Skip to content

R
rules
Commit 04c22d97 by Marc Rivero López Committed by GitHub
Options

Update APT_Careto.yar 

Fixed rule style
parent 00795bcc
Showing with 65 additions and 49 deletions
malware/APT_Careto.yar
...@@ -4,59 +4,75 @@ ...@@ -4,59 +4,75 @@
import "pe" import "pe"
rule Careto_SGH : APT Careto { rule Careto_SGH
meta: {
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto SGH component signature" meta:
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" author = "AlienVault (Alberto Ortega)"
date = "2014/02/11" description = "TheMask / Careto SGH component signature"
strings: reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
$m1 = "PGPsdkDriver" ascii wide fullword date = "2014/02/11"
$m2 = "jpeg1x32" ascii wide fullword
$m3 = "SkypeIE6Plugin" ascii wide fullword strings:
$m4 = "CDllUninstall" ascii wide fullword $m1 = "PGPsdkDriver" ascii wide fullword
condition: $m2 = "jpeg1x32" ascii wide fullword
2 of them $m3 = "SkypeIE6Plugin" ascii wide fullword
$m4 = "CDllUninstall" ascii wide fullword
condition:
2 of them
} }
rule Careto_OSX_SBD : APT Careto { rule Careto_OSX_SBD
meta: {
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto OSX component signature" meta:
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" author = "AlienVault (Alberto Ortega)"
date = "2014/02/11" description = "TheMask / Careto OSX component signature"
strings: reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
/* XORed "/dev/null strdup() setuid(geteuid())" */ date = "2014/02/11"
$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
condition: strings:
all of them /* XORed "/dev/null strdup() setuid(geteuid())" */
$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
condition:
all of them
} }
rule Careto_CnC : APT Careto { rule Careto_CnC
meta: {
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto CnC communication signature" meta:
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" author = "AlienVault (Alberto Ortega)"
date = "2014/02/11" description = "TheMask / Careto CnC communication signature"
strings: reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
$1 = "cgi-bin/commcgi.cgi" ascii wide date = "2014/02/11"
$2 = "Group" ascii wide
$3 = "Install" ascii wide strings:
$4 = "Bn" ascii wide $1 = "cgi-bin/commcgi.cgi" ascii wide
condition: $2 = "Group" ascii wide
all of them $3 = "Install" ascii wide
$4 = "Bn" ascii wide
condition:
all of them
} }
rule Careto_CnC_domains : APT Careto { rule Careto_CnC_domains
meta: {
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto known command and control domains" meta:
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" author = "AlienVault (Alberto Ortega)"
date = "2014/02/11" description = "TheMask / Careto known command and control domains"
strings: reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
$1 = "linkconf.net" ascii wide nocase date = "2014/02/11"
$2 = "redirserver.net" ascii wide nocase
$3 = "swupdt.com" ascii wide nocase strings:
condition: $1 = "linkconf.net" ascii wide nocase
any of them $2 = "redirserver.net" ascii wide nocase
$3 = "swupdt.com" ascii wide nocase
condition:
any of them
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment