/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/
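rule FE_LEGALSTRIKE_MACRO {
    meta:
        version=".1"
        filetype="MACRO"
        author="Ian.Ahl@fireeye.com @TekDefense"
        date="2017-06-02"
        description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
    strings:
        // OBFUSCATION: the macro rebuilds its command line one character at a time with
        // ChrW() concatenations. The eight fragments below decode to a
        // "regsvr32.exe /s /n /u /i:<https url> scrobj.dll" command line.
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        // Generic forms of the same concatenation pattern, for variants that change the
        // literal character values. NOTE: the `$ob*` wildcard in the condition also
        // selects these two, so `3 of ($ob*)` counts them as well.
        // $obreg1 matches eight 5-character identifiers joined by " & " (variable-name
        // concatenation), not the ChrW() form, because `\w` does not match "(" or ")".
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        // YARA regexes are case-sensitive unless `nocase` is given. The original pattern
        // used `Chrw\(`, which could never match the `ChrW(` tokens above and left the
        // `all of ($obreg*)` branch of the condition dead; fixed to `ChrW\(`.
        $obreg2 = /(ChrW\(\d{1,3}\)\s&\s){7}/
        // wscript: the launcher used to run the decoded command line
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide

    condition:
        // Not a PE file (no "MZ" header): this targets macro source / documents, not binaries.
        uint16(0) != 0x5A4D
        // Both WScript.Shell launcher lines are required, plus either three of the
        // character-concatenation strings or both generic concatenation regexes.
        and all of ($wsobj*)
        and (3 of ($ob*) or all of ($obreg*))
}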
rule FE_LEGALSTRIKE_MACRO_2 {
    meta:
        version=".1"
        filetype="MACRO"
        author="Ian.Ahl@fireeye.com @TekDefense"
        date="2017-06-02"
        description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
    strings:
        // Environment setup: the macro reads the processor architecture and the Windows
        // directory, then builds a path to the 32-bit PowerShell binary under syswow64.
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // PowerShell command-line fragments: non-interactive, hidden-window launch of a
        // Base64-encoded, Deflate-compressed script read back through a StreamReader.
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        // Generic "<token> <two or more spaces> "<quoted argument>"" shape.
        // NOTE: the `$ps*` wildcard below also selects this string.
        $psregex1 = /\W\w+\s+\s\".+\"/
    condition:
        // Not a PE file (no "MZ" header).
        uint16(0) != 0x5A4D
        // All three environment-setup lines are required; then either six of the
        // PowerShell fragments, or four of them together with the generic regex.
        and all of ($env*)
        and (
            6 of ($ps*)
            or (4 of ($ps*) and all of ($psregex*))
        )
}
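rule FE_LEGALSTRIKE_RTF {
    meta:
        version=".1"
        // Was "MACRO"; this rule matches RTF documents (see $header and the description),
        // so the meta value now agrees with the rule name.
        filetype="RTF"
        author="joshua.kim@FireEye.com"
        date="2017-06-02"
        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"

    strings:
        // RTF magic; anchored to offset 0 in the condition.
        $header = "{\\rt"

        // Hex-encoded UTF-16LE "LinkInfo" as it appears in the embedded OLE object data.
        $lnkinfo = "4c0069006e006b0049006e0066006f"

        // Hex-encoded OLE structure names embedded in the RTF object stream:
        // "OLE2Link" (ASCII), then UTF-16LE "Root Entry", "ObjInfo" and "Ole".
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"

        // Hex bytes of "http" with an RTF group opened right after the pair; the opening
        // brace is part of how the sample splits the hex stream across control groups.
        // NOTE: 2-3 byte atoms like these are costly for the scanner (YARA warns about
        // them); they are kept because the condition requires every string to match.
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"

        // 2bunny.com, one hex byte pair per string, each followed by "{\" (the same
        // control-group interleaving as above).
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"

        // The "\*\datastore" destination that carries the embedded object.
        $datastore = "\\*\\datastore"

    condition:
        // RTF header at file start, and every string above present somewhere in the file.
        $header at 0 and all of them
}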