
YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.

APT_Backdoor_Win_DShell_1
This rule is looking for sections of an integer array which contains the encoded payload along with a selection of Windows functions that are present within a DShell payload
source signature-base author FireEye
// DShell (D-language backdoor) detector #1: a large comma-separated decimal
// array holding the encoded payload, combined with the Win32 import names a
// D/Phobos-built Windows binary carries. See the reference for context.
rule APT_Backdoor_Win_DShell_1
{
    meta:
        description = "This rule is looking for sections of an integer array which contains the encoded payload along with a selection of Windows functions that are present within a DShell payload"
        md5 = "152fc2320790aa16ef9b6126f47c3cca"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
    strings:
        // $e0..$e64: fragments of a comma-separated decimal array (",N,").
        // These are 3-4 byte ASCII strings (no `wide`); atoms this short will
        // also occur in benign text (CSV, JSON, source) and are likely to make
        // YARA emit a "slowing down scanning" warning, so they only carry
        // weight together with the import-name set and the PE/size gates.
        $e0 = ",0,"
        $e1 = ",1,"
        $e2 = ",2,"
        $e3 = ",3,"
        $e4 = ",4,"
        $e5 = ",5,"
        $e6 = ",6,"
        $e7 = ",7,"
        $e8 = ",8,"
        $e9 = ",9,"
        $e10 = ",10,"
        $e11 = ",11,"
        $e12 = ",12,"
        $e13 = ",13,"
        $e14 = ",14,"
        $e15 = ",15,"
        $e16 = ",16,"
        $e17 = ",17,"
        $e18 = ",18,"
        $e19 = ",19,"
        $e20 = ",20,"
        $e21 = ",21,"
        $e22 = ",22,"
        $e23 = ",23,"
        $e24 = ",24,"
        $e25 = ",25,"
        $e26 = ",26,"
        $e27 = ",27,"
        $e28 = ",28,"
        $e29 = ",29,"
        $e30 = ",30,"
        $e31 = ",31,"
        $e32 = ",32,"
        $e33 = ",33,"
        $e34 = ",34,"
        $e35 = ",35,"
        $e36 = ",36,"
        $e37 = ",37,"
        $e38 = ",38,"
        $e39 = ",39,"
        $e40 = ",40,"
        $e41 = ",41,"
        $e42 = ",42,"
        $e43 = ",43,"
        $e44 = ",44,"
        $e45 = ",45,"
        $e46 = ",46,"
        $e47 = ",47,"
        $e48 = ",48,"
        $e49 = ",49,"
        $e50 = ",50,"
        $e51 = ",51,"
        $e52 = ",52,"
        $e53 = ",53,"
        $e54 = ",54,"
        $e55 = ",55,"
        $e56 = ",56,"
        $e57 = ",57,"
        $e58 = ",58,"
        $e59 = ",59,"
        $e60 = ",60,"
        $e61 = ",61,"
        $e62 = ",62,"
        $e63 = ",63,"
        $e64 = ",64,"
        // $s1..$s112: Win32 import names found in the DShell payload (ASCII
        // only, no `wide`). Individually these are ordinary APIs; the rule
        // relies on nearly the whole set being present, not on any one name.
        $s1 = "GetACP"
        $s2 = "GetOEMCP"
        $s3 = "GetCPInfo"
        $s4 = "WriteConsoleA"
        $s5 = "FindFirstFileA"
        $s6 = "FileTimeToDosDateTime"
        $s7 = "FindNextFileA"
        $s8 = "GetStringTypeA"
        $s9 = "GetFileType"
        $s10 = "CreateFileA"
        $s11 = "GlobalAlloc"
        $s12 = "GlobalFree"
        $s13 = "GetTickCount"
        $s14 = "GetProcessHeap"
        $s15 = "UnhandledExceptionFilter"
        $s16 = "ExitProcess"
        $s17 = "GetModuleFileNameA"
        $s18 = "LCMapStringA"
        $s19 = "GetLocalTime"
        $s20 = "CreateThread"
        $s21 = "ExitThread"
        $s22 = "SetConsoleCtrlHandler"
        $s23 = "FreeEnvironmentStringsA"
        $s24 = "GetVersion"
        $s25 = "GetEnvironmentStrings"
        $s26 = "SetHandleCount"
        $s27 = "SetFilePointer"
        $s28 = "DeleteFileA"
        $s29 = "HeapAlloc"
        $s30 = "HeapReAlloc"
        $s31 = "HeapFree"
        $s32 = "GetCommandLineA"
        $s33 = "GetThreadContext"
        $s34 = "SuspendThread"
        $s35 = "FindFirstFileW"
        $s36 = "FindNextFileW"
        $s37 = "FindClose"
        $s38 = "CreateSemaphoreA"
        $s39 = "ReleaseSemaphore"
        $s40 = "ExpandEnvironmentStringsW"
        $s41 = "lstrlenW"
        $s42 = "GetModuleHandleA"
        $s43 = "GetEnvironmentVariableA"
        $s44 = "RtlCaptureContext"
        $s45 = "GlobalMemoryStatus"
        $s46 = "VirtualAlloc"
        $s47 = "Sleep"
        $s48 = "SystemTimeToTzSpecificLocalTime"
        $s49 = "TzSpecificLocalTimeToSystemTime"
        $s50 = "GetTimeZoneInformation"
        $s51 = "TryEnterCriticalSection"
        $s52 = "LoadLibraryA"
        $s53 = "VirtualFree"
        $s54 = "GetExitCodeThread"
        $s55 = "WaitForSingleObject"
        $s56 = "ResumeThread"
        $s57 = "DuplicateHandle"
        $s58 = "GetCurrentProcess"
        $s59 = "GetCurrentThread"
        $s60 = "GetCurrentThreadId"
        $s61 = "InitializeCriticalSection"
        $s62 = "DeleteCriticalSection"
        $s63 = "SwitchToThread"
        $s64 = "LeaveCriticalSection"
        $s65 = "EnterCriticalSection"
        $s66 = "FormatMessageW"
        $s67 = "SetLastError"
        $s68 = "GetEnvironmentVariableW"
        $s69 = "FreeEnvironmentStringsW"
        $s70 = "GetEnvironmentStringsW"
        $s71 = "SetEnvironmentVariableW"
        $s72 = "GetSystemInfo"
        $s73 = "QueryPerformanceFrequency"
        $s74 = "QueryPerformanceCounter"
        $s75 = "CreateProcessW"
        $s76 = "GetStdHandle"
        $s77 = "GetHandleInformation"
        $s78 = "SetHandleInformation"
        $s79 = "WriteFile"
        $s80 = "GetConsoleOutputCP"
        $s81 = "FreeLibrary"
        $s82 = "GetConsoleScreenBufferInfo"
        $s83 = "MultiByteToWideChar"
        $s84 = "RaiseException"
        $s85 = "RtlUnwind"
        $s86 = "GetCurrentDirectoryW"
        $s87 = "IsDebuggerPresent"
        $s88 = "LocalFree"
        $s89 = "WideCharToMultiByte"
        $s90 = "GetCommandLineW"
        $s91 = "ReadFile"
        $s92 = "GetFileSize"
        $s93 = "CloseHandle"
        $s94 = "CreateFileW"
        $s95 = "LoadLibraryW"
        $s96 = "GetProcAddress"
        $s97 = "GetFileAttributesW"
        $s98 = "GetLastError"
        $s99 = "CommandLineToArgvW"
        $s100 = "MessageBoxA"
        $s101 = "RegEnumValueW"
        $s102 = "RegEnumKeyExW"
        $s103 = "RegDeleteValueW"
        $s104 = "RegFlushKey"
        $s105 = "RegQueryInfoKeyW"
        $s106 = "RegDeleteKeyW"
        $s107 = "RegQueryValueExW"
        $s108 = "RegSetValueExW"
        $s109 = "RegOpenKeyW"
        $s110 = "RegOpenKeyExW"
        $s111 = "RegCreateKeyExW"
        $s112 = "RegCloseKey"
    condition:
        // PE gate: "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset (0x3C).
        // filesize > 500KB has no upper bound, so large builds stay in scope.
        // 105 of ($s*): at least 105 of the 112 import names must be present.
        // $s112 in (3000..4000): "RegCloseKey" must occur at a file offset in
        // the range 3000..4000, i.e. early in the file where the import name
        // table of the known sample sits — presumably pinning that build's
        // layout; confirm against the md5 above before relaxing it.
        // 40 of ($e*): at least 40 of the 65 array fragments.
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize > 500KB and 105 of ($s*) and $s112 in (3000..4000) and 40 of ($e*)
}
APT_Backdoor_Win_DShell_2
This rule looks for strings specific to the D programming language in combination with a selection of Windows functions that are present within a DShell payload
source signature-base author FireEye
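// DShell (D-language backdoor) detector #2: D/Phobos source-path strings left
// in the binary, combined with the full set of Win32 import names, minus two
// exclusion strings that drop a legitimate D tool sharing the same runtime.
rule APT_Backdoor_Win_DShell_2
{
    meta:
        description = "This rule looks for strings specific to the D programming language in combination with a selection of Windows functions that are present within a DShell payload"
        md5 = "e0683f8ee787313cfd2c61cd0995a830"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
    strings:
        // $dlang1..$dlang5: absolute Phobos source paths from a default
        // "C:\D\dmd2" toolchain install. $dlang6..$dlang10 are the suffixes of
        // these same paths, so every hit on $dlang1..5 is also a hit on
        // $dlang6..10: the absolute variants do not widen the rule, they are
        // kept only so matched-string output shows which form was present.
        $dlang1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
        $dlang2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide
        $dlang3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide
        $dlang4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
        $dlang5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
        $dlang6 = "\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
        $dlang7 = "\\..\\..\\src\\phobos\\std\\file.d" ascii wide
        $dlang8 = "\\..\\..\\src\\phobos\\std\\format.d" ascii wide
        $dlang9 = "\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
        $dlang10 = "\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
        // $dlang11: a Phobos runtime conversion error message.
        $dlang11 = "Unexpected '\\n' when converting from type const(char)[] to type int" ascii wide
        // $ign1/$ign2: exclusion strings (ASCII only). The usage text names the
        // rdmd build tool, which presumably ships the same Phobos paths and
        // imports — confirm against a clean rdmd.exe before changing these.
        $ign1 = "--strip-comments"
        $ign2 = "Usage: rdmd [RDMD AND DMD OPTIONS]"
        // $s1..$s105: Win32 import names (ASCII only); every one must be present.
        $s1 = "CloseHandle"
        $s2 = "CommandLineToArgvW"
        $s3 = "CreateFileA"
        $s4 = "CreateSemaphoreA"
        $s5 = "CreateThread"
        $s6 = "DeleteCriticalSection"
        $s7 = "DeleteFileA"
        $s8 = "DuplicateHandle"
        $s9 = "EnterCriticalSection"
        $s10 = "ExitProcess"
        $s11 = "ExitThread"
        $s12 = "ExpandEnvironmentStringsW"
        $s13 = "FileTimeToDosDateTime"
        $s14 = "FindClose"
        $s15 = "FindFirstFileA"
        $s16 = "FindFirstFileW"
        $s17 = "FindNextFileA"
        $s18 = "FindNextFileW"
        $s19 = "FormatMessageW"
        $s20 = "FreeEnvironmentStringsA"
        $s21 = "FreeEnvironmentStringsW"
        $s22 = "FreeLibrary"
        $s23 = "GetACP"
        $s24 = "GetCPInfo"
        $s25 = "GetCommandLineA"
        $s26 = "GetCommandLineW"
        $s27 = "GetConsoleOutputCP"
        $s28 = "GetConsoleScreenBufferInfo"
        $s29 = "GetCurrentProcess"
        $s30 = "GetCurrentThread"
        $s31 = "GetCurrentThreadId"
        $s32 = "GetEnvironmentStrings"
        $s33 = "GetEnvironmentStringsW"
        $s34 = "GetEnvironmentVariableA"
        $s35 = "GetEnvironmentVariableW"
        $s36 = "GetExitCodeThread"
        $s37 = "GetFileAttributesW"
        $s38 = "GetFileType"
        $s39 = "GetLastError"
        $s40 = "GetModuleFileNameA"
        $s41 = "GetModuleHandleA"
        $s42 = "GetOEMCP"
        $s43 = "GetProcAddress"
        $s44 = "GetProcessHeap"
        $s45 = "GetStdHandle"
        $s46 = "GetStringTypeA"
        $s47 = "GetSystemInfo"
        $s48 = "GetThreadContext"
        $s49 = "GetTickCount"
        $s50 = "GetTimeZoneInformation"
        $s51 = "GetVersion"
        $s52 = "GlobalAlloc"
        $s53 = "GlobalFree"
        $s54 = "GlobalMemoryStatus"
        $s55 = "HeapAlloc"
        $s56 = "HeapFree"
        $s57 = "HeapReAlloc"
        $s58 = "InitializeCriticalSection"
        $s59 = "IsDebuggerPresent"
        $s60 = "LCMapStringA"
        $s61 = "LeaveCriticalSection"
        $s62 = "LoadLibraryA"
        $s63 = "LoadLibraryW"
        $s64 = "LocalFree"
        $s65 = "MessageBoxA"
        $s66 = "MultiByteToWideChar"
        $s67 = "QueryPerformanceCounter"
        $s68 = "QueryPerformanceFrequency"
        $s69 = "RaiseException"
        $s70 = "ReadFile"
        $s71 = "RegCloseKey"
        $s72 = "RegCreateKeyExW"
        $s73 = "RegDeleteKeyW"
        $s74 = "RegDeleteValueW"
        $s75 = "RegEnumKeyExW"
        $s76 = "RegEnumValueW"
        $s77 = "RegFlushKey"
        $s78 = "RegOpenKeyExW"
        $s79 = "RegOpenKeyW"
        $s80 = "RegQueryInfoKeyW"
        $s81 = "RegQueryValueExW"
        $s82 = "RegSetValueExW"
        $s83 = "ReleaseSemaphore"
        $s84 = "ResumeThread"
        $s85 = "RtlCaptureContext"
        $s86 = "RtlUnwind"
        $s87 = "SetConsoleCtrlHandler"
        $s88 = "SetEnvironmentVariableW"
        $s89 = "SetFilePointer"
        $s90 = "SetHandleCount"
        $s91 = "SetLastError"
        $s92 = "Sleep"
        $s93 = "SuspendThread"
        $s94 = "SwitchToThread"
        $s95 = "SystemTimeToTzSpecificLocalTime"
        $s96 = "TryEnterCriticalSection"
        $s97 = "TzSpecificLocalTimeToSystemTime"
        $s98 = "UnhandledExceptionFilter"
        $s99 = "VirtualAlloc"
        $s100 = "VirtualFree"
        $s101 = "WaitForSingleObject"
        $s102 = "WideCharToMultiByte"
        $s103 = "WriteConsoleA"
        $s104 = "WriteFile"
        $s105 = "lstrlenW"
    condition:
        // PE gate: "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset (0x3C).
        // filesize > 700KB: the published rule also carried `filesize > 500KB`,
        // which is implied by `> 700KB`; the dead clause has been dropped and
        // the matching set is unchanged.
        // all of ($s*): every one of the 105 import names.
        // 1 of ($dlang*): at least one D toolchain artefact.
        // not $ign1 and not $ign2: skip binaries carrying the rdmd usage text.
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize > 700KB and all of ($s*) and 1 of ($dlang*) and not $ign1 and not $ign2
}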
APT_Backdoor_Win_DShell_3
This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell
source signature-base author FireEye
// DShell (D-language backdoor) detector #3: D/Phobos source-path strings
// combined with the comma-separated decimal array holding the encoded payload.
// Unlike DShell_1 it carries no import-name set, so it is bounded by filesize
// on both sides instead.
rule APT_Backdoor_Win_DShell_3
{
    meta:
        description = "This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell"
        md5 = "cf752e9cd2eccbda5b8e4c29ab5554b6"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "31717164-9876-58f8-af27-d27c81d20fba"
    strings:
        // $dlang1..$dlang5: absolute Phobos source paths from a default
        // "C:\D\dmd2" install; $dlang6..$dlang10 are their suffixes, so the
        // absolute forms never match where the suffix forms do not.
        $dlang1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
        $dlang2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide
        $dlang3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide
        $dlang4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
        $dlang5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
        $dlang6 = "\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
        $dlang7 = "\\..\\..\\src\\phobos\\std\\file.d" ascii wide
        $dlang8 = "\\..\\..\\src\\phobos\\std\\format.d" ascii wide
        $dlang9 = "\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
        $dlang10 = "\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
        // $dlang11: a Phobos runtime conversion error message.
        $dlang11 = "Unexpected '\\n' when converting from type const(char)[] to type int" ascii wide
        // $e0..$e64: fragments of a comma-separated decimal array (",N,").
        // 3-4 byte ASCII atoms; expect a YARA short-string warning and benign
        // hits in CSV/JSON-like data, hence the PE gate, size bounds and the
        // requirement for a D artefact alongside them.
        $e0 = ",0,"
        $e1 = ",1,"
        $e2 = ",2,"
        $e3 = ",3,"
        $e4 = ",4,"
        $e5 = ",5,"
        $e6 = ",6,"
        $e7 = ",7,"
        $e8 = ",8,"
        $e9 = ",9,"
        $e10 = ",10,"
        $e11 = ",11,"
        $e12 = ",12,"
        $e13 = ",13,"
        $e14 = ",14,"
        $e15 = ",15,"
        $e16 = ",16,"
        $e17 = ",17,"
        $e18 = ",18,"
        $e19 = ",19,"
        $e20 = ",20,"
        $e21 = ",21,"
        $e22 = ",22,"
        $e23 = ",23,"
        $e24 = ",24,"
        $e25 = ",25,"
        $e26 = ",26,"
        $e27 = ",27,"
        $e28 = ",28,"
        $e29 = ",29,"
        $e30 = ",30,"
        $e31 = ",31,"
        $e32 = ",32,"
        $e33 = ",33,"
        $e34 = ",34,"
        $e35 = ",35,"
        $e36 = ",36,"
        $e37 = ",37,"
        $e38 = ",38,"
        $e39 = ",39,"
        $e40 = ",40,"
        $e41 = ",41,"
        $e42 = ",42,"
        $e43 = ",43,"
        $e44 = ",44,"
        $e45 = ",45,"
        $e46 = ",46,"
        $e47 = ",47,"
        $e48 = ",48,"
        $e49 = ",49,"
        $e50 = ",50,"
        $e51 = ",51,"
        $e52 = ",52,"
        $e53 = ",53,"
        $e54 = ",54,"
        $e55 = ",55,"
        $e56 = ",56,"
        $e57 = ",57,"
        $e58 = ",58,"
        $e59 = ",59,"
        $e60 = ",60,"
        $e61 = ",61,"
        $e62 = ",62,"
        $e63 = ",63,"
        $e64 = ",64,"
    condition:
        // PE gate: "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset (0x3C).
        // 500KB < filesize < 1500KB: size window of the known builds.
        // 40 of ($e*): at least 40 of the 65 array fragments.
        // 1 of ($dlang*): at least one D toolchain artefact.
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize > 500KB and filesize < 1500KB and 40 of ($e*) and 1 of ($dlang*)
}
APT_Backdoor_Win_GORAT_1
This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload).
source signature-base author FireEye
// GoRat stage0 loader detector: strings from the shellcode loader and the
// stage0.dll it embeds. Deliberately no MZ/PE gate — the loader is shellcode,
// so the only PE-ish artefact expected is the DOS stub text of the embedded DLL.
rule APT_Backdoor_Win_GORAT_1 {
    meta:
        author = "FireEye"
        description = "This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload)."
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        md5 = "66cdaa156e4d372cfa3dea0137850d20"
        id = "5ac84cf1-49fb-533d-b211-b1a92239063b"
    strings:
        // Module and export names of the embedded stage0 DLL
        $s4 = "stage0.dll" ascii wide
        $s1 = "httpComms.dll" ascii wide
        $s5 = "runCommand" ascii wide
        $s6 = "getData" ascii wide
        $s7 = "initialize" ascii wide
        // C2 request artefacts: session cookie and a User-Agent fragment
        $s2 = "Cookie: SID1=%s" ascii wide
        $s8 = "Windows NT %d.%d;" ascii wide
        // Generic: kernel object namespace prefix and the DOS stub message
        $s3 = "Global\\" ascii wide
        $s9 = "!This program cannot be run in DOS mode." ascii wide
    condition:
        // Every string must be present, and the blob must be small (< 50KB).
        all of ($s*) and filesize < 50KB
}
APT_Backdoor_Win_GORAT_2
Verifies that the sample is a Windows PE that is less than 10MB in size and has the Go build ID strings. Then checks for various strings known to be in the Gorat implant including strings used in C2 json, names of methods, and the unique string 'murica' used in C2 comms. A check is done to ensure the string 'rat' appears in the binary over 1000 times as it is the name of the project used by the implant and is present well over 2000 times.
source signature-base author FireEye
// GoRat implant detector #2: Go build markers, JSON struct tags from the C2
// protocol, package/method names, and a frequency check on the project name.
rule APT_Backdoor_Win_GORAT_2
{
    meta:
        description = "Verifies that the sample is a Windows PE that is less than 10MB in size and has the Go build ID strings. Then checks for various strings known to be in the Gorat implant including strings used in C2 json, names of methods, and the unique string 'murica' used in C2 comms. A check is done to ensure the string 'rat' appears in the binary over 1000 times as it is the name of the project used by the implant and is present well over 2000 times."
        md5 = "f59095f0ab15f26a1ead7eed8cdb4902"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "e2c47711-d088-5cb4-8d21-f8199a865a28"
    strings:
        // Go toolchain markers (present in any Go binary)
        $go1 = "go.buildid" ascii wide
        $go2 = "Go build" ascii wide
        // Struct tags of the C2 JSON messages
        $json1 = "json:\"pid\"" ascii wide
        $json2 = "json:\"key\"" ascii wide
        $json3 = "json:\"agent_time\"" ascii wide
        $json4 = "json:\"rid\"" ascii wide
        $json5 = "json:\"ports\"" ascii wide
        $json6 = "json:\"agent_platform\"" ascii wide
        // Project name, used only for the occurrence count below. A 3-byte
        // `ascii wide` string is expensive to scan and will likely draw a YARA
        // short-string warning; it is also a substring of $str3..$str7 and
        // $str11, so every hit on those counts towards #rat as well.
        $rat = "rat" ascii wide
        // Package paths, type names and method names of the implant
        $str1 = "handleCommand" ascii wide
        $str2 = "sendBeacon" ascii wide
        $str3 = "rat.AgentVersion" ascii wide
        $str4 = "rat.Core" ascii wide
        $str5 = "rat/log" ascii wide
        $str6 = "rat/comms" ascii wide
        $str7 = "rat/modules" ascii wide
        $str8 = "murica" ascii wide
        $str9 = "master secret" ascii wide
        $str10 = "TaskID" ascii wide
        $str11 = "rat.New" ascii wide
    condition:
        // PE gate (MZ at 0, PE\0\0 at e_lfanew), filesize < 10MB, every Go
        // marker, every JSON tag and every implant string, and more than 1000
        // occurrences of "rat" (ascii or wide).
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10MB and all of ($go*) and all of ($json*) and all of ($str*) and #rat > 1000
}
APT_Backdoor_Win_GORAT_3
This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta (the rule that appears on this page as APT_Backdoor_Win_GORAT_2 — its condition is identical) with the addition of one check: it also looks for strings that are known to be in the Gorat implant when a certain cleaning script has not been run against it.
source signature-base author FireEye
// GoRat implant detector #3: identical to APT_Backdoor_Win_GORAT_2 plus a
// requirement for at least one "dirty" development artefact string, i.e. a
// build on which the authors' cleaning step was not run. Because of that
// extra requirement this rule can only ever match a subset of GORAT_2's hits.
rule APT_Backdoor_Win_GORAT_3
{
    meta:
        description = "This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta with the addition of one check, to look for strings that are known to be in the Gorat implant when a certain cleaning script is not run against it."
        md5 = "995120b35db9d2f36d7d0ae0bfc9c10d"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "94c195b5-b8e8-56a7-bc11-dbbe2f969b06"
    strings:
        // Development artefacts, case-insensitive. Note $dirty5 ("flare") is a
        // substring of $dirty3 ("RedFlare"), so $dirty3 never decides the
        // `any of ($dirty*)` clause on its own.
        $dirty1 = "fireeye" ascii nocase wide
        $dirty2 = "kulinacs" ascii nocase wide
        $dirty3 = "RedFlare" ascii nocase wide
        $dirty4 = "gorat" ascii nocase wide
        $dirty5 = "flare" ascii nocase wide
        // Go toolchain markers (present in any Go binary)
        $go1 = "go.buildid" ascii wide
        $go2 = "Go build" ascii wide
        // Struct tags of the C2 JSON messages
        $json1 = "json:\"pid\"" ascii wide
        $json2 = "json:\"key\"" ascii wide
        $json3 = "json:\"agent_time\"" ascii wide
        $json4 = "json:\"rid\"" ascii wide
        $json5 = "json:\"ports\"" ascii wide
        $json6 = "json:\"agent_platform\"" ascii wide
        // Project name, counted below; 3-byte `ascii wide` strings are slow
        // to scan and likely to draw a YARA short-string warning.
        $rat = "rat" ascii wide
        // Package paths, type names and method names of the implant
        $str1 = "handleCommand" ascii wide
        $str2 = "sendBeacon" ascii wide
        $str3 = "rat.AgentVersion" ascii wide
        $str4 = "rat.Core" ascii wide
        $str5 = "rat/log" ascii wide
        $str6 = "rat/comms" ascii wide
        $str7 = "rat/modules" ascii wide
        $str8 = "murica" ascii wide
        $str9 = "master secret" ascii wide
        $str10 = "TaskID" ascii wide
        $str11 = "rat.New" ascii wide
    condition:
        // GORAT_2's full condition, then at least one dirty artefact.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10MB and all of ($go*) and all of ($json*) and all of ($str*) and #rat > 1000 and any of ($dirty*)
}
APT_Backdoor_Win_GORAT_4
Verifies that the sample is a Windows PE that is less than 10MB in size and exports numerous functions that are known to be exported by the Gorat implant. This is done in an effort to provide detection for packed samples that may not have other strings but will need to replicate exports to maintain functionality.
source signature-base author FireEye
// GoRat implant detector #4: export-table only, so it survives packing of the
// string data as long as the exports are reproduced. Requires `import "pe"`
// at the top of the rule file (not visible on this page).
rule APT_Backdoor_Win_GORAT_4
{
    meta:
        description = "Verifies that the sample is a Windows PE that is less than 10MB in size and exports numerous functions that are known to be exported by the Gorat implant. This is done in an effort to provide detection for packed samples that may not have other strings but will need to replicate exports to maintain functionality."
        md5 = "f59095f0ab15f26a1ead7eed8cdb4902"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "ae67445c-e7fd-5858-be8b-7ee84a16a031"
    condition:
        // PE gate (MZ at 0, PE\0\0 at e_lfanew), filesize < 10MB, and every
        // listed name present in the export table. The Memory* names look like
        // the public MemoryModule in-memory PE loader API and crosscall2 /
        // crosscall_386 like cgo runtime exports — presumably a cgo-built DLL
        // embedding that loader; confirm against the md5 above. A legitimate
        // DLL embedding the same loader would also need the cgo exports to hit.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10MB and pe.exports("MemoryCallEntryPoint") and pe.exports("MemoryDefaultAlloc") and pe.exports("MemoryDefaultFree") and pe.exports("MemoryDefaultFreeLibrary") and pe.exports("MemoryDefaultGetProcAddress") and pe.exports("MemoryDefaultLoadLibrary") and pe.exports("MemoryFindResource") and pe.exports("MemoryFindResourceEx") and pe.exports("MemoryFreeLibrary") and pe.exports("MemoryGetProcAddress") and pe.exports("MemoryLoadLibrary") and pe.exports("MemoryLoadLibraryEx") and pe.exports("MemoryLoadResource") and pe.exports("MemoryLoadString") and pe.exports("MemoryLoadStringEx") and pe.exports("MemorySizeofResource") and pe.exports("callback") and pe.exports("crosscall2") and pe.exports("crosscall_386")
}
APT_Backdoor_Win_GORAT_5
source signature-base author FireEye
// GoRat implant detector #5: Go type/function symbols from the implant's
// packages plus the source path of its shared DLL entry point. All strings
// are `fullword`, so e.g. "rat.Core" will not hit inside "myrat.Core2".
rule APT_Backdoor_Win_GORAT_5 {
    meta:
        author = "FireEye"
        date = "2020-12-02"
        modified = "2020-12-02"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        md5 = "cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f"
        id = "73102bd2-7b94-5c7b-b9a4-cfc9cf5e3212"
    strings:
        // Source path of the shared-library build
        $8 = "/rat/cmd/gorat_shared/dllmain.go" fullword
        // Core package types
        $3 = "rat.BaseChannel" fullword
        $4 = "rat.Config" fullword
        $5 = "rat.Core" fullword
        // comms / platforms package types and a host-ID helper
        $1 = "comms.BeaconData" fullword
        $2 = "comms.CommandResponse" fullword
        $6 = "platforms.AgentPlatform" fullword
        $7 = "GetHostID" fullword
    condition:
        // PE gate (MZ at 0, PE\0\0 at e_lfanew); no filesize bound. Every
        // symbol must be present.
        uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x00004550 and all of ($*)
}
APT_Backdoor_Win_GoRat_Memory
Identifies GoRat malware in memory based on strings.
source signature-base author FireEye
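// GoRat in-memory detector: Go function symbols from the implant's packages,
// which survive in process memory. Intentionally no MZ/PE or filesize gate,
// since the rule targets memory regions rather than files on disk.
rule APT_Backdoor_Win_GoRat_Memory
{
    meta:
        description = "Identifies GoRat malware in memory based on strings."
        md5 = "3b926b5762e13ceec7ac3a61e85c93bb"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "4fcdd98f-1873-58e1-a9f5-73ee0aa5a69f"
    strings:
        /* $murica = "murica" fullword */
        // Per-module method symbols (socks, core beaconing, comms, file
        // management, lateral listener, network sweeper, dynamic loader,
        // named pipes). All `fullword`.
        $rat1 = "rat/modules/socks.(*HTTPProxyClient).beacon" fullword
        $rat2 = "rat.(*Core).generateBeacon" fullword
        $rat3 = "rat.gJitter" fullword
        $rat4 = "rat/comms.(*protectedChannel).SendCmdResponse" fullword
        $rat5 = "rat/modules/filemgmt.(*acquire).NewCommandExecution" fullword
        $rat6 = "rat/modules/latlisten.(*latlistensrv).handleCmd" fullword
        $rat7 = "rat/modules/netsweeper.(*netsweeperRunner).runSweep" fullword
        $rat8 = "rat/modules/netsweeper.(*Pinger).listen" fullword
        // The published rule also had $rat9 with exactly the same value as
        // $rat1. Under "3 of ($rat*)" one occurrence of the socks beacon symbol
        // then counted twice, so two distinct symbols were enough to match;
        // the duplicate is removed so the threshold means three distinct
        // symbols. Identifiers are kept as-is so existing match output and
        // tooling that references $rat10/$rat11 remain valid.
        $rat10 = "rat/platforms/win/dyloader.(*memoryLoader).ExecutePluginFunction" fullword
        $rat11 = "rat/platforms/win/modules/namedpipe.(*dummy).Open" fullword
        // Windows stage getter — a single hit on this is enough on its own
        $winblows = "rat/platforms/win.(*winblows).GetStage" fullword
    condition:
        $winblows or
        // #murica > 10 or
        3 of ($rat*)
}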
APT_CN_APT27_Compromised_Certficate_Jan22_1
Detects compromised code-signing certificates used by APT27 malware, matched by issuer name and certificate serial number
source signature-base author Florian Roth (Nextron Systems)
// APT27 compromised code-signing certificate: matches any Authenticode
// signature on the PE whose issuer is the given DigiCert CA and whose serial
// equals the listed value. Requires `import "pe"` at the top of the rule file
// (not visible on this page). Only issuer and serial are compared — the
// signature's validity, timestamp and `verified` state are not checked, so a
// revoked or invalid signature with this serial still matches (intended, as
// the certificate is the indicator, not a valid signature).
rule APT_CN_APT27_Compromised_Certficate_Jan22_1 {
   meta:
      description = "Detects compromised certifcates used by APT27 malware"
      author = "Florian Roth (Nextron Systems)"
      date = "2022-01-29"
      score = 80
      reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
      id = "f2f015af-219d-51ab-9529-01687a879ebb"
   condition:
      // NOTE(review): YARA ranges are inclusive, so (0 .. number_of_signatures)
      // visits one index past the last signature. An out-of-range element
      // evaluates as undefined (false) rather than erroring, so this is
      // harmless, but `pe.number_of_signatures - 1` is the exact bound — confirm
      // the behaviour of the empty/negative range on the YARA version in use
      // before changing it.
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].issuer contains "DigiCert SHA2 Assured ID Code Signing CA" and
         pe.signatures[i].serial == "08:68:70:51:50:f1:cf:c1:fc:c3:fc:91:a4:49:49:a6"
   )
}
APT_CN_Group_Loader_Jan20_1
Detects loaders used by Chinese groups
source signature-base author Vitali Kremez
// Loader used by Chinese APT groups: a single 16-byte x86 code sequence.
// No MZ/PE or filesize gate — the opcode pattern alone decides, so expect
// it to fire on memory dumps and non-PE containers holding the same code.
rule APT_CN_Group_Loader_Jan20_1 {
   meta:
      author = "Vitali Kremez"
      description = "Detects loaders used by Chinese groups"
      date = "2020-02-01"
      reference = "https://twitter.com/VK_Intel/status/1223411369367785472?s=20"
      score = 80
      id = "c85ae499-4f76-56ff-877d-887e1a7fc077"
   strings:
      // 8B C3          mov  eax, ebx
      // C1 E3 10       shl  ebx, 10h
      // C1 E8 10       shr  eax, 10h
      // 03 D8          add  ebx, eax
      // 6B DB 77       imul ebx, ebx, 77h
      // 83 C3 13       add  ebx, 13h
      // Presumably a step of a hashing / decoding routine — confirm against
      // the referenced sample.
      $xc1 = { 8B C3 C1 E3 10 C1 E8 10 03 D8 6B DB 77 83 C3 13 }
   condition:
      $xc1
}
APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1
Detects Red Delta samples
source signature-base author Florian Roth (Nextron Systems)
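// RedDelta shellcode loader #1: one high-confidence export/function name
// ($x1), several supporting strings and two opcode fragments.
rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_1 {
   meta:
      description = "Detects Red Delta samples"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
      date = "2020-10-14"
      hash1 = "30b2bbce0ca4cb066721c94a64e2c37b7825dd72fc19c20eb0ab156bea0f8efc"
      hash2 = "42ed73b1d5cc49e09136ec05befabe0860002c97eb94e9bad145e4ea5b8be2e2"
      hash3 = "480a8c883006232361c5812af85de9799b1182f1b52145ccfced4fa21b6daafa"
      hash4 = "7ea7c6406c5a80d3c15511c4d97ec1e45813e9c58431f386710d0486c4898b98"
      id = "47417488-e843-5346-9baa-fcce30b884d1"
   strings:
      // Strong indicator: sufficient on its own
      $x1 = "InjectShellCode" ascii fullword

      // Supporting strings: loader binary name, injection target, download
      // URL fragment, a registry path under AppCompatFlags, lure name, C2 key
      $s1 = "DotNetLoader.exe" wide ascii fullword
      $s2 = "clipboardinject" ascii fullword
      $s3 = "download.php?raw=1" wide
      $s4 = "Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\Levint" wide
      $s5 = "FlashUpdate.exe" wide
      $s6 = "raw_cc_url" ascii fullword

      // Opcode fragments from the loader
      $op1 = { 48 8b 4c 24 78 48 89 01 e9 1a ff ff ff 48 8b 44 }
      $op2 = { ff ff 00 00 77 2a 8b 44 24 38 8b 8c 24 98 }
   condition:
      // MZ at offset 0 and filesize < 200KB, then either the strong string or
      // any three strings. The published rule wrote `... and $x1 or 3 of them`;
      // since `and` binds tighter than `or`, the `3 of them` branch bypassed
      // the MZ and filesize gates. The parentheses make the gates apply to
      // both branches, which is what the surrounding rules do.
      uint16(0) == 0x5a4d and
      filesize < 200KB and
      ( $x1 or 3 of them )
}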
APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2
Detects Red Delta samples
source signature-base author Florian Roth (Nextron Systems)
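// RedDelta shellcode loader #2: CLR loader path and C2 callback format string
// as strong indicators, plus supporting strings and one opcode fragment.
rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2 {
   meta:
      description = "Detects Red Delta samples"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
      date = "2020-10-14"
      hash1 = "260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b"
      hash2 = "9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5"
      hash3 = "b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429"
      id = "acb1024a-64af-51ac-84c8-7fe9a5bd4538"
   strings:
      // Strong indicators: either one is sufficient
      $x1 = "\\CLRLoader.exe" wide fullword
      $x2 = "/callback.php?token=%s&computername=%s&username=%s" ascii fullword

      // Supporting strings: .NET loader class, download URL, debug messages
      $s1 = "DotNetLoader.Program" wide fullword
      $s2 = "/download.php?api=40" ascii fullword
      $s3 = "get %d URLDir" ascii fullword
      $s4 = "Read code failed" ascii fullword
      $s5 = "OpenFile fail!" wide fullword
      $s6 = "Writefile success" wide fullword

      // Opcode fragment from the loader
      $op1 = { 4c 8d 45 e0 49 8b cc 41 8d 51 c3 e8 34 77 02 00 }
   condition:
      // MZ at offset 0 and filesize < 3000KB, then either a strong string or
      // any four strings. The published rule wrote `... and 1 of ($x*) or 4 of
      // them`; `and` binds tighter than `or`, so the `4 of them` branch
      // bypassed the MZ and filesize gates. The parentheses apply the gates
      // to both branches, consistent with the other rules in this set.
      uint16(0) == 0x5a4d and
      filesize < 3000KB and
      ( 1 of ($x*) or 4 of them )
}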
APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_3
Detects Red Delta samples
source signature-base author Florian Roth (Nextron Systems)
// RedDelta shellcode loader #3: build path, scheduled-task DLL names, lure
// executable name and an error format string. Four of the five must hit.
rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_3 {
   meta:
      author = "Florian Roth (Nextron Systems)"
      description = "Detects Red Delta samples"
      date = "2020-10-14"
      modified = "2022-12-21"
      reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
      hash1 = "740992d40b84b10aa9640214a4a490e989ea7b869cea27dbbdef544bb33b1048"
      id = "b52836bb-cdef-5416-a8e1-72d0b2298546"
   strings:
      // Developer build path
      $s4 = "D:\\Project\\FBIRedTeam" ascii fullword
      // Task scheduler DLL and the loader's own DLL name
      $s1 = "Taskschd.dll" ascii fullword
      $s2 = "AddTaskPlanDllVerson.dll" ascii fullword
      // Lure executable name (not fullword: matched as a path suffix)
      $s3 = "\\FlashUpdate.exe" ascii
      // Error reporting format string
      $s5 = "Error %s:%d, ErrorCode: %x" ascii fullword
   condition:
      // MZ at offset 0, filesize < 400KB, and at least four of the strings.
      uint16(0) == 0x5a4d and filesize < 400KB and 4 of ($s*)
}
APT_CN_TwistedPanda_64bit_Loader
Detects the 64bit Loader DLL used by TwistedPanda
source signature-base author Check Point Research
// TwistedPanda 64-bit loader DLL: three x64 code fragments — a path-length
// check, a 0x16F0-byte ReadFile of the shellcode, and a matching 0x16F0-byte
// VirtualAlloc (MEM_COMMIT|MEM_RESERVE). All three must be present.
rule APT_CN_TwistedPanda_64bit_Loader {
   meta:
      author = "Check Point Research"
      description = "Detects the 64bit Loader DLL used by TwistedPanda"
      date = "2022-04-14"      
      reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
      score = 80
      hash1 = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
      
      id = "2172dd33-204b-5a05-ad26-534a0c1d7a17"
   strings:
      // 48 8D ?? ?? ?? ?? ?? ??                 lea     rdx, ds:2[rdx*2]   (ModRM+SIB+disp32 = the [6] jump)
      // 48 8B C1                                mov     rax, rcx
      // 48 81 ?? ?? ?? ?? ??                    cmp     rdx, 1000h
      // 72 ??                                   jb      short loc_7FFDF0BA1B48
      $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
      // 48 8B D0                                mov     rdx, rax        ; lpBuffer
      // 41 B8 F0 16 00 00                       mov     r8d, 16F0h      ; nNumberOfBytesToRead
      // 48 8B CF                                mov     rcx, rdi        ; hFile
      // 48 8B D8                                mov     rbx, rax
      // FF ?? ?? ?? ?? ??                       call    cs:ReadFile     (pattern stops at the FF opcode)
      $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF} 
      // BA F0 16 00 00                          mov     edx, 16F0h      ; dwSize
      // 44 8D 4E 40                             lea     r9d, [rsi+40h]  ; flProtect
      // 33 C9                                   xor     ecx, ecx        ; lpAddress
      // 41 B8 00 30 00 00                       mov     r8d, 3000h      ; flAllocationType
      // FF ?? ?? ?? ?? ??                       call    cs:VirtualAlloc (pattern stops at the FF opcode)
      // The 0x16F0 size is shared with $shellcode_read: the buffer allocated
      // here is the one the shellcode is read into. Register choices (rdi,
      // rbx, rsi+40h) are compiler-specific, so a rebuilt loader may shift
      // them; consider the wildcarded forms if that happens.
     $shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
   condition:
      // MZ signature at offset 0 and ...
      uint16(0) == 0x5A4D and
        
      // ... PE signature at offset stored in MZ header at 0x3C
      uint32(uint32(0x3C)) == 0x00004550 and 
      // filesize < 3000KB and all three fragments present
      filesize < 3000KB  and $path_check and $shellcode_allocate and $shellcode_read
}
APT_CN_TwistedPanda_SPINNER_1
Detects the obfuscated variant of SPINNER payload used by TwistedPanda
source signature-base author Check Point Research
/*
 * Requires a PE under 3000KB in which the config-initialisation sequence occurs
 * more than ten times, at least two of the three 4-byte command constants are
 * present and the XOR decryption sequence is found. The 4-byte $c2_cmd_*
 * patterns are far too short to be meaningful alone; the #config_init count
 * and $decryption are what carry the detection.
 */
rule APT_CN_TwistedPanda_SPINNER_1 {
   meta:
      author = "Check Point Research"
      description = "Detects the obfuscated variant of SPINNER payload used by TwistedPanda"
      date = "2022-04-14"
      reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
      score = 80
      hash1 = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
      
      id = "0b44013d-0caa-5ea2-ab08-e2a6a5732c03"
   strings:
      // C7 ?? ?? ?? 00 00 00                                mov     dword ptr [eax+??], ??
      // C7 ?? ?? ?? 00 00 00                                mov     dword ptr [eax+??], ??
      // C6                                                  mov     byte ptr [eax], 0
      // Two dword stores with a zero high 3 bytes followed by a byte store.
      $config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
      // Command identifiers; only 2 of the 3 need to be present (see condition).
      $c2_cmd_1 = { 01 00 03 10}
      $c2_cmd_2 = { 02 00 01 10}
      $c2_cmd_3 = { 01 00 01 10}
      // 8D 83 ?? ?? ?? ??                                   lea     eax, xor_key[ebx]
      // 80 B3 ?? ?? ?? ?? ??                                xor     xor_key[ebx], 50h
      // 89 F1                                               mov     ecx, esi        ; this
      // 6A 01                                               push    1               ; Size
      // 50                                                  push    eax             ; Src
      // E8 ?? ?? ?? ??                                      call    str_append
      // 80 B3 ?? ?? ?? ?? ??                                xor     xor_key[ebx], 50h
      // Single-byte XOR with 0x50 applied before and after the append call,
      // per the disassembly above; the 0x50 immediate itself is wildcarded.
      $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
 
   condition:
      // MZ signature at offset 0 and ...
      uint16(0) == 0x5A4D and
        
      // ... PE signature at offset stored in MZ header at 0x3C
      uint32(uint32(0x3C)) == 0x00004550 and 
      filesize < 3000KB  and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
}
APT_CN_TwistedPanda_SPINNER_2
Detects an older variant of SPINNER payload used by TwistedPanda
source signature-base author Check Point Research
/*
 * Same structure as APT_CN_TwistedPanda_SPINNER_1 (PE, <3000KB, more than ten
 * $config_init hits, 2 of the command constants, plus $decryption) but with
 * five command constants and a different decryption sequence for the older
 * variant. The 4-byte $c2_cmd_* patterns are not meaningful on their own.
 */
rule APT_CN_TwistedPanda_SPINNER_2 {
   meta:
      author = "Check Point Research"
      description = "Detects an older variant of SPINNER payload used by TwistedPanda"
      date = "2022-04-14"
      reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
      score = 80
      hash1 = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
      
      id = "bbbf3af1-127f-5d32-967f-bdb94311d1d6"
   strings:
      // C7 ?? ?? ?? 00 00 00                                mov     dword ptr [eax+??], ??
      // C7 ?? ?? ?? 00 00 00                                mov     dword ptr [eax+??], ??
      // C6                                                  mov     byte ptr [eax], 0
      // [3] jumps are equivalent to the ?? ?? ?? wildcards used in SPINNER_1.
      $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
      // Command identifiers; only 2 of the 5 need to be present (see condition).
      $c2_cmd_1 = { 01 00 03 10 }
      $c2_cmd_2 = { 02 00 01 10 }
      $c2_cmd_3 = { 01 00 01 10 }
      $c2_cmd_4 = { 01 00 00 10 }
      $c2_cmd_5 = { 02 00 00 10 }
      // 80 B3 ?? ?? ?? ?? ??                    xor     ds:dd_encrypted_url[ebx], 50h
      // 8D BB ?? ?? ?? ??                       lea     edi, dd_encrypted_url[ebx]
      // 8B 56 14                                mov     edx, [esi+14h]
      // 8B C2                                   mov     eax, edx
      // 8B 4E 10                                mov     ecx, [esi+10h]
      // 2B C1                                   sub     eax, ecx
      // 83 F8 01                                cmp     eax, 1
      // XOR of the encrypted URL followed by a length computation, per the
      // disassembly above; the XOR key byte itself is wildcarded.
      $decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
 
   condition:
      // MZ signature at offset 0 and ...
      uint16(0) == 0x5A4D and
        
      // ... PE signature at offset stored in MZ header at 0x3C
      uint32(uint32(0x3C)) == 0x00004550 and 
      filesize < 3000KB  and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
}
APT_CN_TwistedPanda_droppers
Detects droppers used by TwistedPanda
source signature-base author Check Point Research
/*
 * Requires a PE under 3000KB with more than eight occurrences of the
 * switch-dispatch sequence, all four UTF-16 fragments of "%public%" and the
 * byte-manipulation sequence. Each $stack_strings_* pattern is only four bytes
 * and is common in any UTF-16 text, which is why all of them plus the code
 * patterns are required together.
 */
rule APT_CN_TwistedPanda_droppers {
   meta:
      author = "Check Point Research"
      description = "Detects droppers used by TwistedPanda"
      date = "2022-04-14"
      reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
      score = 80
      hash1 = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
      hash2 = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
      hash3 = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
      
      id = "f61c8b97-5870-5837-942f-f1650870960a"
   strings:
     // 81 FA ?? ?? ?? ??                                   cmp     edx, 4BED1896h
     // 75 ??                                               jnz     short loc_140001829
     // E8 ?? ?? ?? ??                                      call    sub_1400019D0
     // 48 89 05 ?? ?? ?? ??                                mov     cs:qword_14001ED38, rax
     // E? ?? ?? ?? ??                                      jmp     loc_1400018DD
     // One case of a compare/call/store/jump dispatch; the 32-bit case constant,
     // the call target and the store address are all wildcarded, so the count
     // (#switch_control) is what matters rather than any single hit.
      $switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
     // 41 0F ?? ??                                         movsx   edx, byte ptr [r9]
     // 44 ?? ??                                            or      r8d, edx
     // 41 ?? ?? 03                                         rol     r8d, 3
     // 41 81 ?? ?? ?? ?? ??                                xor     r8d, 0EF112233h
     // 41 ?? ??                                            mov     eax, r10d
     // Only the REX prefixes, the 0F escape, the rol count (03) and the 81
     // opcode are fixed; the xor constant is wildcarded.
      $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
     // %public%
     // The four fragments below spell "%p", "ub", "li" and "c%" in UTF-16LE,
     // i.e. "%public%" split into stack-sized pieces. The condition requires
     // all four.
     $stack_strings_1 = { 25 00 70 00 }
     $stack_strings_2 = { 75 00 62 00 }
     $stack_strings_3 = { 6C 00 69 00 }
     $stack_strings_4 = { 63 00 25 00 }
   condition:
      // MZ signature at offset 0 and ...
      uint16(0) == 0x5A4D and
        
      // ... PE signature at offset stored in MZ header at 0x3C
      uint32(uint32(0x3C)) == 0x00004550 and 
      filesize < 3000KB  and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
}
APT_CN_TwistedPanda_loader
Detects loader used by TwistedPanda
source signature-base author Check Point Research
/*
 * 32-bit counterpart of APT_CN_TwistedPanda_64bit_Loader. Requires a PE under
 * 3000KB containing all three argument-setup sequences ($seq1..$seq3) and the
 * loose decryption pattern. All patterns are hex-only; no text strings are
 * used.
 */
rule APT_CN_TwistedPanda_loader {
   meta:
      author = "Check Point Research"
      description = "Detects loader used by TwistedPanda"
      date = "2022-04-14"
      reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
      score = 80
      hash1 = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
      hash2 = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
      
      id = "a10f6019-f069-579c-b112-18537a7d8fd8"
   strings:
      
      // 6A 40                                   push    40h ; '@'
      // 68 00 30 00 00                          push    3000h
      // NOTE(review): the 64-bit loader rule annotates 3000h as flAllocationType
      // and a +40h value as flProtect, so this is presumably VirtualAlloc
      // argument setup; the author's comment here does not say.
      $seq1 = { 6A 40 68 00 30 00 00 }
      
      // 6A 00                                   push    0               ; lpOverlapped
      // 50                                      push    eax             ; lpNumberOfBytesRead
      // 6A 14                                   push    14h             ; nNumberOfBytesToRead
      // 8D ?? ?? ?? ?? ??                       lea     eax, [ebp+Buffer]
      // 50                                      push    eax             ; lpBuffer
        // 53                                      push    ebx             ; hFile
      // FF 15 04 D0 4C 70                       call    ds:ReadFile
      // ReadFile of 0x14 (20) bytes; only the FF opcode of the call is matched.
      $seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
      // 6A 00                                   push    0
      // 6A 00                                   push    0
      // 6A 03                                   push    3
      // 6A 00                                   push    0
      // 6A 03                                   push    3
      // 68 00 00 00 80                          push    80000000h
      // NOTE(review): six pushes ending in 80000000h look like the argument
      // setup of a file-open call; not annotated by the author, so unconfirmed.
      $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
            
      // Decryption sequence
      // Deliberately loose: variable-length gaps ([2-3], [4-6]) and nibble
      // wildcards on the register operands, with only the opcode bytes fixed.
      $decryption = { 8B C? [2-3] F6 D? 1A C? [4-6] 30 0? ?? 4? }
 
   condition:
      // MZ signature at offset 0 and ...
      uint16(0) == 0x5A4D and
        
      // ... PE signature at offset stored in MZ header at 0x3C
      uint32(uint32(0x3C)) == 0x00004550 and 
      filesize < 3000KB and all of ($seq*) and $decryption
}
APT_IN_TA397_wmRAT
track wmRAT based on socket usage, odd error handling, and reused strings
source signature-base author Proofpoint
/*
 * Hunting rule (category = "hunting", score 75): an MZ file matches when either
 * two of the three code sequences are found, or ten of the fourteen text
 * strings are. Several of the text strings ("PATH", "%.1f", "Path=") are
 * generic, which is why the string branch needs ten of them.
 */
rule APT_IN_TA397_wmRAT {
    meta:
        author = "Proofpoint"
        description = "track wmRAT based on socket usage, odd error handling, and reused strings"
        date = "2024-11-20"
        category = "hunting"
        malfamily = "wmRAT"
        version = "1.0"
        score = 75
        reference = "https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats"
        // Repeated "hash" keys are permitted in YARA meta; each is one sample.
        hash = "3bf4bbd5564f4381820fb8da5810bd4d9718b5c80a7e8f055961007c6f30da2b"
        hash = "3e9a08972b8ec9c2e64eeb46ce1db92ae3c40bc8de48d278ba4d436fc3c8b3a4"
        hash = "40ddb4463be9d8131f363fd78e21d9de5d838a3ec4044526aea45a473d6ddd61"
        hash = "4836cb7eed0b20da50acb26472f918b180917101c026ce36074e0e879b604308"
        hash = "4e3e4d476810c95c34b6f2aa9c735f8e57e85e3b7a97c709adc5d6ee4a5f6ccc"
        hash = "5ab76cf85ade810b7ae449e3dff8a19a018174ced45d37062c86568d9b7633f9"
        hash = "811741d9df51a9f16272a64ec7eb8ff12f8f26794368b1ff4ad5d30a1f4bb42a"
        hash = "b588a423b826b57dce72c9ab58f89be2ddc710a0367ed0eed001c047d8bef32a"
        hash = "caf871247b7256945598816e9c5461d64b6bdb68a15ff9f8742ca31dc00865f8"
        id = "c5855b30-3e75-570f-b327-498dfc382159"
    strings:
        // push 0x64 / call esi, then a 1-byte operator new and a compare;
        // the call target of operator new is wildcarded.
        $code_sleep_loop = {
            6a 64              // push    0x64
            ff d6              // call    esi
            6a 01              // push    0x1
            e8 ?? ?? ?? ??     // call    operator new
            83 c4 04           // add     esp, 0x4
            3b c7              // cmp     eax, edi

        }
        // Byte-copy loop epilogue that ends by loading 0x8007007a into eax
        // (the "odd error handling" of the description); the jne is wildcarded.
        $code_error_handling = {
            88 19           // mov     byte [ecx], bl
            4a              // dec     edx
            41              // inc     ecx
            47              // inc     edi
            4e              // dec     esi
            85 d2           // test    edx, edx
            ?? ??           // jne     0x401070
            5f              // pop     edi {__saved_edi}
            49              // dec     ecx
            5e              // pop     esi {__saved_esi}
            b8 7a 00 07 80  // mov     eax, 0x8007007a

        }
        // Reads into a 4-byte buffer until 4 bytes are received, comparing the
        // return value with -1; the first instruction of the disassembly is
        // left out of the pattern (commented) because its address is
        // sample-specific.
        $code_socket_recv_parsing = {
            // 8b 15 20 55 41 00   mov     edx, dword [data_415520]
            6a 00              // push    0x0
            b8 04 00 00 00     // mov     eax, 0x4
            2b c6              // sub     eax, esi
            50                 // push    eax {var_10_1}
            8d 0c 3e           // lea     ecx, [esi+edi]
            51                 // push    ecx {var_14_1}
            52                 // push    edx {var_18_1}
            ff ??              // call    ebx
            83 f8 ff           // cmp     eax, 0xffffffff
            ?? ??              // je      0x4082e3
            03 f0              // add     esi, eax
            83 fe 04           // cmp     esi, 0x4
          }

          // Text strings, ascii only. Ten of fourteen are needed, so the
          // generic ones ($str2, $str3, $str13) cannot carry a match alone.
          $str1 = "-.-.-." ascii
          $str2 = "PATH" ascii
          $str3 = "Path=" ascii
          $str4 = "https://microsoft.com" ascii
          $str5 = "%s%ld M" ascii
          $str6 = "%s%ld K" ascii
          $str7 = "%s(%ld)" ascii
          $str8 = "RFOX" ascii
          $str9 = "1llll" ascii
          $str10 = "%d result(s)" ascii
          $str11 = "%s%ld MB" ascii
          $str12 = "%s%ld KB" ascii
          $str13 = "%.1f" ascii
          $str14 = "%02d-%02d-%d %02d:%02d" ascii
    condition:
          // Big-endian read of "MZ"; equivalent to uint16(0) == 0x5a4d.
          uint16be(0x0) == 0x4d5a and
          (2 of ($code*) or 10 of ($str*))

}
APT_MAL_CN_Unit78020_Sep15
Detects malware used by Unit78020
source signature-base author Florian Roth (Nextron Systems)
/*
 * MZ file under 2000KB that contains any one of the $x* indicators (C2 host
 * names and request templates), or every string of one of the three $sa/$sb/$sc
 * groups. The $x* strings are the high-confidence branch; each group branch
 * requires all of its members.
 */
rule APT_MAL_CN_Unit78020_Sep15 {
   meta:
      description = "Detects malware used by Unit78020"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
      date = "2015-09-24"
      modified = "2023-01-31"
      score = 80
      old_rule_name = "Unit78020_Malware_Gen1"
      hash1 = "2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72"
      hash2 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
      hash3 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
      hash4 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
      hash5 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
      hash6 = "88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790"
      id = "d26d401f-3806-5a0b-bdb3-87d5d8af209c"
   strings:
      $x1 = "greensky27.vicp.net" fullword wide
      $x2 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
      $x3 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
      /* additional strings based on PDF report - not found in samples */
      $x4 = "serch.vicp.net" fullword wide
      // NOTE(review): $x5 is byte-for-byte identical to $x1 and adds nothing
      // under "1 of ($x*)".
      $x5 = "greensky27.vicp.net" fullword wide
      $x6 = "greensky27.vicp.net.as" fullword wide
      // NOTE(review): "vcip" differs from the "vicp" used elsewhere; presumably
      // reproduced from the report as written — confirm.
      $x7 = "greensky27.vcip.net" fullword wide
      $x8 = "pnoc-ec.vicp.net" fullword wide
      $x9 = "aseanph.vicp.net" fullword wide
      $x10 = "pnoc.vicp.net" fullword wide
      
      // Group A: HTTP client quirks. Note the stray leading "d" in $sa1/$sa4
      // and the forward-slash "/r/n" in $sa2; both are matched literally.
      $sa1 = "dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)" wide fullword
      $sa2 = "x-www-form-urlencoded/r/n" wide fullword
      $sa3 = "/%d%s%d" ascii fullword
      $sa4 = "dMozilla" wide fullword
      $sa5 = "Accept-Language:En-us" wide fullword

      // Group B: Firefox profile path, a .lnk name and a timestamp format.
      $sb1 = "%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles" wide fullword
      $sb2 = "\\Office Start.lnk" wide fullword
      $sb3 = "%02d-%02d-%02d %02d:%02d" wide fullword

      // Group C: another .lnk name, an API name with a leading "-" and an
      // error format string.
      $sc1 = "\\MSN Talk Start.lnk" wide fullword
      $sc2 = "-GetModuleFileNameExW" ascii fullword
      $sc3 = "dwError1 = %d" ascii fullword
   condition:
      uint16(0) == 0x5a4d and
      filesize < 2000KB and (
         1 of ($x*) or 
         all of ($sa*) or 
         all of ($sb*) or
         all of ($sc*)
      )
}
APT_MAL_CN_Wocao_Agent_Csharp
Strings from CSharp version of Agent
source signature-base author Fox-IT SRT
/*
 * Any single string is enough ("1 of them"). $a..$f are C# source fragments,
 * matched in both ascii and wide form; $key is the key written out as a C#
 * byte-array initialiser and $key_raw is the same 32 bytes in binary form,
 * so both the source and a compiled artefact carrying the key can match.
 * No file-type or size constraint is applied.
 */
rule APT_MAL_CN_Wocao_Agent_Csharp {
    meta:
        description = "Strings from CSharp version of Agent"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "e5212226-a82d-558d-abb4-43ad7848764e"
    strings:
        $a = "mysend(client_sock, new byte[] { 0x16, 0x00 }, 2);" ascii wide
        $b = "Dns.GetHostAddresses(sip.Remove(sip.Length - 1));" ascii wide
        $c = "Port = 256 * buf[4] + buf[5];" ascii wide
        $d = "Port = 256 * buf[AddrLen] + buf[AddrLen + 1];" ascii wide
        $e = "StartTransData(CliSock" ascii wide
        $f = "static void ForwardTransmit(object ft_data)" ascii wide

        // Textual and binary spellings of the same 32-byte key (4c 1b 68 ... 0a 2a).
        $key = "0x4c, 0x1b, 0x68, 0x0b, 0x6a, 0x18, 0x09, 0x41, 0x5a, 0x36, 0x1f, 0x56, 0x26, 0x2a, 0x03, 0x44, 0x7d, 0x5f, 0x03, 0x7b, 0x07, 0x6e, 0x03, 0x77, 0x30, 0x70, 0x52, 0x42, 0x53, 0x67, 0x0a, 0x2a" ascii wide
        $key_raw = { 4c1b680b6a1809415a361f56262a03447d5f037b076e03773070524253670a2a }

    condition:
        1 of them
}
APT_MAL_CN_Wocao_agent_powershell_b64encoded
Piece of Base64 encoded data from Agent CSharp version
source signature-base author Fox-IT SRT
/*
 * Single-string rule: matches a fixed 64-character slice of the Base64 blob
 * embedded in the PowerShell carrier. Base64 text depends on the byte offset
 * at which encoding starts, so the same payload re-encoded from a different
 * alignment would not match; "all of them" here is equivalent to "$header".
 */
rule APT_MAL_CN_Wocao_agent_powershell_b64encoded {
    meta:
        description = "Piece of Base64 encoded data from Agent CSharp version"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "14e1702d-6229-5989-8bb7-cc9c0c321676"
    strings:
        // No modifiers: ascii only, not case-insensitive.
        $header = "LFNVT0hBBnVfVVJDSx0sU1VPSEEGdV9VUkNLCG9pHSxTVU9IQQZ1X1VSQ0sIZUlK"

    condition:
        all of them
}
APT_MAL_CN_Wocao_agent_powershell_dropper
Strings from PowerShell dropper of CSharp version of Agent
source signature-base author Fox-IT SRT
/*
 * Any one of three PowerShell source fragments is enough. All strings are
 * ascii only (no "wide" modifier), so a UTF-16 encoded script would not match.
 */
rule APT_MAL_CN_Wocao_agent_powershell_dropper {
    meta:
        description = "Strings from PowerShell dropper of CSharp version of Agent"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "833ce607-56a9-5580-bbd1-e72392945fec"
    strings:
        $a = "function format([string]$source)"
        // Start of a per-character XOR decode loop; the key operand that follows
        // "-bxor" is not part of the string.
        $b = "foreach($c in $bb){$tt = $tt + [char]($c -bxor"
        // Entry point invocation of the embedded C# type.
        $c = "[agent]::Main($args);"

    condition:
        1 of them
}
APT_MAL_CN_Wocao_agent_py
Strings from Python version of Agent
source signature-base author Fox-IT SRT
/*
 * Any single string is enough. All text strings are ascii only; $d and $e are
 * regexes that tolerate an optional space around "=". $key is the same 32-byte
 * key listed in APT_MAL_CN_Wocao_Agent_Csharp, here spelled as a Python string
 * literal: the doubled backslashes are YARA escapes for a literal backslash,
 * so the pattern matches the escaped source text ("\x1b", "\t", ...), not the
 * raw key bytes.
 */
rule APT_MAL_CN_Wocao_agent_py {
    meta:
        description = "Strings from Python version of Agent"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "ca30dd6a-b596-54ab-b4f0-50e6b1382f73"
    strings:
        $a = "vpshex.decode"
        $b = "self._newsock.recv"
        $c = "Rsock.connect"
        $d = /MAX_DATALEN\s?=\s?10240/
        $e = /LISTEN_MAXCOUNT\s?=\s?80/
        $f = "ListenSock.listen(LISTEN_MAXCOUNT)"
        $g = "nextsock.send(head)"
        $h = "elif transnode"
        $i = "infobuf[4:6]"

        $key = "L\\x1bh\\x0bj\\x18\\tAZ6\\x1fV&*\\x03D}_\\x03{\\x07n\\x03w0pRBSg\\n*"
    condition:
        1 of them
}
APT_MAL_CN_Wocao_agent_py_b64encoded
Piece of Base64 encoded data from Agent Python version
source signature-base author Fox-IT SRT
/*
 * Single-string rule on a fixed 64-character Base64 slice. The leading
 * "QlpoOTFBWSZTW" decodes to "BZh91AY&SY", which looks like a bzip2 stream
 * header, so this appears to be the start of a bzip2-compressed payload.
 * As with any Base64 fragment, the match is alignment-sensitive.
 */
rule APT_MAL_CN_Wocao_agent_py_b64encoded {
    meta:
        description = "Piece of Base64 encoded data from Agent Python version"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "eb2701e9-4358-5d24-bfcd-b4dde24f13bf"
    strings:
        // No modifiers: ascii only, not case-insensitive.
        $header = "QlpoOTFBWSZTWWDdHjgABDTfgHwQe////z/v/9+////6YA4cGPsAl2e8M9LSU128"

    condition:
        all of them
}
APT_MAL_CN_Wocao_checkadmin_bin
Checkadmin utility
source signature-base author Fox-IT SRT
/*
 * Any single string is enough. $a and $c are matched in ascii and wide form;
 * $b is already UTF-16LE: it decodes to "\r\n%ld results.\r\n". No file-type
 * constraint is applied.
 */
rule APT_MAL_CN_Wocao_checkadmin_bin {
    meta:
        description = "Checkadmin utility"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "2f819213-ade1-525b-af18-d77b7fc96093"
    strings:
        $a = "[-] %s * A system error has occurred: %d" ascii wide
        // UTF-16LE "\r\n%ld results.\r\n"
        $b = {
            0D 00 0A 00 25 00 6C 00 64 00 20 00 72 00 65 00
            73 00 75 00 6C 00 74 00 73 00 2E 00 0D 00 0A 00
        }
        $c = "%s\t<Access denied>" ascii wide

    condition:
        1 of them
}
APT_MAL_CN_Wocao_getos_py
Python getos utility
source signature-base author Fox-IT SRT
/*
 * Five independent branches, any of which matches: both SMB packets as raw
 * bytes ($smb_*), both packets as Python string-literal escapes ($smbstr_*),
 * three of the six code fragments, all three task-handling names, or three
 * of the six status strings. $smb_1/$smbstr_1 and $smb_2/$smbstr_2 are the
 * same bytes in two spellings: the doubled backslashes in $smbstr_* are YARA
 * escapes for a literal backslash, so they match the script source, while the
 * hex form matches the bytes themselves.
 */
rule APT_MAL_CN_Wocao_getos_py {
    meta:
        description = "Python getos utility"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "4a731dde-87e4-566a-b559-d23e0bef5841"
    strings:
        // "\xffSMBr" packet carrying the dialect list visible in $smbstr_1
        // ("PC NETWORK PROGRAM 1.0" ... "NT LM 0.12").
        $smb_1 = {
            00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 53 c8
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe
            00 00 ff b4 00 62 00 02 50 43 20 4e 45 54 57 4f
            52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02
            4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e 64 6f
            77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f 75 70
            73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58 30 30
            32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02 4e 54
            20 4c 4d 20 30 2e 31 32 00
        }
        // "\xffSMBs" packet containing "NTLMSSP\x00\x01\x00\x00\x00" followed by
        // a long run of zero bytes; the zeros are part of the fixed pattern.
        $smb_2 = {
            00 00 00 c8 ff 53 4d 42 73 00 00 00 00 18 03 c8
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe
            00 00 3f b5 0c ff 00 c8 00 04 11 32 00 00 00 00
            00 00 00 28 00 00 00 00 00 d4 00 00 a0 8d 00 4e
            54 4c 4d 53 53 50 00 01 00 00 00 07 82 88 a2 00
            00 00 00 28 00 00 00 00 00 00 00 28 00 00 00 05
            01 28 0a 00 00 00 0f 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00
        }
        $smbstr_1 = "\\x00\\x00\\x00\\x85\\xffSMBr\\x00\\x00\\x00\\x00\\x18S\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\\x00\\x00\\xff\\xb4\\x00b\\x00\\x02PC NETWORK PROGRAM 1.0\\x00\\x02LANMAN1.0\\x00\\x02Windows for Workgroups 3.1a\\x00\\x02LM1.2X002\\x00\\x02LANMAN2.1\\x00\\x02NT LM 0.12\\x00"
        $smbstr_2 = "\\x00\\x00\\x00\\xc8\\xffSMBs\\x00\\x00\\x00\\x00\\x18\\x03\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\\x00\\x00?\\xb5\\x0c\\xff\\x00\\xc8\\x00\\x04\\x112\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\xd4\\x00\\x00\\xa0\\x8d\\x00NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x07\\x82\\x88\\xa2\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x05\\x01(\\n\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"

        // Python source fragments parsing the SMB response; 3 of 6 needed.
        $code_1 = "return 'Other error.'" ascii wide
        $code_2 = "sblob = buf[47:47 + sbl]" ascii wide
        $code_3 = "re.split('[\\x00-,]+', y[-4])" ascii wide
        $code_4 = "('').join(sblob[off:off + hlen].split('\\x00'))" ascii wide
        $code_5 = "banner = '%s    %s' % (hostname, native)" ascii wide
        $code_6 = "banner = '%s\\\\%s    %s' % (dm, hostname, native)" ascii wide

        // Short identifiers; all three are required for this branch.
        $tsk_1 = "PushTask" ascii wide
        $tsk_2 = "parse_task" ascii wide
        $tsk_3 = "commit_task" ascii wide

        // Console/status messages; 3 of 6 needed. $str_6 is a substring of
        // $code_1 and will match wherever $code_1 does.
        $str_1 = "Usage: getos.py <ip-range|ip-file>" ascii wide
        $str_2 = "The path '%s' write fails." ascii wide
        $str_3 = "Receive a signal %d," ascii wide
        $str_4 = "Scan Complete!" ascii wide
        $str_5 = "line: %d, %s: %s" ascii wide
        $str_6 = "Other error." ascii wide

    condition:
        (all of ($smb_*)) or
        (all of ($smbstr_*)) or
        (3 of ($code_*)) or
        (all of ($tsk_*)) or
        (3 of ($str_*))
}
APT_MAL_CN_Wocao_info_vbs
Strings from the information grabber VBS
source signature-base author Fox-IT SRT
/*
 * Eight anonymous ($) VBScript source fragments, ascii only; four of the eight
 * must be present. Anonymous strings can only be referenced collectively
 * ("them"), which is what the condition does.
 */
rule APT_MAL_CN_Wocao_info_vbs {
    meta:
        description = "Strings from the information grabber VBS"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "b719fb31-2836-5faf-a7c8-c361a14df2be"
    strings:
        // Calls to a "Logger" routine with the names of the script's sub-steps.
        $ = "Logger PingConnect"
        $ = "Logger GetAdmins"
        $ = "Logger InstallPro"
        $ = "Logger Exec"
        // Output-formatting fragments; the escaped quotes are literal VBScript
        // string delimiters and the trailing "_" is VBScript line continuation.
        $ = "retstr = adminsName & \" Members\" & vbCrLf & _"
        $ = "Logger VolumeName & \" (\" & objDrive.DriveLetter & \":)\" _"
        $ = "txtRes = txtRes & machine & \" can"
        $ = "retstr = \"PID   SID Image Name\" & vbCrLf & \"===="

    condition:
        4 of them
}
APT_MAL_CN_Wocao_injector_bin
Process injector/launcher
source signature-base author Fox-IT SRT
/*
 * Any single string is enough. $a and $b are ascii-only (no modifiers); $c is a
 * 113-byte x64 code sequence that begins with register spills to the stack and
 * ends with C3 (ret), i.e. what appears to be one complete small function.
 */
rule APT_MAL_CN_Wocao_injector_bin {
    meta:
        description = "Process injector/launcher"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "389279f1-6531-594f-97b6-5adbc8fa4d3d"
    strings:
        // Temp-file name template built from date/time components.
        $a = "%s{%04d-%02d%02d-%02d%02d-%d%ld}.tmp"
        // Stored reversed: read backwards it is "d.exe /c %s > %s", presumably
        // the tail of a "cmd.exe /c" command line with output redirection.
        $b = "s% > s% c/ exe.d"
        $c = {
            48 89 5C 24 08 48 89 74  24 10 57 48 83 EC 50 48
            8B 71 08 48 8D 59 10 48  8B F9 48 8B CB FF 17 33
            C9 48 8D 47 78 48 89 44  24 48 4C 8D 87 9C 03 00
            00 48 89 5C 24 40 48 8D  97 90 00 00 00 4C 89 44
            24 38 45 33 C9 48 89 4C  24 30 45 33 C0 89 4C 24
            28 C7 44 24 20 01 00 00  00 66 89 4B 40 FF D6 48
            8B 5C 24 60 33 C0 48 8B  74 24 68 48 83 C4 50 5F
            C3
        }

    condition:
        1 of them
}
APT_MAL_CN_Wocao_keylogger_file
Rule for finding keylogger output files
source signature-base author Fox-IT SRT
/*
 * Targets the logger's output file rather than the logger itself: a CRLF, a
 * space, 3-10 arbitrary bytes, the literal "Startup: " and then a fixed-width
 * layout of three/three/two/two characters separated by spaces and two "hh:mm"
 * style colon groups. The shape after "Startup: " resembles a textual
 * timestamp, but only the separators are fixed.
 */
rule APT_MAL_CN_Wocao_keylogger_file {
    meta:
        description = "Rule for finding keylogger output files"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "22e866b3-4b02-593a-b9a6-aa86870b6509"
    strings:
        // 0d 0a 20 = "\r\n ", 53..20 = "Startup: ", 3a = ":", 20 = " "
        $a = { 0d 0a 20 [3-10] 53 74 61 72 74 75 70 3a 20 [3] 20 [3] 20 [2] 20 [2] 3a [2] 3a [2] 20 }

    condition:
        all of them
}
APT_MAL_CN_Wocao_keylogger_py
Strings from Python keylogger
source signature-base author Fox-IT SRT
/*
 * Three of five ascii-only strings. $c and $d ("GenFileName", "outfile") are
 * generic identifiers, so a match on those two still needs one of the
 * specific temp-file paths or the "[PASTE:%d]" marker.
 */
rule APT_MAL_CN_Wocao_keylogger_py {
    meta:
        description = "Strings from Python keylogger"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "f7b5ec1b-669e-5e7d-a9d3-011d212eb363"
    strings:
        // Hard-coded output paths; "\\" is a YARA escape for one backslash.
        $a = "c:\\windows\\temp\\tap.tmp"
        $b = "c:\\windows\\temp\\mrteeh.tmp"
        $c = "GenFileName"
        $d = "outfile"
        // Log marker presumably written for clipboard content — not confirmed.
        $e = "[PASTE:%d]"

    condition:
        3 of them
}
APT_MAL_CN_Wocao_timeliner_bin
Timeliner utility
source signature-base author Fox-IT SRT
/*
 * Any single string is enough; all are matched in ascii and wide form. $e..$g
 * are tab-separated output record formats (a "D" prefix for the first two);
 * $d is the usage line.
 */
rule APT_MAL_CN_Wocao_timeliner_bin {
    meta:
        description = "Timeliner utility"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "3d81a4ae-0ce0-5867-ac93-a706556481b6"
    strings:
        $a = "[+] Work completed." ascii wide
        $b = "[-] Create a new file failed." ascii wide
        $c = "[-] This is not a correct path." ascii wide
        $d = "%s [TargetPath] <Num> <SavePath>" ascii wide
        // Record formats: "\t" is a YARA escape for a literal tab byte.
        $e = "D\t%ld\t%ld\t%ld\t%d\t%d\t%s\t" ascii wide
        $f = "D\t%ld\t%ld\t%ld\t-1\t%d\t%s\t" ascii wide
        $g = "%s\t%ld\t%ld\t%ld\t%I64d\t%d\t%s\t%s" ascii wide

    condition:
        1 of them
}
APT_MAL_CN_Wocao_webshell_console_jsp
Strings from the console.jsp webshell
source signature-base author Fox-IT SRT
/*
 * Any single ascii string is enough. $a/$b/$f are JSP source fragments; $c..$e
 * are fragments of the HTML the page renders, so $c and $d in particular are
 * short enough to occur in unrelated pages (the same two texts are reused in
 * APT_MAL_CN_Wocao_webshell_webinfo).
 */
rule APT_MAL_CN_Wocao_webshell_console_jsp {
    meta:
        description = "Strings from the console.jsp webshell"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "1afdfc34-d2e3-58c7-80ea-ee5632e42469"
    strings:
        // Request parameter "image" is read and compared against "web.gif".
        $a = "String strLogo = request.getParameter(\"image\")"
        $b = "!strLogo.equals(\"web.gif\")"
        $c = "<font color=red>Save Failed!</font>"
        $d = "<font color=red>Save Success!</font>"
        $e = "Save path:<br><input type=text"
        $f = "if (newfile.exists() && newfile.length()>0) { out.println"

    condition:
        1 of them
}
APT_MAL_CN_Wocao_webshell_index_jsp
Strings from the index.jsp socket tunnel
source signature-base author Fox-IT SRT
/*
 * Requires all four custom "X-" header names and the status message $a; the
 * header names alone are generic, so $a is mandatory. All strings ascii only.
 */
rule APT_MAL_CN_Wocao_webshell_index_jsp {
    meta:
        description = "Strings from the index.jsp socket tunnel"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "9c226ccd-6c69-523c-bca4-371e55274667"
    strings:
        // Header names used by the tunnel protocol.
        $x1 = "X-CMD"
        $x2 = "X-STATUS"
        $x3 = "X-TARGET"
        $x4 = "X-ERROR"
        // Literal response text emitted by the JSP.
        $a = "out.print(\"All seems fine.\");"

    condition:
        all of ($x*) and $a
}
APT_MAL_CN_Wocao_webshell_ver_jsp
Strings from the ver.jsp webshell
source signature-base author Fox-IT SRT
/*
 * Any single ascii string is enough. $a/$b mirror the console.jsp rule with
 * parameter "id" and value "256"; $d..$f are the read-and-echo loop of the
 * page (reading a stream and printing each char). $d is a common Java idiom
 * and is the weakest of the six on its own.
 */
rule APT_MAL_CN_Wocao_webshell_ver_jsp {
    meta:
        description = "Strings from the ver.jsp webshell"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "b2828b84-8934-5111-9345-683a07025070"
    strings:
        $a = "String strLogo = request.getParameter(\"id\")"
        $b = "!strLogo.equals(\"256\")"
        $c = "boolean chkos = msg.startsWith"
        $d = "while((c = er.read()) != -1)"
        $e = "out.print((char)c);}in.close()"
        $f = "out.print((char)c);}er.close()"

    condition:
        1 of them
}
APT_MAL_CN_Wocao_webshell_webinfo
Generic strings from webinfo.war webshells
source signature-base author Fox-IT SRT
/*
 * Generic variant covering the webinfo.war family: two of the six source
 * fragments, or both status texts together with one source fragment. The
 * status texts ("Save Success!"/"Save Failed!") are deliberately never
 * sufficient on their own. All strings ascii only.
 */
rule APT_MAL_CN_Wocao_webshell_webinfo {
    meta:
        description = "Generic strings from webinfo.war webshells"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "b8477f62-f3f6-5526-b0e3-9b794fefaa1f"
    strings:
        // $var1 and $var4 are prefixes of the console.jsp/ver.jsp strings and
        // therefore match any of those variants regardless of parameter name.
        $var1 = "String strLogo = request.getParameter"
        $var2 = "String content = request.getParameter(\"content\");"
        $var3 = "String basePath=request.getScheme()"
        $var4 = "!strLogo.equals("
        $var5 = "if(path!=null && !path.equals(\"\") && content!=null"
        $var6 = "File newfile=new File(path);"

        $str1 = "Save Success!"
        $str2 = "Save Failed!"

    condition:
        2 of ($var*) or (all of ($str*) and 1 of ($var*))
}
APT_MAL_CN_Wocao_xserver_csharp
Strings from the CSharp version of XServer
source signature-base author Fox-IT SRT
/*
 * Any single string is enough. $a..$e are matched in ascii and wide form;
 * $f and $g carry no modifiers and so match ascii only — possibly deliberate,
 * but it is an inconsistency worth knowing about when tuning. Port 47000 in
 * $d also appears in the $header_47000 identifier of the companion
 * APT_MAL_CN_Wocao_xserver_powershell_b64encoded rule.
 */
rule APT_MAL_CN_Wocao_xserver_csharp {
    meta:
        description = "Strings from the CSharp version of XServer"
        author = "Fox-IT SRT"
        reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"

        id = "48f4c88d-fb56-54ca-84e2-38f88804a50f"
    strings:
        $a = "static void ServerX(int ListenPort)" ascii wide
        $b = "public class xserver" ascii wide
        $c = "[xserver]::Main($args);" ascii wide
        // Firewall-rule fragment opening inbound port 47000 (presumably passed
        // to a firewall command-line tool; the tool name is not in the string).
        $d = "add rule name=powershell dir=in localport=47000 action=allow" ascii wide
        $e = "string TempFile = file_path + \".CT\";" ascii wide
        // ascii only (no "wide"), unlike $a..$e.
        $f = "Port = 256 * RecvBuf[AddrLen + 5] + RecvBuf[AddrLen + 6];"
        $g = "CliSock.Send(new byte[] { 0x05, 0x00 });"

    condition:
        1 of them
}
APT_MAL_CN_Wocao_xserver_powershell_b64encoded
Piece of Base64 encoded data from the XServer PowerShell dropper
source signature-base author Fox-IT SRT
rule APT_MAL_CN_Wocao_xserver_powershell_b64encoded {
   meta:
      description = "Piece of Base64 encoded data from the XServer PowerShell dropper"
      author = "Fox-IT SRT"
      reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"
      id = "01e38cfb-b245-5398-b037-6d1d2fb726ee"
   strings:
      // Fixed 64-character slices of the Base64 blob carried by the dropper,
      // one per known variant (the suffix presumably names the listener port;
      // 47000 also appears in the C# rule's firewall string). Base64 re-encodes
      // every 3 input bytes, so a slice like this only matches a blob encoded
      // at the same alignment - a shifted or re-encoded payload needs a new slice.
      $header_47000 = "5T39c9u2kr/nr2A0Ny2VKIzkfLRJntuJHafPN/nwWG777rUZDy3BNq8UqSEpx26b"
      $header_25667 = "5T1rc9u2st/zKxjNmZZKFEZyErdJ6nZsx+nxnTjxWGp77mkzHlqCbd5SpIak/Gjr"
   condition:
      $header_47000 or $header_25667
}
APT_MAL_CN_Wocao_xserver_powershell_dropper
Strings from the PowerShell dropper of XServer
source signature-base author Fox-IT SRT
rule APT_MAL_CN_Wocao_xserver_powershell_dropper {
   meta:
      description = "Strings from the PowerShell dropper of XServer"
      author = "Fox-IT SRT"
      reference = "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"
      id = "97169ab4-d68d-5137-83de-d9cac975747e"
   strings:
      // Inflate-from-Base64 one-liner used to unpack the embedded payload.
      // Matched as written: ASCII only and case-sensitive. PowerShell itself is
      // case-insensitive and scripts may be stored as UTF-16LE, so a variant with
      // different casing or encoding slips past this string; `ascii wide nocase`
      // would widen coverage but is not applied here to keep the published scope.
      $encfile = "New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)"
   condition:
      $encfile
}
APT_MAL_HP_iLO_Firmware_Dec21_1
Detects suspicious ELF files with sections as described in the malicious iLO board analysis by AmnPardaz in December 2021
source signature-base author Florian Roth (Nextron Systems)
rule APT_MAL_HP_iLO_Firmware_Dec21_1 {
    meta:
        description = "Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/"
        date = "2021-12-28"
        score = 80
        id = "7f5fa905-07a3-55da-b644-c5ab882b4a9d"
    strings:
        // Section names added by the implant to the iLO firmware ELF image
        // (as described in the referenced analysis). No ELF header check is
        // applied, so these are searched in every file under the size cap.
        $s1 = ".newelf.elf.text" ascii
        $s2 = ".newelf.elf.libc.so.data" ascii
        $s3 = ".newelf.elf.Initial.stack" ascii
        $s4 = ".newelf.elf.libevlog.so.data" ascii
    condition:
        // YARA's `and` binds tighter than `or`; parentheses spell out the
        // grouping: two names in a small file, or all four names at any size.
        ( filesize < 5MB and 2 of them )
        or all of them
}
APT_MAL_IR_DruidFly_Wiper_Jun25
Detects Wiper used by the Iranian DruidFly group
source signature-base author Florian Roth
rule APT_MAL_IR_DruidFly_Wiper_Jun25 {
    meta:
        description = "Detects Wiper used by the Iranian DruidFly group"
        author = "Florian Roth"
        reference = "https://x.com/threatintel/status/1936049254432231444"
        date = "2025-06-21"
        score = 80
        hash1 = "81eb22828306f3197b35fef2035cef2c548f587f8511902852964850023389d7"
    strings:
        // Null-separated table of file extensions targeted by the wiper.
        $xc1 = { 2E 62 61 63 6B 75 70 00 2E 63 6F 6E 66 69 67 00   // .backup .config
                 2E 64 62 00 00 00 00 00 2E 73 71 6C 69 74 65 00 } // .db.... .sqlite
        // Raw volume device path format ("\\.\%c:") next to the "NTFS" literal.
        $xc2 = { 00 5C 5C 2E 5C 25 63 3A 00 25 63 3A 5C 00 00 00
                 00 4E 54 46 53 00 00 00 00 5C }  // \\.\%c: %c:\0\0\0 NTFS\0\0\0\
        // Debug/log format string of the overwrite routine.
        $x1 = "%s:%d:%s(): [+] Overwriting \"%s\" \"..." ascii
        // Driver path and device name used for raw sector access.
        $s1 = "C:\\Windows\\System32\\drivers\\beep.sys" ascii fullword
        $s2 = "\\DosDevices\\sectorio" wide fullword
    condition:
        // `$x*` matches $xc1, $xc2 and $x1; `them` counts all five strings.
        // A small PE needs one high-confidence string or any two; anything else
        // (no MZ header or larger file) needs three of the five.
        (
            uint16(0) == 0x5a4d
            and filesize < 2000KB
            and ( 1 of ($x*) or 2 of them )
        )
        or 3 of them
}
APT_MAL_NK_3CX_ICONIC_Stealer_Mar23_1
Detects ICONIC stealer payload used in the 3CX incident
source signature-base author Florian Roth (Nextron Systems)
rule APT_MAL_NK_3CX_ICONIC_Stealer_Mar23_1 {
    meta:
        description = "Detects ICONIC stealer payload used in the 3CX incident"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/attachments/iconicstealer.7z"
        date = "2023-03-31"
        score = 80
        hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
        id = "e92b5b90-1146-5235-9711-a4d42689c49b"
    strings:
        // Host-fingerprint JSON, browser profile paths and the history query
        // the stealer issues against browser SQLite databases.
        $s1 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\": \"%d.%d.%d\"}" wide fullword
        $s2 = "******************************** %s ******************************" wide fullword
        $s3 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" wide fullword
        $s4 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide fullword
        $s5 = "SELECT url, title FROM urls ORDER BY id DESC LIMIT 500" wide fullword
        $s6 = "TEXT value in %s.%s" ascii fullword
        // Code fragments from the analysed build. Both contain what look like
        // rel32 call displacements (`e8 ..`), so they are tied to this build's
        // layout and may not survive a recompile.
        $op1 = { 48 63 d1 48 63 ce 49 03 d1 49 03 cd 4c 63 c7 e8 87 1f 09 00 8b 45 d0 44 8d 04 37 }
        $op2 = { 48 8b c8 8b 56 f0 48 89 46 d8 e8 78 8f f8 ff e9 ec 13 00 00 c7 46 20 ff ff ff ff e9 e0 13 00 00 33 ff }
    condition:
        // `them` counts all eight strings. Small PE: four strings suffice;
        // otherwise six are required.
        ( uint16(0) == 0x5a4d and filesize < 4000KB and 4 of them )
        or 6 of them
}
APT_MAL_NK_3CX_Malicious_Samples_Mar23_1
Detects malicious DLLs related to 3CX compromise
source signature-base author X__Junior, Florian Roth (Nextron Systems)
// Requires `import "pe"` at file scope: the condition reads pe.characteristics
// and pe.DLL, which are not available without the module import.
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
    meta:
        description = "Detects malicious DLLs related to 3CX compromise"
        author = "X__Junior, Florian Roth (Nextron Systems)"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        date = "2023-03-29"
        modified = "2023-04-20"
        score = 85
        hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
        hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
        hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
        id = "a6ea3299-fde5-5206-b5db-eb3a3f5944d9"
    strings:
        // Variant A loader: VirtualProtect + call into the decrypted buffer,
        // ReadFile followed by an "MZ" compare, a byte marker check and the
        // XOR step of the RC4 keystream application.
        $opa1 = { 4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15 } /* VirtualProtect and execute payload*/
        $opa2 = { 48 C7 44 24 ?? 00 00 00 00 4C 8D 7C 24 ?? 48 89 F9 48 89 C2 41 89 E8 4D 89 F9 FF 15 ?? ?? ?? ?? 41 83 3F 00 0F 84 ?? ?? ?? ?? 0F B7 03 3D 4D 5A 00 00} /* ReadFile and MZ compare*/
        $opa3 = { 41 80 7C 00 ?? FE 75 ?? 41 80 7C 00 ?? ED 75 ?? 41 80 7C 00 ?? FA 75 ?? 41 80 3C 00 CE} /* marker */
        $opa4 = { 44 0F B6 CD 46 8A 8C 0C ?? ?? ?? ?? 45 30 0C 0E 48 FF C1} /* xor part in RC4 decryption*/
        // Variant B loader: same four stages, different register allocation.
        $opb1 = { 41 B8 40 00 00 00 49 8B D5 49 8B CC FF 15 ?? ?? ?? ?? 85 C0 74 ?? 41 FF D4 44 8B 45 ?? 4C 8D 4D ?? 49 8B D5 49 8B CC FF 15 }  /* VirtualProtect and execute payload */
        $opb2 = { 44 8B C3 48 89 44 24 ?? 48 8B 5C 24 ?? 4C 8D 4D ?? 48 8B CB 48 89 74 24 ?? 48 8B D0 4C 8B F8 FF 15 } /* ReadFile and MZ compare*/
        $opb3 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
        $opb4 = { 49 63 C1 44 0F B6 44 05 ?? 44 88 5C 05 ?? 44 88 02 0F B6 54 05 ?? 49 03 D0 0F B6 C2 0F B6 54 05 ?? 41 30 12} /* xor part in RC4 decryption*/
    condition:
        // PE under 5 MB with the DLL characteristic set, and two stages of
        // either variant. The two variants are not mixed.
        uint16(0) == 0x5a4d
        and filesize < 5MB
        and ( pe.characteristics & pe.DLL ) != 0
        and ( 2 of ($opa*) or 2 of ($opb*) )
}
APT_MAL_NK_3CX_Malicious_Samples_Mar23_2
Detects malicious DLLs related to 3CX compromise (decrypted payload)
source signature-base author Florian Roth (Nextron Systems)
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_2 {
    meta:
        description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/dan__mayer/status/1641170769194672128?s=20"
        date = "2023-03-29"
        score = 80
        hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
        id = "bf3597ff-d62b-5d21-9c9b-e46e685284cf"
    strings:
        // Second-stage download location: icon files hosted in the
        // IconStorages GitHub repository, plus a marker string.
        $s1 = "raw.githubusercontent.com/IconStorages/images/main/icon%d.ico" wide fullword
        $s2 = "https://raw.githubusercontent.com/IconStorages" wide fullword
        $s3 = "icon%d.ico" wide fullword
        $s4 = "__tutmc" ascii fullword
        // Code fragments with build-specific displacements (rip-relative
        // operands and `e8` call targets), so they are tied to this sample.
        $op1 = { 2d ee a1 00 00 c5 fa e6 f5 e9 40 fe ff ff 0f 1f 44 00 00 75 2e c5 fb 10 0d 46 a0 00 00 44 8b 05 7f a2 00 00 e8 0a 0e 00 00 }
        $op4 = { 4c 8d 5c 24 71 0f 57 c0 48 89 44 24 60 89 44 24 68 41 b9 15 cd 5b 07 0f 11 44 24 70 b8 b1 68 de 3a 41 ba a4 7b 93 02 }
        $op5 = { f7 f3 03 d5 69 ca e8 03 00 00 ff 15 c9 0a 02 00 48 8d 44 24 30 45 33 c0 4c 8d 4c 24 38 48 89 44 24 20 }
    condition:
        // `them` counts all seven strings. Small PE: three strings; any other
        // file: five.
        ( uint16(0) == 0x5a4d and filesize < 900KB and 3 of them )
        or 5 of them
}
APT_MAL_NK_3CX_Malicious_Samples_Mar23_3
Detects malicious DLLs related to 3CX compromise (decrypted payload)
source signature-base author Florian Roth, X__Junior (Nextron Systems)
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_3 {
    meta:
        description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
        author = "Florian Roth , X__Junior (Nextron Systems)"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        date = "2023-03-29"
        score = 80
        hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
        id = "d2d361b6-8485-57eb-b6eb-88785f42e93e"
    strings:
        // Two chunks of the linear-congruential-generator routine; immediates
        // (multipliers/increments, shift counts) are wildcarded.
        $opa1 = { 41 81 C0 ?? ?? ?? ?? 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1 41 69 D0 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 ?? ?? ?? ?? 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 } /*lcg chunk */
        $opa2 = { 8B C8 41 69 D1 ?? ?? ?? ?? C1 E1 ?? 33 C1 45 8B CA 8B C8 C1 E9 ?? 33 C1 81 C2 ?? ?? ?? ?? 8B C8 C1 E1 ?? 33 C1 41 8B C8 4C 0F AF CF 44 69 C2 ?? ?? ?? ?? 4C 03 C9 45 8B D1 4C 0F AF D7} /*lcg chunk */
        // Supporting routines: Base64 decode, AES decrypt, network check and
        // VirtualProtect, with call targets and stack offsets wildcarded.
        $opb1 = { 45 33 C9 48 89 6C 24 ?? 48 8D 44 24 ?? 48 89 6C 24 ?? 8B D3 48 89 B4 24 ?? ?? ?? ?? 48 89 44 24 ?? 45 8D 41 ?? FF 15 } /* base64 decode */
        $opb2 = { 44 8B 0F 45 8B C6 48 8B 4D ?? 49 8B D7 44 89 64 24 ?? 48 89 7C 24 ?? 44 89 4C 24 ?? 4C 8D 4D ?? 48 89 44 24 ?? 44 89 64 24 ?? 4C 89 64 24 ?? FF 15} /* AES decryption */
        $opb3 = { 48 FF C2 66 44 39 2C 56 75 ?? 4C 8D 4C 24 ?? 45 33 C0 48 8B CE FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 44 0F B7 44 24 ?? 33 F6 48 8B 54 24 ?? 45 33 C9 48 8B 0B 48 89 74 24 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 74 24 ?? FF 15 } /* internet connection */
        $opb4 = { 33 C0 48 8D 6B ?? 4C 8D 4C 24 ?? 89 44 24 ?? BA ?? ?? ?? ?? 48 89 44 24 ?? 48 8B CD 89 44 24 ?? 44 8D 40 ?? 8B F8 FF 15} /* VirtualProtect */
    condition:
        // No MZ/filesize guard: every scanned file is searched for these
        // wildcarded opcode patterns, which is heavier than the sibling rules.
        all of ($opa*)
        or ( 1 of ($opa*) and 1 of ($opb*) )
        or 3 of ($opb*)
}
APT_MAL_NK_3CX_Malicious_Samples_Mar23_4
Detects decrypted payload loaded inside 3CXDesktopApp.exe which downloads info stealer
source signature-base author MalGamy (Nextron Systems)
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_4 {
   meta:
      author = "MalGamy (Nextron Systems)"
      reference = "https://twitter.com/WhichbufferArda/status/1641404343323688964?s=20"
      description = "Detects decrypted payload loaded inside 3CXDesktopApp.exe which downloads info stealer"
      date = "2023-03-29"
      hash = "851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7"
      score = 80
      id = "d11170df-570c-510c-80ec-39048acd0fbd"
   strings:
      // Pieces of the payload's keystream routine: imul/xor/shift sequences
      // with the 32-bit immediates ([4]) and shift counts (??) wildcarded.
      $op1 = {41 69 D0 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 [4] 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 [4] 33 C1 4C 0F AF CF 4D 03 CA 45 8B D1 4C 0F AF D7 41 8D 0C 11 49 C1 E9 ?? 02 C8} // xor with mul operation
      $op2 = {4D 0F AF CC 44 69 C2 [4] 4C 03 C9 45 8B D1 4D 0F AF D4 41 8D 0C 11 41 81 C0 [4] 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1} // xor with mul operation
      $op3 = {33 C1 4C 0F AF C7 8B C8 C1 E1 ?? 4D 03 C2 33 C1} // shift operation
   condition:
      // All strings are $op*, so this is the same as `2 of them`. No header
      // or size guard is applied.
      2 of ($op*)
}
APT_MAL_NK_3CX_macOS_Elextron_App_Mar23_1
Detects macOS malware used in the 3CX incident
source signature-base author Florian Roth (Nextron Systems)
rule APT_MAL_NK_3CX_macOS_Elextron_App_Mar23_1 {
    meta:
        description = "Detects macOS malware used in the 3CX incident"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2023-03-31"
        score = 80
        hash1 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
        hash2 = "f7ba7f9bf608128894196cf7314f68b78d2a6df10718c8e0cd64dbe3b86bc730"
        id = "7a3755d4-37e5-5d3b-93aa-34edb557f2d5"
    strings:
        // Hardened-runtime entitlement key and the app's bundle identifier;
        // both are expected in the legitimate Electron app too, which is why
        // they are only accepted together with one of the $s strings.
        $a1 = "com.apple.security.cs.allow-unsigned-executable-memory" ascii
        $a2 = "com.electron.3cx-desktop-app" ascii fullword
        // 28-character Base64 values (20 raw bytes, SHA-1-sized) taken from
        // the analysed samples - presumably code-signature/resource hashes.
        $s1 = "s8T/RXMlALbXfowom9qk15FgtdI=" ascii
        $s2 = "o8NQKPJE6voVZUIGtXihq7lp0cY=" ascii
    condition:
        // uint16(0) == 0xfacf reads the first two bytes CF FA, i.e. the
        // little-endian MH_MAGIC_64 header (0xfeedfacf). Universal/fat images
        // (CA FE BA BE) and 32-bit images (0xfeedface) do not pass this check.
        uint16(0) == 0xfacf
        and filesize < 400KB
        and $a1 and $a2
        and ( $s1 or $s2 )
}
APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_1
Detects Lazarus VHD Ransomware
source signature-base author Florian Roth (Nextron Systems)
rule APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_1 {
    meta:
        description = "Detects Lazarus VHD Ransomware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
        date = "2020-10-05"
        hash1 = "52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6"
        hash2 = "5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473"
        hash3 = "6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306"
        id = "5cb3c136-ec5c-5596-8dcc-e4c6ef33050a"
    strings:
        // Ransom note file name, a source-file name left in the binary, and the
        // service-stop command issued before encryption.
        $s1 = "HowToDecrypt.txt" wide fullword
        $s2 = "rsa.cpp" wide fullword
        $s3 = "sc stop \"Microsoft Exchange Compliance Service\"" ascii fullword
        // Code fragments from the 32-bit samples (ebp-relative frame accesses).
        $op1 = { 8b 8d bc fc ff ff 8b 94 bd 34 03 00 00 33 c0 50 }
        $op2 = { 8b 8d 98 f9 ff ff 8d 64 24 00 8b 39 3b bc 85 34 }
        $op3 = { 8b 94 85 34 03 00 00 89 11 40 83 c1 04 3b 06 7c }
    condition:
        // `them` counts all six strings; any two in a small PE are enough.
        uint16(0) == 0x5a4d
        and filesize < 400KB
        and 2 of them
}
APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_2
Detects Lazarus VHD Ransomware
source signature-base author Florian Roth (Nextron Systems)
rule APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_2 {
    meta:
        description = "Detects Lazarus VHD Ransomware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
        date = "2020-10-05"
        hash1 = "097ca829e051a4877bca093cee340180ff5f13a9c266ad4141b0be82aae1a39b"
        hash2 = "73a10be31832c9f1cbbd798590411009da0881592a90feb472e80025dfb0ea79"
        id = "b75668de-93e6-57e7-90f0-fa335295be7c"
    strings:
        // Opcode-only rule: three exact code fragments with no wildcards, so it
        // is tied to the listed builds; all three must be present.
        $op1 = { f9 36 88 08 8d ad fc ff ff ff 66 ff c1 e9 72 86 }
        $op2 = { c6 c4 58 0f a4 c8 12 8d ad ff ff ff ff 0f b6 44 }
        $op3 = { 88 02 66 c1 f0 54 8d bf fc ff ff ff 0f ba e0 19 }
    condition:
        uint16(0) == 0x5a4d
        and filesize < 9000KB
        and $op1 and $op2 and $op3
}