
YARA rules for VPNFilter

3 rules, scoped to this tool.
YARA rules whose family, name, or description matches VPNFilter or its tooling. Use them for binary-pattern hunts over extracted firmware images and file systems. All three rules gate on the ELF magic (uint16(0) == 0x457f) and a file-size cap, so they only fire on ELF executables; strings in rules 1 and 2 must all be present, while rule 3 fires on any one of its high-confidence $sx strings or two of the weaker $s or $a strings.

MAL_ELF_VPNFilter_1 (direct · ELF)
Detects VPNFilter malware
Author: Florian Roth (Nextron Systems). License: see source repo (Detection Rule License 1.1, linked in the rule's meta block).
rule MAL_ELF_VPNFilter_1 {
   meta:
      description = "Detects VPNFilter malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-05-24"
      hash1 = "f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344"
      id = "dc50cb37-a6e7-5eb5-9581-31d7fd005e47"
   strings:
      $s1 = "Login=" fullword ascii
      $s2 = "Password=" fullword ascii
      $s3 = "%s/rep_%u.bin" fullword ascii
      $s4 = "%s:%uh->%s:%hu" fullword ascii
      $s5 = "Password required" fullword ascii /* Goodware String - occurred 1 times */
      $s6 = "password=" fullword ascii /* Goodware String - occurred 2 times */
      $s7 = "Authorization: Basic" fullword ascii /* Goodware String - occurred 2 times */
      $s8 = "/tmUnblock.cgi" fullword ascii
   condition:
      uint16(0) == 0x457f and filesize < 100KB and all of them
}
MAL_ELF_VPNFilter_2 (direct · ELF)
Detects VPNFilter malware
Author: Florian Roth (Nextron Systems). License: see source repo (Detection Rule License 1.1, linked in the rule's meta block).
rule MAL_ELF_VPNFilter_2 {
   meta:
      description = "Detects VPNFilter malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-05-24"
      hash1 = "50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec"
      id = "95356303-e8ba-585d-b2fc-af9e10b0b93f"
   strings:
      $s1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)" fullword ascii
      $s2 = "passwordPASSWORDpassword" fullword ascii
      $s3 = "/tmp/client.key" fullword ascii
   condition:
      uint16(0) == 0x457f and filesize < 1000KB and all of them
}
MAL_ELF_VPNFilter_3 (direct · ELF)
Detects VPNFilter malware
Author: Florian Roth (Nextron Systems). License: see source repo (Detection Rule License 1.1, linked in the rule's meta block).
rule MAL_ELF_VPNFilter_3 {
   meta:
      description = "Detects VPNFilter malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-05-24"
      hash1 = "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92"
      hash2 = "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17"
      hash3 = "37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4"
      hash4 = "0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b"
      hash5 = "4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b"
      hash6 = "8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1"
      hash7 = "776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d"
      id = "020603bf-fbce-5de1-82b9-5a2dfacfada3"
   strings:
      $sx1 = "User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)" fullword ascii
      $sx2 = "Execute by shell[%d]:" fullword ascii
      $sx3 = "CONFIG.TOR.name:" fullword ascii

      $s1 = "Executing command:  %s %s..." fullword ascii
      $s2 = "/proc/%d/cmdline" fullword ascii

      $a1 = "Mozilla/5.0 Firefox/50.0" fullword ascii
      $a2 = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii
      $a3 = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii
   condition:
      uint16(0) == 0x457f and filesize < 1000KB and ( 1 of ($sx*) or 2 of ($s*) or 2 of ($a*) )
}
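The three rules above rely on four YARA constructs whose semantics are easy to misread: `uint16(0) == 0x457f` is a little-endian read (bytes 7F 45, i.e. the start of `\x7fELF`), `filesize < 100KB` uses 1024-byte units, `fullword` forbids alphanumeric bytes on either side of the match, and `2 of ($s*)` is a prefix wildcard, so in rule 3 it also counts `$sx1`..`$sx3`. The following Python is an added illustration, not code from the signature-base repository or from this page: it transcribes the three rules' strings and conditions into a small evaluator and runs it over constructed byte strings (fake ELF headers plus the rule strings, not real VPNFilter samples) to show which rule fires and why.

```python
import re
import struct

# Added illustration, not part of the signature-base repo or this page's rules:
# a minimal evaluator for the three VPNFilter rules' conditions. All inputs
# below are constructed byte strings, not real malware samples.


def uint16_le(data: bytes, offset: int) -> int:
    """YARA's uint16(offset): little-endian, so 0x457f means bytes 7F 45 ('\\x7fE')."""
    if offset + 2 > len(data):
        return -1  # out-of-range read: YARA treats the comparison as false
    return struct.unpack_from("<H", data, offset)[0]


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA `fullword ascii`: the match may not be bordered by alphanumeric bytes."""
    pat = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pat, data) is not None


def n_of(matched: set, prefix: str, n: int) -> bool:
    """`n of ($prefix*)`. The wildcard is a prefix match: `$s*` also counts $sx1..$sx3."""
    return sum(1 for ident in matched if ident.startswith(prefix)) >= n


# String sets, size caps (YARA KB = 1024 bytes) and conditions transcribed from the rules.
RULES = {
    "MAL_ELF_VPNFilter_1": {
        "strings": {
            "$s1": b"Login=", "$s2": b"Password=", "$s3": b"%s/rep_%u.bin",
            "$s4": b"%s:%uh->%s:%hu", "$s5": b"Password required", "$s6": b"password=",
            "$s7": b"Authorization: Basic", "$s8": b"/tmUnblock.cgi",
        },
        "max_size": 100 * 1024,
        "condition": lambda m, ids: m == set(ids),  # all of them
    },
    "MAL_ELF_VPNFilter_2": {
        "strings": {
            "$s1": b"User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)",
            "$s2": b"passwordPASSWORDpassword",
            "$s3": b"/tmp/client.key",
        },
        "max_size": 1000 * 1024,
        "condition": lambda m, ids: m == set(ids),  # all of them
    },
    "MAL_ELF_VPNFilter_3": {
        "strings": {
            "$sx1": b"User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)",
            "$sx2": b"Execute by shell[%d]:",
            "$sx3": b"CONFIG.TOR.name:",
            "$s1": b"Executing command:  %s %s...",
            "$s2": b"/proc/%d/cmdline",
            "$a1": b"Mozilla/5.0 Firefox/50.0",
            "$a2": b"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0",
            "$a3": b"Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
        },
        "max_size": 1000 * 1024,
        # 1 of ($sx*) or 2 of ($s*) or 2 of ($a*)
        "condition": lambda m, ids: n_of(m, "$sx", 1) or n_of(m, "$s", 2) or n_of(m, "$a", 2),
    },
}


def matching_rules(data: bytes) -> list:
    """Return the names of the rules whose condition holds for `data`."""
    hits = []
    if uint16_le(data, 0) != 0x457F:  # not ELF: every rule's condition is false
        return hits
    for name, rule in RULES.items():
        if len(data) >= rule["max_size"]:
            continue
        matched = {ident for ident, s in rule["strings"].items() if fullword_match(data, s)}
        if rule["condition"](matched, rule["strings"].keys()):
            hits.append(name)
    return hits


def fake_elf(*strings: bytes) -> bytes:
    """Constructed stand-in for an ELF binary: magic, padding, then NUL-separated strings."""
    return b"\x7fELF" + b"\x00" * 60 + b"\x00".join(strings) + b"\x00"


RULE1_STRINGS = list(RULES["MAL_ELF_VPNFilter_1"]["strings"].values())
SAMPLE_RULE1 = fake_elf(*RULE1_STRINGS)                       # every rule-1 string, NUL-bordered
SAMPLE_RULE3 = fake_elf(b"Execute by shell[%d]:")             # one $sx string is enough for rule 3
SAMPLE_NOT_ELF = b"MZ" + SAMPLE_RULE1[2:]                     # same strings, non-ELF header
SAMPLE_NOT_FULLWORD = fake_elf(b"UserLogin=admin", *RULE1_STRINGS[1:])  # "Login=" bordered by letters

if __name__ == "__main__":
    for label, blob in [("all rule-1 strings", SAMPLE_RULE1), ("one $sx string", SAMPLE_RULE3),
                        ("non-ELF header", SAMPLE_NOT_ELF), ("Login= not fullword", SAMPLE_NOT_FULLWORD)]:
        print(f"{label:22s} -> {matching_rules(blob)}")
```

The evaluator is for understanding the conditions, not for hunting: scan real file systems with the yara CLI (for example `yara -r vpnfilter.yar /mnt/firmware`) or yara-python, which also honour the `ascii`/`wide` modifiers and the exact `filesize` semantics. The `UserLogin=admin` sample shows the practical effect of `fullword`: a substring hit inside a longer identifier does not count, which keeps rule 1's short strings like `Login=` from matching benign binaries.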
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin