malware/APT_EnergeticBear_backdoored_ssh.yar · ac4c76d07715e4afb2c3c433492ff243f5a55450 · fact-depend / rules · GitLab

Blame History Permalink

Create APT_EnergeticBear_backdoored_ssh.yar · e6d94dcb
```
from https://securelist.com/energetic-bear-crouching-yeti/85345/
```
Mike Worth authored 7 years ago
e6d94dcb

APT_EnergeticBear_backdoored_ssh.yar 299 Bytes

1 2 3 4 5 6 7 8 9 10 11 12

rule Backdoored_ssh {
meta:
author = "Kaspersky"
reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
actor = "Energetic Bear/Crouching Yeti"
strings:
$a1 = "OpenSSH"
$a2 = "usage: ssh"
$a3 = "HISTFILE"
condition:
uint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)
}