
YARA rules for Gazer

3 rules, scoped to Gazer. These are the YARA rules whose family, name, or description matches this tool or its tooling; use them for byte-pattern hunts over files and memory images.

Gazer_certificate_subject
Detects Turla's Gazer malware
Author: ESET · License: see source repo
// The pe module must be imported for pe.number_of_signatures and pe.signatures[] to resolve.
import "pe"

rule Gazer_certificate_subject {
   meta:
      description = "Detects Tura's Gazer malware"
      author = "ESET"
      reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
      date = "30.08.2017"
      id = "4eace653-003e-5cae-9db8-f26502f35fc4"
   condition:
      for any i in (0..pe.number_of_signatures - 1):
         (
            pe.signatures[i].subject contains "Solid Loop" or
            pe.signatures[i].subject contains "Ultimate Computer Support"
         )
}
Gazer_certificate
Detects Turla's Gazer malware
Author: ESET · License: see source repo
rule Gazer_certificate {
   meta:
      description = "Detects Tura's Gazer malware"
      author = "ESET"
      reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
      date = "30.08.2017"
      id = "4eace653-003e-5cae-9db8-f26502f35fc4"
   strings:
      $certif1 = { 52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02 }
      $certif2 = { 12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c }
   condition:
      uint16(0) == 0x5a4d and 1 of them and filesize < 2MB
}
Gazer_logfile_name
Detects Turla's Gazer malware
Author: ESET · License: see source repo
rule Gazer_logfile_name {
   meta:
      description = "Detects Tura's Gazer malware"
      author = "ESET"
      reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
      date = "30.08.2017"
      id = "c10d440f-dc9e-54c8-b329-9f22cba05e86"
   strings:
      $s1 = "CVRG72B5.tmp.cvr"
      $s2 = "CVRG1A6B.tmp.cvr"
      $s3 = "CVRG38D9.tmp.cvr"
   condition:
      uint16(0) == 0x5a4d and 1 of them
}
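Added example (not ESET's code and not part of this page's rule set): a pure-Python re-statement of the three rules' conditions, run against constructed byte samples so the `uint16(0) == 0x5a4d` header check, the `1 of them` string test and the `filesize < 2MB` cap can be seen in isolation. It is not a YARA engine; for real hunts compile the rules above with yara or yara-python. The `fake_pe` helper, the sample names and the signer-subject list handed to `match_gazer_certificate_subject` are assumptions for illustration; the pe module's Authenticode parsing is not reproduced.

```python
"""Pure-Python re-statement of the three ESET Gazer rules' conditions.

Added example, not ESET's code and not a YARA engine: it only mirrors the
conditions shown on the page so their logic can be exercised on constructed
samples. Compile the real rules with yara for actual hunting.
"""
import struct

MZ_MAGIC = 0x5A4D            # bytes "MZ" read as a little-endian uint16
TWO_MB = 2 * 1024 * 1024     # YARA's "2MB" is 2 * 1024 * 1024 bytes

# Strings from Gazer_logfile_name ($s1..$s3)
LOGFILE_NAMES = [b"CVRG72B5.tmp.cvr", b"CVRG1A6B.tmp.cvr", b"CVRG38D9.tmp.cvr"]
# Hex byte patterns from Gazer_certificate ($certif1, $certif2)
CERT_PATTERNS = [
    bytes.fromhex("5276a453cd709c18da65157e5f1fde02"),
    bytes.fromhex("1290f241d9b280af77fcda12c6b4969c"),
]
# Signer-subject substrings from Gazer_certificate_subject
CERT_SUBJECTS = ["Solid Loop", "Ultimate Computer Support"]


def has_mz_header(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: first two bytes are 'M','Z'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC


def match_gazer_logfile_name(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and 1 of them  (this rule has no filesize cap)."""
    return has_mz_header(data) and any(s in data for s in LOGFILE_NAMES)


def match_gazer_certificate(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and 1 of them and filesize < 2MB."""
    return (has_mz_header(data)
            and any(p in data for p in CERT_PATTERNS)
            and len(data) < TWO_MB)


def match_gazer_certificate_subject(signer_subjects) -> bool:
    """for any i: pe.signatures[i].subject contains ...

    Operates on subject strings already pulled out of the Authenticode
    signature; YARA's pe module does that parsing, which is not reproduced
    here (the caller is assumed to supply the subjects)."""
    return any(needle in subj for subj in signer_subjects for needle in CERT_SUBJECTS)


def evaluate_file_rules(data: bytes) -> list:
    """Names of the two byte-level rules that fire on data, in page order."""
    hits = []
    if match_gazer_certificate(data):
        hits.append("Gazer_certificate")
    if match_gazer_logfile_name(data):
        hits.append("Gazer_logfile_name")
    return hits


# Constructed samples (not real Gazer binaries): a minimal MZ stub carrying
# a payload, padded to a chosen size, plus a plain-text file for contrast.
def fake_pe(payload: bytes, total_size: int = 4096) -> bytes:
    body = b"MZ" + b"\x00" * 62 + payload
    return body + b"\x00" * max(0, total_size - len(body))


SAMPLE_PE_WITH_LOGNAME = fake_pe(LOGFILE_NAMES[0] + b"\x00")
SAMPLE_TEXT_WITH_LOGNAME = b"dropped file " + LOGFILE_NAMES[0] + b"\n"   # no MZ header
SAMPLE_PE_WITH_CERT = fake_pe(CERT_PATTERNS[1])
SAMPLE_PE_WITH_CERT_LARGE = fake_pe(CERT_PATTERNS[1], total_size=TWO_MB)  # exactly 2 MiB

if __name__ == "__main__":
    samples = [
        ("pe_with_logname", SAMPLE_PE_WITH_LOGNAME),
        ("text_with_logname", SAMPLE_TEXT_WITH_LOGNAME),
        ("pe_with_cert", SAMPLE_PE_WITH_CERT),
        ("pe_with_cert_2mib", SAMPLE_PE_WITH_CERT_LARGE),
    ]
    for name, sample in samples:
        print(f"{name:20s} {len(sample):8d} bytes -> {evaluate_file_rules(sample)}")
    print("subject hunt ->", match_gazer_certificate_subject(["CN=Solid Loop Ltd"]))
```

Running the module shows two things worth keeping in mind when triaging hits: the text file that carries a Gazer log-file name never fires, because every rule gates on the MZ header, so a dropped `.cvr` artefact on disk must be hunted by filename rather than by these rules; and the certificate rule drops out on the 2 MiB sample while the log-file rule has no size cap, so a large repacked sample can still match on the log-file names alone.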
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin