Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
MALW_Rebirth_Vulcan_ELF.yar 2.73 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 
/* Yara rule to detect ELF Linux malware Rebirth Vulcan (Torlus next-gen) generic 
   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
   and  open to any user or organization, as long as you use it under this license.
*/

private rule is__str_Rebirth_gen3 {
	meta:
		description = "Generic detection for Vulcan branch Rebirth or Katrina from Torlus nextgen"
		reference = "https://imgur.com/a/SSKmu"
		reference = "https://www.reddit.com/r/LinuxMalware/comments/7rprnx/vulcan_aka_linuxrebirth_or_katrina_variant_of/"
		author = "unixfreaxjp"
		org = "MalwareMustDie"
		date = "2018-01-21"
	strings:
        	$str01 = "/usr/bin/python" fullword nocase wide ascii
        	$str02 = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n" fullword nocase wide ascii
        	$str03 = "Telnet Range %d->%d" fullword nocase wide ascii
        	$str04 = "Mirai Range %d->%d" fullword nocase wide ascii
        	$str05 = "[Updating] [%s:%s]" fullword nocase wide ascii
        	$str06 = "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*" fullword nocase wide ascii
		$str07 = "\x1B[96m[DEVICE] \x1B[97mConnected" fullword nocase wide ascii
	condition:
        	4 of them
}

private rule is__hex_Rebirth_gen3 {
	meta:
		author = "unixfreaxjp"
		date = "2018-01-21"
	strings:
		$hex01 = { 0D C0 A0 E1 00 D8 2D E9 }
		$hex02 = { 3C 1C 00 06 27 9C 97 98 }
		$hex03 = { 94 21 EF 80 7C 08 02 A6 }
		$hex04 = { E6 2F 22 4F 76 91 18 3F }
		$hex05 = { 06 00 1C 3C 20 98 9C 27 }
		$hex06 = { 55 89 E5 81 EC ?? 10 00 }
		$hex07 = { 55 48 89 E5 48 81 EC 90 }
		$hex08 = { 6F 67 69 6E 00 }
	condition:
        	2 of them 
}

private rule is__bot_Rebirth_gen3 {
	meta:
		author = "unixfreaxjp"
		date = "2018-01-21"
	strings:
        	$bot01 = "MIRAITEST" fullword nocase wide ascii
        	$bot02 = "TELNETTEST" fullword nocase wide ascii
        	$bot03 = "UPDATE" fullword nocase wide ascii
        	$bot04 = "PHONE" fullword nocase wide ascii
        	$bot05 = "RANGE" fullword nocase wide ascii
		$bot06 = "KILLATTK" fullword nocase wide ascii
		$bot07 = "STD" fullword nocase wide ascii
        	$bot08 = "BCM" fullword nocase wide ascii
		$bot09 = "NETIS" fullword nocase wide ascii
		$bot10 = "FASTLOAD" fullword nocase wide ascii
	condition:
        	6 of them
}

rule MALW_Rebirth_Vulcan_ELF {
	meta:
		description = "Detects Rebirth Vulcan variant a torlus NextGen MALW"
		description = "Just adjust or omit below two strings for next version they code :) @unixfreaxjp"
		date = "2018-01-21"
	strings:
                $spec01 = "vulcan.sh" fullword nocase wide ascii
		$spec02 = "Vulcan" fullword nocase wide ascii
	condition:
                all of them
		and is__elf
		and is__str_Rebirth_gen3
		and is__hex_Rebirth_gen3
		and is__bot_Rebirth_gen3
		and filesize < 300KB 
}