x–5.x). No header gate or size cap.
rule RAT_DarkComet
{
meta:
author = "Kevin Breen <kevin@techanarchy.net>"
date = "01.04.2014"
description = "Detects DarkComet RAT"
reference = "http://malwareconfig.com/stats/DarkComet"
maltype = "Remote Access Trojan"
filetype = "exe"
id = "e6fd0269-dd0c-58c0-a1a3-24c2aed916ee"
strings:
// Versions 2x
// Bot command keyword and a status message (ascii, default modifier).
$a1 = "#BOT#URLUpdate"
$a2 = "Command successfully executed!"
// Config-field names stored as UTF-16.
$a3 = "MUTEXNAME" wide
$a4 = "NETDATA" wide
// Versions 3x & 4x & 5x
// $b1 is the Delphi memory manager banner — common to many Delphi programs, so it only
// counts in combination with the DarkComet-specific $b2..$b5.
$b1 = "FastMM Borland Edition"
$b2 = "%s, ClassID: %s"
$b3 = "I wasn't able to open the hosts file"
$b4 = "#BOT#VisitUrl"
$b5 = "#KCMDDC"
condition:
all of ($a*) or all of ($b*)
}
rule ProjectM_DarkComet_1 {
    meta:
        description = "Detects ProjectM Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
        date = "2016-03-26"
        modified = "2023-01-27"
        hash = "cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157"
        id = "6de74d73-f9b2-5e7f-b15e-f850425d849c"
    strings:
        // Strong indicator
        $x1 = "DarkO\\_2" fullword ascii
        // Supporting strings, individually weak
        $a1 = "AVICAP32.DLL" fullword ascii
        $a2 = "IDispatch4" fullword ascii
        $a3 = "FLOOD/" fullword ascii
        $a4 = "T<-/HTTP://" ascii
        $a5 = "infoes" fullword ascii
    condition:
        // All six strings match regardless of file type; otherwise require an
        // MZ header, a size cap and any four of the six.
        all of them or ( uint16(0) == 0x5a4d and filesize < 600KB and 4 of them )
}
rule OlympicDestroyer_Gen2 {
    meta:
        description = "Detects Olympic Destroyer malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
        date = "2018-02-12"
        hash1 = "d934cb8d0eadb93f8a57a9b8853c5db218d5db78c16a35f374e413884d915016"
        hash2 = "3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2"
        hash3 = "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"
        hash4 = "28858cc6e05225f7d156d1c6a21ed11188777fa0a752cb7b56038d79a88627cc"
        id = "8d0cbb7b-6650-53ed-8d58-176f8b4af880"
    strings:
        // Strong indicators: embedded cmd.exe one-liners and a hard-coded domain\account
        $x1 = "cmd.exe /c (ping 0.0.0.0 > nul) && if exist %programdata%\\evtchk.txt" fullword wide
        $x2 = "cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^(\"Scripting.FileSystemObject\"^)" wide
        $x3 = "del %programdata%\\evtchk.txt" fullword wide
        $x4 = "Pyeongchang2018.com\\svc_all_swd_installc" fullword ascii
        // Supporting strings: credential marker, LDAP-style query, PsExec-style argument format
        $s1 = "<STARTCRED>" fullword wide
        $s2 = "SELECT ds_cn FROM ds_computer" fullword wide
        $s3 = "\\system32\\notepad.exe" wide
        $s4 = "%s \\\\%s -u \"%s\" -p \"%s\" -accepteula -d %s %s \"%s\"" fullword ascii
    condition:
        // MZ header and size cap, then any one of: a strong string, three strings
        // of any kind, or one of the known import hashes (needs the "pe" module).
        uint16(0) == 0x5a4d and filesize < 5000KB and (
            1 of ($x*) or
            3 of them or
            pe.imphash() == "fd7200dcd5c0d9d4d277a26d951210aa" or
            pe.imphash() == "975087e9286238a80895b195efb3968d" or
            pe.imphash() == "da1c2d7acfe54df797bfb1f470257bc3"
        )
}
rule NotPetya_Ransomware_Jun17 {
    meta:
        description = "Detects new NotPetya Ransomware variant from June 2017"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/h6iaGj"
        date = "2017-06-27"
        hash1 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
        hash2 = "45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0"
        hash3 = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
        id = "8805f971-0680-534d-9955-65dc4ecc934a"
    strings:
        // Ransom note text
        $x1 = "Ooops, your important files are encrypted." fullword wide ascii
        // Command lines that launch the payload DLL through rundll32 export #1
        // ("process call create" is WMIC syntax; "-d" is PsExec-style)
        $x2 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 " fullword wide
        $x3 = "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 " fullword wide
        $x4 = "Send your Bitcoin wallet ID and personal installation key to e-mail " fullword wide
        // Anti-forensics: delete the NTFS USN journal and clear the Setup/System event logs
        $x5 = "fsutil usn deletejournal /D %c:" fullword wide
        $x6 = "wevtutil cl Setup & wevtutil cl System" ascii
        /* ,#1 ..... rundll32.exe */
        // UTF-16LE bytes of the same ",#1 ... rundll32.exe" fragment, for the case
        // where the surrounding text does not match the $x2/$x3 literals.
        $x7 = { 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E
        00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00 }
        // WMIC remote node/credential argument format
        $s1 = "%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" " fullword wide
        // Named-pipe path and scheduled-task creation formats
        $s4 = "\\\\.\\pipe\\%ws" fullword wide
        $s5 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d" fullword wide
        // PsExec-style invocation ("-accepteula -s")
        $s6 = "u%s \\\\%s -accepteula -s " fullword wide
        $s7 = "dllhost.dat" fullword wide
    condition:
        // MZ header and size cap, then one strong string or any three strings
        uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 3 of them )
}
rule APT_MAL_LNX_Kobalos {
    meta:
        description = "Kobalos malware"
        author = "Marc-Etienne M.Leveille"
        date = "2020-11-02"
        reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        id = "dfa47e30-c093-57f6-af01-72a2534cc6f4"
    strings:
        // Identifiers follow the ESET write-up; see the reference for what each
        // byte sequence is in the sample.
        $encrypted_strings_sizes = {
            05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
            08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
            01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
            05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
        }
        $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
        $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
        $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }
    condition:
        // ELF magic (0x7F 'E' as little-endian uint16); this guard was added by
        // Florian Roth to reduce false positives. Any single artefact then matches.
        uint16(0) == 0x457f and 1 of them
}
rule APT_MAL_LNX_Kobalos_SSH_Credential_Stealer {
    meta:
        description = "Kobalos SSH credential stealer seen in OpenSSH client"
        author = "Marc-Etienne M.Leveille"
        date = "2020-11-02"
        reference = "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        id = "0f923f92-c5d8-500d-9a2e-634ca7945c5c"
    strings:
        // Log-line format string that records user, host, port and password
        $ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"
    condition:
        // ELF magic (0x7F 'E' as little-endian uint16); guard added by Florian
        // Roth to reduce false positives. The single format string then suffices.
        uint16(0) == 0x457f and 1 of them
}
rule APT_Sandworm_Keywords_May20_1 {
    meta:
        description = "Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in Exim"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        id = "e0d4e90e-5547-5487-8d0c-a141d88fff7c"
    strings:
        // SMTP envelope sender carrying an Exim ${run{...}} expansion (the
        // CVE-2019-10149 pattern named in the description); useful on mail logs
        $x1 = "MAIL FROM:<$(run("
        // Hex-escaped "exec /usr/bin/wget -O - http" (\x20 = space, \x2F = '/', \x2D = '-')
        $x2 = "exec\\x20\\x2Fusr\\x2Fbin\\x2Fwget\\x20\\x2DO\\x20\\x2D\\x20http"
    condition:
        // No file-type anchor on purpose: the strings are expected in logs and
        // captured mail traffic, not in executables.
        filesize < 8000KB and ($x1 or $x2)
}
rule APT_Sandworm_SSH_Key_May20_1 {
    meta:
        description = "Detects SSH key used by Sandworm on exploited machines"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
        hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
        id = "ea2968b8-7ae4-56b8-9547-816c5e37c50a"
    strings:
        // Prefix of the attacker's public key as it appears in authorized_keys
        $x1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2q/NGN/brzNfJiIp2zswtL33tr74pIAjMeWtXN1p5Hqp5fTp058U1EN4NmgmjX0KzNjjV"
    condition:
        // Intended for authorized_keys files and shell scripts; the size cap
        // keeps it off large archives.
        filesize < 1000KB and $x1
}
rule APT_Sandworm_SSHD_Config_Modification_May20_1 {
    meta:
        description = "Detects ssh config entry inserted by Sandworm on compromised machines"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
        hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
        id = "dd60eeb7-3d4b-5a6a-8054-50c617ee8c73"
    strings:
        // The inserted AllowUsers entry for the attacker-created account
        $x1 = "AllowUsers mysql_db" ascii
        // Ordinary sshd_config keyword; anchors the match to an sshd configuration file
        $a1 = "ListenAddress" ascii fullword
    condition:
        // Both strings in a small (sshd_config-sized) file
        filesize < 10KB and $x1 and $a1
}
rule APT_Sandworm_InitFile_May20_1 {
    meta:
        description = "Detects mysql init script used by Sandworm on compromised machines"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
        hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
        id = "0bd613e3-6bd4-5cec-bc0d-2bdb83caf142"
    strings:
        // SQL statements from the init file: grant on *.* and account creation
        // for the 'mysqldb' user (the password that follows is not matched)
        $s1 = "GRANT ALL PRIVILEGES ON * . * TO 'mysqldb'@'localhost';" ascii
        $s2 = "CREATE USER 'mysqldb'@'localhost' IDENTIFIED BY '" ascii fullword
    condition:
        // Both statements in a small text file
        filesize < 10KB and $s1 and $s2
}
rule APT_Sandworm_User_May20_1 {
    meta:
        description = "Detects user added by Sandworm on compromised machines"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
        hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
        id = "ada549a4-abcc-5c0a-9601-75631e78c835"
    strings:
        // passwd entry of the account the attackers add
        $s1 = "mysql_db:x:" ascii /* malicious user */
        // Two entries present in any passwd file; they anchor the match to /etc/passwd
        $a1 = "root:x:"
        $a2 = "daemon:x:"
    condition:
        // All three entries in a passwd-sized file
        filesize < 4KB and $s1 and $a1 and $a2
}
rule APT_WEBSHELL_PHP_Sandworm_May20_1 {
    meta:
        description = "Detects GIF header PHP webshell used by Sandworm on compromised machines"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
        hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
        id = "b9ec02c2-fa83-5f21-95cf-3528047b2d01"
    strings:
        // Fake GIF signature immediately followed by a PHP open tag and a variable
        $h1 = "GIF89a <?php $" ascii
        // Common PHP call; on its own far too generic, hence the header anchor
        $s1 = "str_replace(" ascii
    condition:
        // The header must be at offset 0; $s1 may be anywhere in the small file
        filesize < 10KB and $s1 and $h1 at 0
}
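rule APT_SH_Sandworm_Shell_Script_May20_1 {
    meta:
        description = "Detects shell script used by Sandworm in attack against Exim mail server"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
        date = "2020-05-28"
        hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
        hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
        id = "21cf2c89-5511-5eb6-a2dd-4ad54ebfa2d1"
    strings:
        // Strong indicators: the exact lines of the script (MySQL init-file
        // creation, a Python one-liner, sshd_config edits, a uid-0 account)
        $x1 = "echo \"GRANT ALL PRIVILEGES ON * . * TO 'mysqldb'@'localhost';\" >> init-file.txt" ascii fullword
        $x2 = "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version" ascii fullword
        $x3 = "sed -i -e '/PasswordAuthentication/s/no/yes/g; /PermitRootLogin/s/no/yes/g;" ascii fullword
        $x4 = "useradd -M -l -g root -G root -b /root -u 0 -o mysql_db" ascii fullword
        // Supporting fragments, individually weak
        $s1 = "/ip.php?port=${PORT}\"" ascii fullword
        $s2 = "sed -i -e '/PasswordAuthentication" ascii fullword
        $s3 = "PATH_KEY=/root/.ssh/authorized_keys" ascii fullword
        $s4 = "CREATE USER" ascii fullword
        $s5 = "crontab -l | { cat; echo" ascii fullword
        $s6 = "mysqld --user=mysql --init-file=/etc/opt/init-file.txt --console" ascii fullword
        $s7 = "sshkey.php" ascii fullword
    condition:
        // "#!" shebang at offset 0 (bytes 0x23 0x21 as little-endian uint16) and
        // the size cap must hold for BOTH branches. Without the parentheses YARA
        // parses "A and B and C or D" as "(A and B and C) or D", so "4 of them"
        // fired on any file type and size (e.g. reports quoting the script).
        uint16(0) == 0x2123 and
        filesize < 20KB and
        ( 1 of ($x*) or 4 of them )
}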
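rule APT_RU_Sandworm_PY_May20_1 {
    meta:
        description = "Detects Sandworm Python loader"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/billyleonard/status/1266054881225236482"
        date = "2020-05-28"
        hash1 = "c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca"
        id = "a392d800-1fe8-5ae9-b813-e1dfcedecda6"
    strings:
        // Strong indicator: the exact User-Agent header set on the opener
        $x1 = "o.addheaders=[('User-Agent','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko')]" ascii fullword
        // Supporting fragments: exec of a fetched URL body, 2/3 urllib selection
        $s1 = "exec(o.open('http://" ascii
        $s2 = "__import__({2:'urllib2',3:'urllib.request'}"
    condition:
        // File starts with "im" (0x69 0x6D as little-endian uint16, i.e. "import")
        // and is tiny; both guards must apply to BOTH branches. The original
        // "A and B and C or D" form let "2 of them" fire without any guard.
        uint16(0) == 0x6d69 and
        filesize < 1KB and
        ( 1 of ($x*) or 2 of them )
}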
rule APT_RU_Sandworm_PY_May20_2 {
    meta:
        description = "Detects Sandworm Python loader"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/billyleonard/status/1266054881225236482"
        date = "2020-05-28"
        hash1 = "abfa83cf54db8fa548942acd845b4f34acc94c46d4e1fb5ce7e97cc0c6596676"
        id = "5b32ad64-d959-5632-a03c-17aa055b213f"
    strings:
        // Each string is a distinctive fragment of the one-line loader:
        // import prologue, hard-coded User-Agent and server, request path, and a
        // check for the "Little Snitch" process.
        $x1 = "import sys;import re, subprocess;cmd" ascii fullword
        $x2 = "UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http"
        $x3 = "';t='/admin/get.php';req" ascii
        $x4 = "ps -ef | grep Little\\ Snitch | grep " ascii fullword
    condition:
        // File starts with "im" (0x69 0x6D as little-endian uint16, i.e. "import"),
        // is tiny, and contains any one fragment.
        uint16(0) == 0x6d69 and
        filesize < 2KB and
        ($x1 or $x2 or $x3 or $x4)
}
rule APT_Sandworm_CyclopsBlink_notable_strings {
    meta:
        author = "NCSC"
        description = "Detects notable strings identified within the Cyclops Blink executable"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "81ccf582-41f5-5fe5-8afc-e008e01289ff"
    strings:
        // Process names masqueraded by implant
        $proc_name1 = "[kworker/0:1]"
        $proc_name2 = "[kworker/1:1]"
        // DNS query over SSL, used to resolve C2 server address
        $dns_query = "POST /dns-query HTTP/1.1\x0d\x0aHost: dns.google\x0d\x0a"
        // iptables commands
        $iptables1 = "iptables -I %s -p tcp --dport %d -j ACCEPT &>/dev/null"
        $iptables2 = "iptables -D %s -p tcp --dport %d -j ACCEPT &>/dev/null"
        // Format strings used for system recon
        $sys_recon1 = "{\"ver\":\"%x\",\"mods\";["
        $sys_recon2 = "uptime: %lu mem_size: %lu mem_free: %lu"
        $sys_recon3 = "disk_size: %lu disk_free: %lu"
        $sys_recon4 = "hw: %02x:%02x:%02x:%02x:%02x:%02x"
        // Format string for filepath used to test access to device filesystem
        $testpath = "%s/214688dsf46"
        // Format string for implant configuration filepath
        $confpath = "%s/rootfs_cfg"
        // Default file download path
        $downpath = "/var/tmp/a.tmp"
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) and at least 8 of the 12 strings
        (uint32(0) == 0x464c457f) and (8 of them)
}
rule APT_Sandworm_CyclopsBlink_module_initialisation {
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to initialise the modules built into Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "c81b92c4-3f70-5bbd-acfa-ed1e1d33461d"
    strings:
        // Module initialisation routine: returns the module ID to the caller.
        // The wildcard byte (??) is the per-module ID; the sequence looks like a
        // PowerPC prologue/epilogue ending in blr (4E 80 00 20) -- verify against
        // the sample's architecture before relying on that reading.
        $ = {94 21 FF F0 93 E1 00 08 7C 3F 0B 78 38 00 00 ?? 7C 03
        03 78 81 61 00 00 8E EB FF F8 7D 61 5B 78 4E 80 00 20}
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) plus the code sequence
        uint32(0) == 0x464c457f and 1 of them
}
rule APT_Sandworm_CyclopsBlink_modified_install_upgrade {
    meta:
        author = "NCSC"
        description = "Detects notable strings identified within the modified install_upgrade executable, embedded within Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        hash3 = "7d61c0dd0cd901221a9dff9df09bb90810754f10"
        hash4 = "438cd40caca70cafe5ca436b36ef7d3a6321e858"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "4c4f7262-df74-5f6a-afc0-df1fcae4741c"
    strings:
        // Format strings used for temporary filenames
        $ = "/pending/%010lu_%06d_%03d_p1"
        $ = "/pending/sysa_code_dir/test_%d_%d_%d_%d_%d_%d"
        // Hard-coded key used to initialise HMAC calculation
        $ = "etaonrishdlcupfm"
        // Filepath used to store the patched firmware image
        $ = "/pending/WGUpgrade-dl.new"
        // Filepath of legitimate install_upgrade executable
        $ = "/pending/bin/install_upgraded"
        // Loop device IOCTL LOOP_SET_FD
        $ = {38 80 4C 00}
        // Loop device IOCTL LOOP_GET_STATUS64
        $ = {38 80 4C 05}
        // Loop device IOCTL LOOP_SET_STATUS64
        $ = {38 80 4C 04}
        // Firmware HMAC record starts with the string "HMAC"
        $ = {3C 00 48 4D 60 00 41 43 90 09 00 00}
        // NOTE(review): the three 4-byte ioctl patterns are short and will also
        // occur in unrelated binaries; the "6 of them" threshold below is what
        // keeps them from matching on their own.
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) and 6 of the 9 strings
        (uint32(0) == 0x464c457f) and (6 of them)
}
rule APT_Sandworm_CyclopsBlink_core_command_check {
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to test the command ID being sent to the core component of Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "46066474-7647-52fb-b40d-30ff8e285b6e"
    strings:
        // Check for command ID equals 0x7, 0xa, 0xb, 0xc or 0xd
        // (the alternation in the last byte yields one match per accepted ID)
        $cmd_check = {81 3F 00 18 88 09 00 05 54 00 06 3E 2F 80 00 (07|0A|0B|0C|0D) }
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) and EXACTLY five matches
        // of the compare sequence -- one per alternative, presumably one compare
        // per command ID in the dispatcher. Note "==" rather than ">=": a build
        // with an extra or missing compare would not match.
        (uint32(0) == 0x464c457f) and (#cmd_check == 5)
}
rule APT_Sandworm_CyclopsBlink_config_identifiers {
    meta:
        author = "NCSC"
        description = "Detects the initial characters used to identify Cyclops Blink configuration data"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "db5b3a4a-82c2-500a-88f6-340b3392eac8"
    strings:
        // Main config parameter data starts with the string "<p: "
        //$ = "<p: " fullword // short atom - not necessary
        // Each pattern below is the code that stores the 4-byte tag ("<k: ",
        // "<c: ", "<s: ") rather than the tag itself, hence the 12-byte sequence
        // instead of a plain text string.
        // RSA public key data starts with the string "<k: "
        $ = {3C 00 3C 6B 60 00 3A 20 90 09 00 00}
        // X.509 certificate data starts with the string "<c: "
        $ = {3C 00 3C 63 60 00 3A 20 90 09 00 00}
        // RSA private key data starts with the string "<s: "
        $ = {3C 00 3C 73 60 00 3A 20 90 09 00 00}
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) and all three tag-storing sequences
        (uint32(0) == 0x464c457f) and (all of them)
}
rule APT_Sandworm_CyclopsBlink_handle_mod_0xf_command {
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to check module ID 0xf control flags and a format string used for file content upload"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "36646b7a-389d-5fd9-88a1-e43e7224763a"
    strings:
        // Four flag tests on the module 0xf control byte; each is a bit-extract
        // followed by a compare-with-zero (2F 80 00 00). Bit 3 is not tested here.
        // Tests execute flag (bit 0)
        $ = {54 00 06 3E 54 00 07 FE 54 00 06 3E 2F 80 00 00}
        // Tests add module flag (bit 1)
        $ = {54 00 06 3E 54 00 07 BC 2F 80 00 00}
        // Tests run as shellcode flag (bit 2)
        $ = {54 00 06 3E 54 00 07 7A 2F 80 00 00}
        // Tests upload flag (bit 4)
        $ = {54 00 06 3E 54 00 06 F6 2F 80 00 00}
        // Upload format string
        $ = "file:%s\n" fullword
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) and all four flag tests
        // plus the upload format string
        (uint32(0) == 0x464c457f) and (all of them)
}
rule APT_Sandworm_CyclopsBlink_default_config_values {
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to set default Cyclops Blink configuration values"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "04067609-1173-51f2-907f-2a236aae6c7c"
    strings:
        // Each pattern is an immediate load followed by a store to a fixed
        // offset (90 09 01 xx); the offsets 0x1A4, 0x1A8, 0x1AC, 0x1B0, 0x1C0 are
        // successive fields of the configuration structure. The values' meaning
        // is not documented in the advisory.
        // Unknown config value set to 0x19
        $ = {38 00 00 19 90 09 01 A4}
        // Unknown config value set to 0x18000
        $ = {3C 00 00 01 60 00 80 00 90 09 01 A8}
        // Unknown config value set to 0x4000
        $ = {38 00 40 00 90 09 01 AC}
        // Unknown config value set to 0x10b
        $ = {38 00 01 0B 90 09 01 B0}
        // Unknown config value set to 0x2711
        $ = {38 00 27 11 90 09 01 C0}
    condition:
        // ELF magic ("\x7fELF" as little-endian uint32) and 3 of the 5 stores;
        // the 8-byte patterns are short, so the threshold matters for precision
        (uint32(0) == 0x464c457f) and (3 of them)
}
rule APT_Sandworm_CyclopsBlink_handle_mod_0x51_command {
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to check commands sent to module ID 0x51 and notable strings relating to the Cyclops Blink update process"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
        date = "2022-02-23"
        id = "a6800aed-27dc-5d01-b005-1eb4a62344a3"
    strings:
        // Check for module command ID equals 0x1, 0x2 or 0x3
        // ([2] skips the two-byte load offset; the alternation gives one match per ID)
        $cmd_check = {88 1F [2] 54 00 06 3E 2F 80 00 (01|02|03) }
        // Legitimate WatchGuard filepaths relating to device configuration
        $path1 = "/etc/wg/configd-hash.xml"
        $path2 = "/etc/wg/config.xml"
        // Mount arguments used to remount root filesystem as RW or RO
        // ($mnt_arg1/$mnt_arg2 are generic strings; the two code-byte
        // immediates and the path strings are what make the set specific)
        $mnt_arg1 = "ext2"
        $mnt_arg2 = "errors=continue"
        $mnt_arg3 = {38 C0 0C 20}
        $mnt_arg4 = {38 C0 0C 21}
    condition:
        // ELF magic, exactly three command-ID compares, and the first and third
        // compare within 0x200 bytes of each other (i.e. the same dispatcher),
        // plus both WatchGuard paths and all four mount-argument patterns.
        (uint32(0) == 0x464c457f) and (#cmd_check == 3) and
        ((@cmd_check[3] - @cmd_check[1]) < 0x200) and
        (all of ($path*)) and (all of ($mnt_arg*))
}
rule APT_MAL_Sandworm_Exaramel_Configuration_Key {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...]"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        id = "8078de62-3dd2-5ee0-8bda-f508e4013144"
    strings:
        // Hard-coded configuration-file encryption key (16 bytes)
        $ = "odhyrfjcnfkdtslt"
    condition:
        // No file-type or size guard: the key string alone is considered
        // specific enough, and it also lets the rule fire on reports and
        // rule files that quote the key.
        1 of them
}
rule APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects the specific name of the configuration file in Exaramel malware as seen in sample e1ff72[...]"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        id = "1c06f5fc-3435-51cd-92fb-17a4ab6b63ad"
    strings:
        // Name of the encrypted configuration file
        $ = "configtx.json"
    condition:
        // No file-type or size guard, and the filename is generic-looking, so
        // treat a hit as a lead to corroborate with the other Exaramel rules
        // rather than a verdict on its own.
        1 of them
}
rule APT_MAL_Sandworm_Exaramel_Configuration_File_Ciphertext {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects contents of the configuration file used by Exaramel (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        id = "763dbb17-2bad-5b40-8a7b-b71bc5849cd9"
    strings:
        // First 11 bytes of the configuration file as encrypted with the key
        // odhyrfjcnfkdtslt; matches the on-disk config, not the implant binary
        $ = { 6F B6 08 E9 A3 0C 8D 5E DD BE D4 }
    condition:
        // The single ciphertext prefix suffices; no size or type guard
        1 of them
}
rule APT_MAL_Sandworm_Exaramel_Socket_Path {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects path of the unix socket created to prevent concurrent executions in Exaramel malware"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        id = "3aab84c9-9748-5d11-9cd7-efa9151036cf"
    strings:
        // Hidden unix-socket path used as a single-instance lock
        $ = "/tmp/.applocktx"
    condition:
        // The path string alone; also a useful filesystem artefact to look for on hosts
        1 of them
}
rule APT_MAL_Sandworm_Exaramel_Task_Names {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects names of the tasks received from the CC server in Exaramel malware"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        id = "185f2f3b-bf5c-54af-bca2-400d08bf9c91"
    strings:
        // Task names dispatched by the implant, grouped by namespace (App, IO, OS)
        $ = "App.Delete"
        $ = "App.SetServer"
        $ = "App.SetProxy"
        $ = "App.SetTimeout"
        $ = "App.Update"
        $ = "IO.ReadFile"
        $ = "IO.WriteFile"
        $ = "OS.ShellExecute"
    condition:
        // All eight names are required. There is no ELF/size guard, so any
        // text that lists the full set (e.g. reports, or this rule file itself)
        // will also match; gate on file type at scan time if that is a problem.
        all of them
}
rule APT_MAL_Sandworm_Exaramel_Struct {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects the beginning of type _type struct for some of the most important structs in Exaramel malware"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        id = "8282e485-966c-554d-8e41-70dc1657f5ea"
    strings:
        // Each pattern: two 64-bit little-endian values, a 4-byte value, then a
        // tail "0? [2] 19". This is consistent with the Go runtime _type layout
        // (size, ptrdata, hash, tflag, align, fieldalign, kind) with kind 0x19 =
        // struct -- verify against the Go version of the sample before relying
        // on the field names. The "_le_" infix marks little-endian builds.
        $struct_le_config = {70 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 47 2d 28 42 0? [2] 19}
        $struct_le_worker = {30 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 46 6a 13 e2 0? [2] 19}
        $struct_le_client = {20 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 7b 6a 49 84 0? [2] 19}
        $struct_le_report = {30 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 bf 35 0d f9 0? [2] 19}
        $struct_le_task = {50 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 88 60 a1 c5 0? [2] 19}
    condition:
        // Any single type descriptor; no ELF guard, but the 4-byte hash makes
        // each pattern specific to this build's type set
        any of them
}
rule APT_MAL_Sandworm_Exaramel_Strings_Typo {
    meta:
        author = "FR/ANSSI/SDO"
        description = "Detects misc strings in Exaramel malware with typos"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        // NOTE(review): this id is also used by APT_MAL_Sandworm_Exaramel_Strings
        // further down the file; rule ids are meant to be unique, so one of the
        // two should be re-issued a fresh UUID.
        id = "fdc79b87-eb9e-5751-9474-ff653b073165"
    strings:
        // Author-specific typos and odd phrasing; unlikely in legitimate software
        $typo1 = "/sbin/init | awk "
        $typo2 = "Syslog service for monitoring \n"
        $typo3 = "Error.Can't update app! Not enough update archive."
        $typo4 = ":\"metod\""
    condition:
        // Any three of the four (all strings here are $typo*, so "them" is the same set)
        3 of them
}
rule APT_MAL_Sandworm_Exaramel_Strings {
    meta:
        author = "FR/ANSSI/SDO (composed from 4 saparate rules by Florian Roth)"
        description = "Detects Strings used by Exaramel malware"
        reference = "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
        date = "2021-02-15"
        score = 80
        // NOTE(review): same id as APT_MAL_Sandworm_Exaramel_Strings_Typo above;
        // rule ids are meant to be unique, so one of the two needs a fresh UUID.
        id = "fdc79b87-eb9e-5751-9474-ff653b073165"
    strings:
        // Names of the init systems the implant can persist through
        // (individually generic; only meaningful as a complete set)
        $persistence1 = "systemd"
        $persistence2 = "upstart"
        $persistence3 = "systemV"
        $persistence4 = "freebsd rc"
        // Report file names
        $report1 = "systemdupdate.rep"
        $report2 = "upstartupdate.rep"
        $report3 = "remove.rep"
        // C2 URL paths
        $url1 = "/tasks.get/"
        $url2 = "/time.get/"
        $url3 = "/time.set"
        $url4 = "/tasks.report"
        $url5 = "/attachment.get/"
        $url6 = "/auth/app"
    condition:
        // Any two of the three groups: the full persistence set together with
        // either five URL paths or all report names, or five URL paths together
        // with all report names.
        ( all of ($persistence*) and ( 5 of ($url*) or all of ($report*) ) ) or
        ( 5 of ($url*) and all of ($report*) )
}
rule TeleBots_IntercepterNG {
    meta:
        description = "Detects TeleBots malware - IntercepterNG"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/4if3HG"
        date = "2016-12-14"
        hash1 = "5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118"
        id = "f4d48eb6-8235-534d-a32f-7f2711b96e9d"
    strings:
        // Usage/help text and status messages of the Intercepter-NG console tool
        $s1 = "Usage: %s iface_num\\dump [mode] [w] [-gw] [-t1 ip]" fullword ascii
        $s2 = "Target%d found: %s - [%.2X-%.2X-%.2X-%.2X-%.2X-%.2X]" fullword ascii
        $s3 = "3: passwords + files, no arp poison" fullword ascii
        $s4 = "IRC Joining Keyed Channel intercepted" fullword ascii
        $s5 = "-tX - set target ip" fullword ascii
        $s6 = "w - save session to .pcap dump" fullword ascii
        $s7 = "example: %s 1 1 -gw 192.168.1.1 -t1 192.168.1.3 -t2 192.168.1.5" fullword ascii
        $s8 = "ORACLE8 DES Authorization intercepted" fullword ascii
    condition:
        // Four strings anywhere, or a single string inside a small PE (MZ header).
        // Intercepter-NG is a dual-use tool; a hit identifies the tool, not intent.
        4 of them or ( uint16(0) == 0x5a4d and filesize < 500KB and 1 of them )
}