Skip to content

R
rules
Commit 04c22d97 by Marc Rivero López Committed by GitHub
Options

Update APT_Careto.yar 

Fixed rule style
parent 00795bcc
Showing with 20 additions and 4 deletions
malware/APT_Careto.yar
...@@ -4,59 +4,75 @@ ...@@ -4,59 +4,75 @@
import "pe" import "pe"
rule Careto_SGH : APT Careto { rule Careto_SGH
{
meta: meta:
author = "AlienVault (Alberto Ortega)" author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto SGH component signature" description = "TheMask / Careto SGH component signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
date = "2014/02/11" date = "2014/02/11"
strings: strings:
$m1 = "PGPsdkDriver" ascii wide fullword $m1 = "PGPsdkDriver" ascii wide fullword
$m2 = "jpeg1x32" ascii wide fullword $m2 = "jpeg1x32" ascii wide fullword
$m3 = "SkypeIE6Plugin" ascii wide fullword $m3 = "SkypeIE6Plugin" ascii wide fullword
$m4 = "CDllUninstall" ascii wide fullword $m4 = "CDllUninstall" ascii wide fullword
condition: condition:
2 of them 2 of them
} }
rule Careto_OSX_SBD : APT Careto { rule Careto_OSX_SBD
{
meta: meta:
author = "AlienVault (Alberto Ortega)" author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto OSX component signature" description = "TheMask / Careto OSX component signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
date = "2014/02/11" date = "2014/02/11"
strings: strings:
/* XORed "/dev/null strdup() setuid(geteuid())" */ /* XORed "/dev/null strdup() setuid(geteuid())" */
$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12} $1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
condition: condition:
all of them all of them
} }
rule Careto_CnC : APT Careto { rule Careto_CnC
{
meta: meta:
author = "AlienVault (Alberto Ortega)" author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto CnC communication signature" description = "TheMask / Careto CnC communication signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
date = "2014/02/11" date = "2014/02/11"
strings: strings:
$1 = "cgi-bin/commcgi.cgi" ascii wide $1 = "cgi-bin/commcgi.cgi" ascii wide
$2 = "Group" ascii wide $2 = "Group" ascii wide
$3 = "Install" ascii wide $3 = "Install" ascii wide
$4 = "Bn" ascii wide $4 = "Bn" ascii wide
condition: condition:
all of them all of them
} }
rule Careto_CnC_domains : APT Careto { rule Careto_CnC_domains
{
meta: meta:
author = "AlienVault (Alberto Ortega)" author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto known command and control domains" description = "TheMask / Careto known command and control domains"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf" reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
date = "2014/02/11" date = "2014/02/11"
strings: strings:
$1 = "linkconf.net" ascii wide nocase $1 = "linkconf.net" ascii wide nocase
$2 = "redirserver.net" ascii wide nocase $2 = "redirserver.net" ascii wide nocase
$3 = "swupdt.com" ascii wide nocase $3 = "swupdt.com" ascii wide nocase
condition: condition:
any of them any of them
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment