
YARA rules for PlugX

YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

direct APTGroupX
APTGroupX_PlugXTrojanLoader_StringDecode
Rule to detect PlugX Malware
author Jay DiMartino license see source repo
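rule APTGroupX_PlugXTrojanLoader_StringDecode {
   // Matches a short x86 string-decoding sequence from a PlugX loader:
   // two loads (8A/8B), an `inc dword ptr [0x10003000]` (FF 05 00 30 00 10),
   // then a sub (2A), an immediate ALU op (80 ..), a 0x02 byte and a byte
   // store (88 0?), with wildcard gaps for register/displacement variance.
   // Indentation normalised to the rule's 3/6-space layout (the meta section
   // previously mixed tabs and spaces); no pattern or value was changed.
   meta:
      author = "Jay DiMartino"
      description = "Rule to detect PlugX Malware"
      score = 80
      // NOTE(review): shortened URL; resolve it and record the canonical
      // report link before relying on this reference.
      reference = "https://t.co/4xQ8G2mNap"
      // hash1..hash22: 40-hex-digit digests (SHA-1 length) of known samples.
      hash1 = "0535e8c300204e257f0fa57630f386e9fcc8e779"
      hash2 = "088ebf9ccde958f32d11f4e7eb14f5332332f97d"
      hash3 = "0c999d0bffa007e9e6b6fe593933b52f40c75b3d"
      hash4 = "2f644e7131ec0a4f12ce04ba1e54d23856dbbfbf"
      hash5 = "3be9148ad132ca342d5fbabea1119a175ef1df7c"
      hash6 = "4c1ee94ec0e15491fc4f6b4095f67eee6309e62a"
      hash7 = "587af7ce05e61d4c312d6bae12ea380116b08d7e"
      hash8 = "5990efd83b5646a7ba419541d3a2c19260224ca3"
      hash9 = "67970367c250c44a5feb263843cf45fd91336df5"
      hash10 = "68f53f7188910a4cf67843aedd38c1523f1f2e7c"
      hash11 = "962dc7e0ad37286df012f623423ac4182fe791ca"
      hash12 = "aa0976906807af2e1b127608040aa3ef6e118a13"
      hash13 = "b170d015e32b39fa4ac15f94d58e45e65cd16d6c"
      hash14 = "c9b3d2cef3b34c7ee18fc2f60ff022965959613d"
      hash15 = "cd425ce7f3e4a823d9027780e1b439759c4dc665"
      hash16 = "d5e82513c6472d3826a22d9a15c05af8c0d33b58"
      hash17 = "d9b32084f27ef13001060e1dcee8a1a9e95d89a6"
      hash18 = "daa2d1cb9148b7ba5a86fa9ab593678e77c92672"
      hash19 = "e2c098a95d1c1f0e29f207af9c5ffc5bd69a92ee"
      hash20 = "ef8cf68dc3c80e9cb5a3fa0f92b544eab583812e"
      hash21 = "f0fc0a4e4e0748464caa6a202d0083cd33458677"
      hash22 = "fe1abe55529c1d6aa6b2a2f02d7e41ea58040feb"
      id = "c6017327-b44d-5b1d-95aa-6e1f9fbf5583"
   strings:
      // $byte1 and $byte2 differ only in the first opcode (8A = mov r8,r/m8
      // vs 8B = mov r32,r/m32). The absolute operand 0x10003000 ties both
      // patterns to the sample's preferred image base, so rebased or
      // relocated copies may not match.
      $byte1 = { 8A [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }
      $byte2 = { 8B [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }
   condition:
      // No MZ-header or filesize gate: the opcode patterns alone decide, so
      // the rule is not restricted to PE files. Either pattern suffices.
      any of them
}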
direct PlugX
PlugX_NvSmartMax_Gen
Threat Group 3390 APT Sample - PlugX NvSmartMax Generic
author Florian Roth (Nextron Systems) license see source repo
rule PlugX_NvSmartMax_Gen {
	// Generic detection for the PlugX "NvSmartMax" loader set attributed to
	// Threat Group 3390 (see reference). A hit needs a PE ("MZ") header, a
	// file under 800KB, every $s* text string and at least one $op* opcode
	// sequence.
	meta:
		description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://snip.ly/giNB"
		date = "2015-08-06"
		score = 70
		// hash1..hash5: 64-hex-digit digests (SHA-256 length) of the samples
		// the rule was built from.
		hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef"
		hash2 = "1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0"
		hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
		hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
		hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
		id = "5ecd25a8-9717-527f-bb6e-3259b9a60458"
	strings:
		// File names of the NvSmartMax loader components (presumably the
		// host executable and the DLL it loads — verify against a sample).
		// Identifier gaps ($s3, $s6) are harmless: `all of ($s*)` only
		// enumerates the strings that are declared.
		$s0 = "NvSmartMax.dll" fullword ascii
		$s1 = "NvSmartMax.dll.url" fullword ascii
		$s2 = "Nv.exe" fullword ascii
		// Error messages referencing the Windows CryptProtectMemory /
		// CryptUnprotectMemory API.
		$s4 = "CryptProtectMemory failed" fullword ascii 
		$s5 = "CryptUnprotectMemory failed" fullword ascii 
		// UTF-16 format strings.
		$s7 = "r%.*s(%d)%s" fullword wide
		$s8 = " %s CRC " fullword wide

		// $op0 and $op2 embed absolute addresses (0x00424926, 0x00414310), so
		// they are specific to the samples' image base; $op1 is base-independent.
		$op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */
		$op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */
		$op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */
	condition:
		// 0x5a4d is "MZ" little-endian: restricts the rule to PE/DOS-headed files.
		uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
}
direct IronTiger
IronTiger_PlugX_DosEmulator
Iron Tiger Malware - PlugX DosEmulator
author Cyber Safety Solutions, Trend Micro - modified by Florian Roth license see source repo
rule IronTiger_PlugX_DosEmulator
{
	// Iron Tiger PlugX "DosEmulator" component: a PE ("MZ") header plus any
	// two of four artefacts (version banner, named pipe, source file name,
	// error format string).
	meta:
		author = "Cyber Safety Solutions, Trend Micro - modified by Florian Roth"
		description = "Iron Tiger Malware - PlugX DosEmulator"
		reference = "http://goo.gl/T5fSJC"
		id = "e601d91d-49e6-5fe9-b70b-fb1fb6c4f059"
	strings:
		// The misspelling "Emluator" is part of the pattern — presumably
		// verbatim from the sample; do not "correct" it.
		$str1 = "Dos Emluator Ver" wide ascii
		// Named pipe used by the component.
		$str2 = "\\PIPE\\FASTDOS" wide ascii
		// Source file name left in the binary.
		$str3 = "FastDos.cpp" wide ascii
		$str4 = "fail,error code = %d." wide ascii
	condition:
		// 0x5a4d is "MZ" little-endian; two independent strings are required.
		uint16(0) == 0x5a4d and 2 of ($str*)
}
direct IronTiger
IronTiger_PlugX_FastProxy
Iron Tiger Malware - PlugX FastProxy
author Cyber Safety Solutions, Trend Micro license see source repo
rule IronTiger_PlugX_FastProxy
{
	// Iron Tiger PlugX "FastProxy" port-forwarding component: a PE ("MZ")
	// header plus any single one of the six strings.
	meta:
		author = "Cyber Safety Solutions, Trend Micro"
		description = "Iron Tiger Malware - PlugX FastProxy"
		reference = "http://goo.gl/T5fSJC"
		id = "14e05823-6288-5f02-8060-add51084c446"
	strings:
		$str1 = "SAFEPROXY HTServerTimer Quit!" wide ascii
		// Misspellings ("Useage", "fligth") are part of the patterns — keep them.
		$str2 = "Useage: %s pid" wide ascii
		$str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" wide ascii
		// Fairly short/generic usage text; a hit on this string alone
		// warrants corroboration with the others.
		$str4 = "p0: port for listener" wide ascii
		// Build/source path fragment left in the binary.
		$str5 = "\\users\\whg\\desktop\\plug\\" wide ascii
		$str6 = "[+Y] cwnd : %3d, fligth:" wide ascii
	condition:
		// 0x5a4d is "MZ" little-endian; one string suffices.
		uint16(0) == 0x5a4d and (any of ($str*))
}
direct IronTiger
IronTiger_PlugX_Server
Iron Tiger Malware - PlugX Server
author Cyber Safety Solutions, Trend Micro license see source repo
rule IronTiger_PlugX_Server
{
	// Iron Tiger PlugX server/controller component: a PE ("MZ") header plus
	// any two of ten strings. The ".pas" unit names indicate Pascal/Delphi
	// source; the "KeyLog", "Register" and "RControl" names suggest the
	// operator-side UI (presumably the controller — verify against a sample).
	meta:
		author = "Cyber Safety Solutions, Trend Micro"
		description = "Iron Tiger Malware - PlugX Server"
		reference = "http://goo.gl/T5fSJC"
		id = "38011a23-3ed7-5f58-a814-2551526b27f3"
	strings:
		$str1 = "\\UnitFrmManagerKeyLog.pas" wide ascii
		$str2 = "\\UnitFrmManagerRegister.pas" wide ascii
		$str3 = "Input Name..." wide ascii
		$str4 = "New Value#" wide ascii
		$str5 = "TThreadRControl.Execute SEH!!!" wide ascii
		$str6 = "\\UnitFrmRControl.pas" wide ascii
		$str7 = "OnSocket(event is error)!" wide ascii
		$str8 = "Make 3F Version Ok!!!" wide ascii
		// Misspellings ("PELEASE", "DOCAMENT") are part of the pattern — keep them.
		$str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" wide ascii
		$str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" wide ascii
	condition:
		// 0x5a4d is "MZ" little-endian; two independent strings are required.
		uint16(0) == 0x5a4d and (2 of ($str*))
}
direct Area1
APT_Area1_SSF_PlugX
Detects send tool used in phishing campaign reported by Area 1 in December 2018
author Area 1 license see source repo
rule APT_Area1_SSF_PlugX {
   // Detects the "send" tool from Area 1's December 2018 "Phishing
   // Diplomacy" report via six x86 code fragments; any three must match.
   // There is no MZ-header or filesize gate, so the rule also applies to
   // non-PE carriers and memory images.
   meta:
      description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
      reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
      date = "2018-12-19"
      author = "Area 1"
      id = "a5b4e781-f0d1-55df-926c-2d321aa48139"
   strings:
      // Three pushed immediates (wildcarded), push 7, push -1, indirect call
      // (ff d0), result moved to esi and tested.
      $feature_call = { 8b 0? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
         6a 07 6a ff ff d0 8b f0 85 f6 74 14 }
      // Builds a 12-byte stack structure (push 0c, push 1) holding 0x00060001
      // and 0x00000100 — consistent with a RegisterRawInputDevices call for a
      // keyboard (usage page 1, usage 6) with flag 0x100; hence the name.
      $keylogger_reg = { 8b 4d 08 6a 0c 6a 01 8d 55 f4 52 c7 45 f4 01 00 06 00
         c7 45 f8 00 01 00 00 89 4d fc ff d0 85 c0 75 1d }
      // Ends with `call [0x1002431c]` (ff 15 1c 43 02 10): an absolute import
      // address, so this fragment is tied to the sample's image base.
      $file_op = { 55 8b ec 83 ec 20 0f b7 56 18 8b 46 10 66 8b 4e 14 89 45 e4
         8d 44 32 10 66 89 4d f0 0f b7 4e 1a 57 89 45 e8 33 ff 8d 45 e0 8d 54
         31 10 50 89 7d e0 89 55 ec c7 45 fa ?? ?? ?? ?? 89 7d f2 89 7d f6 ff
         15 1c 43 02 10 }
      // Packs two bytes into (major << 8 | minor) and compares with 0x0502
      // (5.2), i.e. an OS-version check.
      $ver_cmp = { 0f b6 8d b0 fe ff ff 0f b6 95 b4 fe ff ff 66 c1 e1 08 0f b7
         c1 0b c2 3d 02 05 00 00 7f 2c }
      // Stores constants 0x20120123 and 0x9001 into a structure, then calls
      // with 0x7530 (30000) pushed — presumably a millisecond timeout.
      $regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8
         51 fb ff ff 8b 4d 08 8b 50 38 68 30 75 00 00 56 51 ff d2 }
      // Calls through ebx with indices 8 and 10 (GetDeviceCaps HORZRES /
      // VERTRES) and applies the 0x51EB851F multiply-and-shift idiom that
      // compilers typically emit for division by 100. The first six bytes
      // (8b 1d ?? ?? ?? ??) load from a wildcarded absolute address.
      $get_device_caps = { 8b 1d ?? ?? ?? ?? 6a 08 50 ff d3 0f b7 56 12 8b c8 0f af ca
         b8 1f 85 eb 51 f7 e9 c1 fa 05 8b c2 c1 e8 1f 03 c2 89 45 f8 8b 45 f0 6a 0a 50 ff d3
         0f b7 56 14 8b c8 0f af ca b8 1f 85 eb 51 }
   condition:
      // Any three of the six fragments.
      3 of them
}
direct Codoso
Codoso_PlugX_3
Detects Codoso APT PlugX Malware
author Florian Roth (Nextron Systems) license see source repo
rule Codoso_PlugX_3 {
	// Codoso PlugX dropper: a PE ("MZ") header, under 1200KB, and all four
	// strings. $s4 and the $s1 error text point to a WinRAR self-extracting
	// stub carrying the payload (presumably $s2/$s3 — verify against the
	// sample).
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		// 64-hex-digit digest (SHA-256 length) of the source sample.
		hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
		id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2"
	strings:
		// Two adjacent messages run together ("...folder %s" + "DCRC failed...");
		// matched as one UTF-16 string exactly as extracted — keep as is.
		$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
		$s2 = "mcs.exe" fullword ascii
		$s3 = "McAltLib.dll" fullword ascii
		$s4 = "WinRAR self-extracting archive" fullword wide
	condition:
		// 0x5a4d is "MZ" little-endian; every string must be present.
		uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
direct Codoso
Codoso_PlugX_2
Detects Codoso APT PlugX Malware
author Florian Roth (Nextron Systems) license see source repo
rule Codoso_PlugX_2 {
	// Codoso PlugX component referencing an "HID" drop directory, hid.dll and
	// SOUNDMAN.exe. Two tiers: a PE ("MZ") header under 400KB with three of
	// the five UTF-16 strings, or all five strings with no header/size gate.
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		// 64-hex-digit digest (SHA-256 length) of the source sample.
		hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
		id = "0402a0ff-5664-52db-a739-51c5181853f8"
	strings:
		// Drop path under %TEMP% and the file names written there.
		$s1 = "%TEMP%\\HID" fullword wide
		$s2 = "%s\\hid.dll" fullword wide
		$s3 = "%s\\SOUNDMAN.exe" fullword wide
		// Command-line template: quoted SOUNDMAN.exe path plus two numeric args.
		$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
		$s5 = "%s\\HID.dllx" fullword wide
	condition:
		// 0x5a4d is "MZ" little-endian.
		( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
direct Codoso
Codoso_PlugX_1
Detects Codoso APT PlugX Malware
author Florian Roth (Nextron Systems) license see source repo
rule Codoso_PlugX_1 {
	// Codoso PlugX carrier: a PE ("MZ") header, under 800KB, and all three
	// strings. Note the overlap with rule PlugX_NvSmartMax_Gen, which also
	// keys on "NvSmartMax.dll"; both may fire on the same sample.
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		// super_rule = 1 is typically the generator's marker for a rule derived
		// from several samples at once (the three hashes below).
		super_rule = 1
		// 64-hex-digit digests (SHA-256 length).
		hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
		hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
		hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
		id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff"
	strings:
		// $s1/$s3 look like dialog-resource names; on their own they are
		// generic, which is why all three strings are required.
		$s1 = "GETPASSWORD1" fullword ascii
		$s2 = "NvSmartMax.dll" fullword ascii
		$s3 = "LICENSEDLG" fullword ascii
	condition:
		// 0x5a4d is "MZ" little-endian.
		uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
direct PLUGX
PLUGX_RedLeaves
Detects specific RedLeaves and PlugX binaries
author US-CERT Code Analysis Team license see source repo
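rule PLUGX_RedLeaves {
    // Matches specific RedLeaves and PlugX binaries (US-CERT TA17-117A) via
    // decode-loop opcodes, embedded data blobs, PDB/source-path artefacts and
    // a mutex name. There is no MZ-header or filesize gate, and the text
    // strings carry no modifiers, so they match ASCII only (not UTF-16).
    // Only change from the published rule: parentheses in the condition
    // making the existing operator precedence explicit.
    meta:
        author = "US-CERT Code Analysis Team"
        // NOTE(review): `date` is declared twice, in DD.MM.YYYY and ISO 8601
        // form. YARA compiles duplicate meta keys, but tooling that reads
        // meta as a map will keep only one of them. Both kept as published.
        date = "03.04.2017"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        incident = "10118538"
        date = "2017-04-03"
        MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
        MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
        MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
        MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
        // NOTE(review): MD5_5 is 40 hex digits — SHA-1 length, not MD5 (32).
        // The label is probably wrong; the value is kept as published.
        MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
        description = "Detects specific RedLeaves and PlugX binaries"
        id = "ede8ad8f-31cf-5314-9777-bddd60e499f2"
    strings:
        // Reads as two back-to-back single-byte XOR loops (keys 0x57 and
        // 0x24) over 0x1D02F bytes — a decode stub.
        $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
        // PDB path left in the binary.
        $s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"
        // Source-path fragments; required together (see condition).
        $s2 = "d:\\work\\plug4.0(shellcode)"
        $s3 = "\\shellcode\\shellcode\\XSetting.h"
        // $s4 and $s8 appear to be raw data blobs rather than code.
        $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
        // Byte-arithmetic decode loop followed by six pushes (call set-up).
        $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
        // jmp/pop/call sequence that recovers its own address, then a
        // standard frame prologue — typical position-independent entry.
        $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
        // XOR loop storing to absolute addresses 0x1000AA18 / 0x1000AA14,
        // so this fragment is tied to the sample's image base.
        $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
        $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
        $s9 = "RedLeavesCMDSimulatorMutex"
    condition:
        // `and` binds tighter than `or` in YARA, so $s2 and $s3 were already
        // grouped in the published rule; the parentheses only make that
        // explicit. Whether the pairing was intended is not documented —
        // confirm against the TA17-117A publication before changing it.
        $s0 or $s1 or ($s2 and $s3) or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}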
direct PlugX
PlugX_J16_Gen
Detects PlugX Malware samples from June 2016
author Florian Roth (Nextron Systems) license see source repo
rule PlugX_J16_Gen {
	// PlugX samples from June 2016. Two tiers: a PE ("MZ") header under
	// 600KB with one high-confidence $x* string or four supporting $s*
	// strings; or, with no header/size gate, any eight strings overall.
	meta:
		description = "Detects PlugX Malware samples from June 2016"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "VT Research"
		date = "2016-06-08"
		id = "13ef1e80-7090-5a1e-bca7-8d3de0dc2247"
	strings:
		// $x*: strings specific enough that one suffices — a services.exe
		// path, a RUN_AS_USER named pipe, an exported/symbol name and a
		// proxy configuration format string.
		$x1 = "%WINDIR%\\SYSTEM32\\SERVICES.EXE" fullword wide
		$x2 = "\\\\.\\PIPE\\RUN_AS_USER(%d)" fullword wide
		$x3 = "LdrLoadShellcode" fullword ascii
		$x4 = "Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]" fullword ascii

		// $s*: supporting strings (registry paths, sysprep/CRYPTBASE.DLL and
		// msiexec "UAC" references, pipe names, a register-dump format, a
		// User-Agent fragment). Individually generic, hence the 4-of threshold.
		$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform" fullword wide
		$s2 = "%s\\msiexec.exe %d %d" fullword wide
		// Note the leading "l" — kept as published; verify against a sample
		// before editing.
		$s3 = "l%s\\sysprep\\CRYPTBASE.DLL" fullword wide
		$s4 = "%s\\msiexec.exe UAC" fullword wide
		$s5 = "CRYPTBASE.DLL" fullword wide
		$s6 = "%ALLUSERSPROFILE%\\SxS" fullword wide
		$s7 = "%s\\sysprep\\sysprep.exe" fullword wide
		$s8 = "\\\\.\\pipe\\a%d" fullword wide
		$s9 = "\\\\.\\pipe\\b%d" fullword wide
		$s10 = "EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p" fullword ascii
		$s11 = "Mozilla/4.0 (compatible; MSIE " fullword wide
		$s12 = "; Windows NT %d.%d" fullword wide
		$s13 = "SOFTWARE\\Microsoft\\Internet Explorer\\Version Vector" fullword wide
		// Not fullword: matches as a substring.
		$s14 = "\\bug.log" wide
	condition:
		// 0x5a4d is "MZ" little-endian. The `8 of them` branch is ungated.
		( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 4 of ($s*) ) ) or ( 8 of them )
}
direct PlugX
PlugX_J16_Gen2
Detects PlugX Malware Samples from June 2016
author Florian Roth (Nextron Systems) license see source repo
rule PlugX_J16_Gen2 {
	// PlugX samples from June 2016, keyed on source file names ("XPlug*.cpp",
	// "XInstall*.cpp") and a debug format string left in the binary. Two
	// tiers: a PE ("MZ") header under 600KB with two strings, or any five
	// strings with no header/size gate.
	meta:
		description = "Detects PlugX Malware Samples from June 2016"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "VT Research"
		date = "2016-06-08"
		id = "28e9cbb9-cd60-555d-b033-4e2bf293adf2"
	strings:
		// Identifier gaps ($s3, $s6, $s7, $s9, $s10) are harmless; `of ($s*)`
		// and `of them` count only the strings declared here.
		$s1 = "XPlugKeyLogger.cpp" fullword ascii
		$s2 = "XPlugProcess.cpp" fullword ascii
		$s4 = "XPlgLoader.cpp" fullword ascii
		$s5 = "XPlugPortMap.cpp" fullword ascii
		$s8 = "XPlugShell.cpp" fullword ascii
		$s11 = "file: %s, line: %d, error: [%d]%s" fullword ascii
		$s12 = "XInstall.cpp" fullword ascii
		$s13 = "XPlugTelnet.cpp" fullword ascii
		$s14 = "XInstallUAC.cpp" fullword ascii
	condition:
		// 0x5a4d is "MZ" little-endian. The `5 of them` branch is ungated.
		( uint16(0) == 0x5a4d and filesize < 600KB and ( 2 of ($s*) ) ) or ( 5 of them )
}
direct Korplug
Korplug_FAST
Rule to detect Korplug/PlugX FAST variant
author Florian Roth (Nextron Systems) license see source repo
rule Korplug_FAST {
    // Korplug/PlugX "FAST" variant: a PE ("MZ") header under 500KB plus a
    // tiered string match — the full rundll32 command line alone, or the
    // "ShadowPlay" export name with one supporting string, or four
    // supporting strings.
    meta:
        description = "Rule to detect Korplug/PlugX FAST variant"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
        date = "2015-08-20"
        // 64-hex-digit digest (SHA-256 length) of the source sample.
        hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
        id = "85c6c460-2902-5bfa-be58-a2b62e3b882e"
    strings:
        // Complete rundll32 command-line template naming the export.
        $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" fullword ascii

        // Export name on its own; generic enough to need corroboration.
        $a1 = "ShadowPlay" fullword ascii

        // Supporting strings: the rundll32 template prefix, the nvdisps.dll
        // side-by-side file names and a data file. $s4 is not fullword, so it
        // matches as a substring of longer paths.
        $s1 = "%s\\rundll32.exe \"%s\"," fullword ascii
        $s2 = "nvdisps.dll" fullword ascii
        $s3 = "%snvdisps.dll" fullword ascii
        $s4 = "\\winhlp32.exe" ascii
        $s5 = "nvdisps_user.dat" fullword ascii
        $s6 = "%snvdisps_user.dat" fullword ascii
    condition:
        // 0x5a4d is "MZ" little-endian.
        uint16(0) == 0x5a4d and filesize < 500KB and 
        (
            $x1 or
            ($a1 and 1 of ($s*)) or 
            4 of ($s*)
        )
}