YARA rules for BoomBox
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule APT_APT29_NOBELIUM_BoomBox_May21_1 {
    // Two gates, both required: a carrier gate (PE image by MZ header, or the
    // Base64-decode idiom of the PowerShell stage) and a content gate (one of
    // the opaque fixed tokens $x*, or three of the supporting strings $s*).
    meta:
        description = "Detects BoomBox malware as described in APT29 NOBELIUM report"
        author = "Florian Roth"
        reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
        date = "2021-05-27"
        modified = "2025-03-20"
        score = 85
        hash = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
        id = "1a14dcf7-81be-5a74-a530-caf6268d1976"
    strings:
        // PowerShell tool - e1765eafb68fc6034575f126b014fcad6bb043c2961823b7cef5f711e9e01d1c
        $a1  = "]::FromBase64String($" ascii wide   // .NET Base64 decode call as seen in the script stage

        // opaque fixed tokens; each one is treated as sufficient evidence on its own
        $xa1 = "123do3y4r378o5t34onf7t3o573tfo73" ascii wide fullword
        $xa2 = "1233t04p7jn3n4rg" ascii wide fullword

        // supporting strings: PDB build path, URL paths, staging file, URL template, LDAP filter
        $s1  = "\\Release\\BOOM.pdb" ascii
        $s2  = "/files/upload" ascii
        $s3  = "/tmp/readme.pdf" ascii fullword
        $s4  = "/new/{0}" ascii fullword
        $s5  = "(&(objectClass=user)(objectCategory=person))"   // no modifier: YARA default is ascii
    condition:
        // carrier gate: PE file or Base64-decoding script
        ( uint16(0) == 0x5a4d or 1 of ($a*) )
        and
        // content gate: one strong token, or three supporting strings
        ( 1 of ($x*) or 3 of ($s*) )
}
rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
    // Flags a file that carries a PDF header and trailer but contains no PDF
    // object structure and has a near-random body - i.e. it advertises itself
    // as a PDF without being one.
    // NOTE: the condition calls math.entropy(), so the containing rule file must
    // declare `import "math"` at file scope; that line is outside this excerpt.
    meta:
        description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
        date = "2021-05-27"
        score = 70
        id = "bdfb9600-edda-5c8c-ab23-14fb71c8e647"
    strings:
        $ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 }   /* "%PDF-1.3\n%" header, 10 bytes */
        $af1 = { 0a 25 25 45 4f 46 0a }            /* "\n%%EOF\n" trailer, 7 bytes */

        // markers of real PDF object structure; any hit is treated as a false positive
        $fp1 = "endobj" ascii
        $fp2 = "endstream" ascii
        $fp3 = { 20 6F 62 6A 0A }                  /* " obj\n" */
    condition:
        $ah1 at 0                              // header must open the file
        and $af1 at (filesize - 7)             // 7-byte trailer must end exactly at EOF
        and filesize < 100KB
        and not 1 of ($fp*)                    // no object/stream markers anywhere
        and math.entropy(16, filesize) > 7     // body after the header is close to random (max 8)
}
rule APT_APT29_NOBELIUM_BoomBox_May21_2 {
    // Matches the BoomBox component by its NativeCacheSvc.dll path strings, a
    // Dropbox API host string, rundll32/CertPKIProvider artefacts and three
    // opcode fragments.
    meta:
        description = "Detects BoomBox malware used by APT29 / NOBELIUM"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
        date = "2021-05-29"
        hash1 = "0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec"
        hash2 = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
        hash3 = "cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c"
        id = "a4144c00-48b2-5520-b773-5d0a5de95fb1"
    strings:
        // NativeCacheSvc.dll path strings
        $x1  = "\\Microsoft\\NativeCache\\NativeCacheSvc.dll" wide
        $x2  = "\\NativeCacheSvc.dll _configNativeCache" wide

        // Dropbox API host
        $a1  = "/content.dropboxapi.com" wide fullword

        // supporting strings: rundll32 format string, DLL name, staging path, regex fragment
        $s1  = "rundll32.exe {0} {1}" wide fullword
        $s2  = "\\\\CertPKIProvider.dll" wide
        $s3  = "/tmp/readme.pdf" wide
        $s4  = "temp/[^\"]*)\"" wide fullword

        // opcode fragments
        $op1 = { 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 01 2f 4f 00 72 00 }
        $op2 = { 25 72 98 01 00 70 6f 34 00 00 0a 25 6f 35 00 00 0a 72 71 02 00 70 72 }
        $op3 = { 4d 05 20 00 12 80 91 04 20 01 08 0e 04 20 00 12 }
    condition:
        // YARA binds 'and' tighter than 'or', so the original flat expression
        // groups as written below: a small PE with three matches, OR any file
        // (no MZ / size gate) with four matches. Parentheses only make that explicit.
        (
            uint16(0) == 0x5a4d
            and filesize < 40KB
            and 3 of them
        )
        or 4 of them
}