/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

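rule apt_hellsing_implantstrings
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing implants"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        // Anchor: the scanned file must start with the "MZ" marker (see condition).
        $mz="MZ"
        // Alternative 1: both upload-failure message and ping command line.
        $a1="the file uploaded failed !"
        $a2="ping 127.0.0.1"
        // Alternative 2: both download-failure message and the common.asp page name.
        $b1="the file downloaded failed !"
        $b2="common.asp"
        // Alternative 3: xweber server binary name together with an "action=" parameter.
        $c="xweber_server.exe"
        $d="action="
        // Alternative 4: any one of the Hellsing build/debug directory paths.
        // $debugpath5 has no trailing backslash, unlike the others; kept as published.
        $debugpath1="d:\\Hellsing\\release\\msger\\" nocase
        $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
        $debugpath3="D:\\Hellsing\\release\\exe\\" nocase
        $debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
        $debugpath5="e:\\Hellsing\\release\\clare" nocase
        $debugpath6="e:\\Hellsing\\release\\irene\\" nocase
        $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
        // Alternative 5: msger server DLL name together with the ServiceMain export name.
        // $f alone is generic (present in most service DLLs), so it is only used with $e.
        $e="msger_server.dll"
        $f="ServiceMain"

    condition:
        // In YARA "and" binds tighter than "or". Without the enclosing parentheses
        // the MZ-at-offset-0 check applied only to the first alternative and the
        // filesize check only to the last, so e.g. $c and $d alone matched any file
        // of any type and size. Group the alternatives so both guards apply to all
        // of them, matching the structure of the other rules in this file.
        ($mz at 0) and
        (
            (all of ($a*)) or
            (all of ($b*)) or
            ($c and $d) or
            (any of ($debugpath*)) or
            ($e and $f)
        ) and
        filesize < 500000
}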

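rule apt_hellsing_installer
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing xweber/msger installers"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        // Anchor: the scanned file must start with the "MZ" marker (see condition).
        $mz="MZ"
        // Mandatory: self-deletion command line (ping used as a delay, then del of "%s").
        $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
        // Supporting indicators; any two are required. Numbering skips $a3 as published.
        // One declaration per line: the published text had $a5/$a6 and $a8/$a9
        // jammed onto single lines, which YARA accepts but which hides the
        // individual strings from review.
        $a1="xweber_install_uac.exe"
        $a2="system32\\cmd.exe" wide
        // $a4-$a8 are base64-looking blobs, matched as opaque ASCII text.
        $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
        $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
        $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
        $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
        // NOTE(review): $a8 contains a literal space ("...5OSI Njl2tyI") inside what
        // otherwise looks like base64. If that space is a transcription artefact the
        // string will never match; kept byte-for-byte here — confirm against the
        // original publication before changing it.
        $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"
        $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
        $a10="%SystemRoot%\\system32\\cmd.exe" wide
        $a11="msger_install.dll"
        // Hex form of NUL-delimited "ex.dll" (00 'e' 'x' '.' 'd' 'l' 'l' 00).
        $a12={00 65 78 2E 64 6C 6C 00}

    condition:
        // MZ at offset 0, the self-delete command line, any two supporting strings,
        // and a size cap.
        ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
}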

rule apt_hellsing_proxytool
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing proxy testing tool"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        // Proxy-configuration log format strings. The trailing space inside each
        // quoted literal is part of the matched text.
        $a1="PROXY_INFO: automatic proxy url => %s "
        $a2="PROXY_INFO: connection type => %d "
        $a3="PROXY_INFO: proxy server => %s "
        $a4="PROXY_INFO: bypass list => %s "
        // Error message naming the InternetQueryOption API.
        $a5="InternetQueryOption failed with GetLastError() %d"
        // Hellsing build/debug directory path, matched case-insensitively.
        $a6="D:\\Hellsing\\release\\exe\\exe\\" nocase

    condition:
        // Size cap first, then the "MZ" marker read as a little-endian 16-bit value
        // at offset 0 (equivalent to a "MZ" string at 0), then any two indicators.
        filesize < 300000 and
        uint16(0) == 0x5A4D and
        2 of ($a*)
}

rule apt_hellsing_xkat
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing xKat tool"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        // Embedded driver file name and resource name.
        $a1="\\Dbgv.sys"
        $a2="XKAT_BIN"
        // Status messages for the driver drop/load steps. $a4 keeps its trailing space.
        $a3="release sys file error."
        $a4="driver_load error. "
        $a5="driver_create error."
        // Status messages for the file-deletion and process-kill operations.
        $a6="delete file:%s error."
        $a7="delete file:%s ok."
        $a8="kill pid:%d error."
        $a9="kill pid:%d ok."
        // Command-line switch and its combined kill+delete status messages.
        $a10="-pid-delete"
        $a11="kill and delete pid:%d error."
        $a12="kill and delete pid:%d ok."

    condition:
        // Size cap, "MZ" marker as a little-endian 16-bit read at offset 0
        // (equivalent to a "MZ" string at 0), and at least half of the indicators.
        filesize < 300000 and
        uint16(0) == 0x5A4D and
        6 of ($a*)
}

rule apt_hellsing_msgertype2
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing msger type 2 implants"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        // Local file path format string and the "_msger" marker.
        $a1="%s\\system\\%d.txt"
        $a2="_msger"
        // Server-side URI format strings (common.asp with action= parameters and a
        // data path); the host is a %s placeholder, so no C2 address is encoded here.
        $a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
        $a4="http://%s/data/%s.1000001000"
        $a5="/lib/common.asp?action=user_upload&file="
        // Six dash-separated hex bytes — looks like a MAC-address format string.
        $a6="%02X-%02X-%02X-%02X-%02X-%02X"

    condition:
        // Size cap, "MZ" marker as a little-endian 16-bit read at offset 0
        // (equivalent to a "MZ" string at 0), and four of the six indicators.
        filesize < 500000 and
        uint16(0) == 0x5A4D and
        4 of ($a*)
}

rule apt_hellsing_irene
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing msger irene installer"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"

    strings:
        // Dropped driver paths, UTF-16LE encoded.
        $a1="\\Drivers\\usbmgr.tmp" wide
        $a2="\\Drivers\\usbmgr.sys" wide
        // Driver-loading error messages; both keep their trailing space.
        $a3="common_loadDriver CreateFile error! "
        $a4="common_loadDriver StartService error && GetLastError():%d! "
        // Short, generic component name; on its own it is weak, but the 4-of-6
        // threshold below means it can never trigger the rule alone.
        $a5="irene" wide
        // aPLib compression library version banner.
        $a6="aPLib v0.43 - the smaller the better"

    condition:
        // Size cap, "MZ" marker as a little-endian 16-bit read at offset 0
        // (equivalent to a "MZ" string at 0), and four of the six indicators.
        filesize < 500000 and
        uint16(0) == 0x5A4D and
        4 of ($a*)
}