Commit 3dddf413 by Marc Rivero López Committed by GitHub

Update APT_Derusbi.yar

Fixed style and spacing
parent cce235cc
...@@ -3,12 +3,12 @@ ...@@ -3,12 +3,12 @@
*/ */
import "pe" rule apt_nix_elf_derusbi
rule apt_nix_elf_derusbi : APT Derusbi ELF
{ {
meta: meta:
Author = "@seifreed" Author = "@seifreed"
strings: strings:
$ = "LxMain" $ = "LxMain"
$ = "execve" $ = "execve"
...@@ -51,10 +51,13 @@ rule apt_nix_elf_derusbi : APT Derusbi ELF ...@@ -51,10 +51,13 @@ rule apt_nix_elf_derusbi : APT Derusbi ELF
condition: condition:
(uint32(0) == 0x4464c457f) and (all of them) (uint32(0) == 0x4464c457f) and (all of them)
} }
rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF
rule apt_nix_elf_derusbi_kernelModule
{ {
meta: meta:
Author = "@seifreed" Author = "@seifreed"
strings: strings:
$ = "__this_module" $ = "__this_module"
$ = "init_module" $ = "init_module"
...@@ -80,20 +83,26 @@ rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF ...@@ -80,20 +83,26 @@ rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF
condition: condition:
(uint32(0) == 0x4464c457f) and (all of them) (uint32(0) == 0x4464c457f) and (all of them)
} }
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation : APT Derusbi ELF rule apt_nix_elf_Derusbi_Linux_SharedMemCreation : APT Derusbi ELF
{ {
meta: meta:
Author = "@seifreed" Author = "@seifreed"
strings: strings:
$byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 } $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
condition: condition:
(uint32(0) == 0x464C457F) and (any of them) (uint32(0) == 0x464C457F) and (any of them)
} }
rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF rule apt_nix_elf_Derusbi_Linux_Strings
{ {
meta: meta:
Author = "@seifreed" Author = "@seifreed"
strings: strings:
$a1 = "loadso" wide ascii fullword $a1 = "loadso" wide ascii fullword
$a2 = "\nuname -a\n\n" wide ascii $a2 = "\nuname -a\n\n" wide ascii
...@@ -109,18 +118,17 @@ rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF ...@@ -109,18 +118,17 @@ rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF
$b7 = "cp -a %s %s" wide ascii $b7 = "cp -a %s %s" wide ascii
$c1 = "/dev/pts/4" wide ascii fullword $c1 = "/dev/pts/4" wide ascii fullword
$c2 = "/tmp/1408.log" wide ascii fullword $c2 = "/tmp/1408.log" wide ascii fullword
condition: condition:
uint32(0) == 0x464C457F and uint32(0) == 0x464C457F and ((1 of ($a*) and 4 of ($b*)) or (1 of ($a*) and 1 of ($c*)) or 2 of ($a*) or all of ($b*))
((1 of ($a*) and 4 of ($b*)) or
(1 of ($a*) and 1 of ($c*)) or
2 of ($a*) or
all of ($b*))
} }
rule apt_win_exe_trojan_derusbi : APT Derusbi rule apt_win_exe_trojan_derusbi
{ {
meta: meta:
Author = "@seifreed" Author = "@seifreed"
strings: strings:
$sa_1 = "USB" wide ascii $sa_1 = "USB" wide ascii
$sa_2 = "RAM" wide ascii $sa_2 = "RAM" wide ascii
...@@ -143,7 +151,6 @@ rule apt_win_exe_trojan_derusbi : APT Derusbi ...@@ -143,7 +151,6 @@ rule apt_win_exe_trojan_derusbi : APT Derusbi
$sa_19 = "DllRegisterServer" $sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer" $sa_20 = "DllUnregisterServer"
$sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
$sb_1 = "PCC_CMD_PACKET" $sb_1 = "PCC_CMD_PACKET"
$sb_2 = "PCC_CMD" $sb_2 = "PCC_CMD"
$sb_3 = "PCC_BASEMOD" $sb_3 = "PCC_BASEMOD"
...@@ -152,18 +159,15 @@ rule apt_win_exe_trojan_derusbi : APT Derusbi ...@@ -152,18 +159,15 @@ rule apt_win_exe_trojan_derusbi : APT Derusbi
$sb_6 = "PCC_PROCESS" $sb_6 = "PCC_PROCESS"
$sb_7 = "PCC_FILE" $sb_7 = "PCC_FILE"
$sb_8 = "PCC_SOCK" $sb_8 = "PCC_SOCK"
$sc_1 = "bcdedit -set testsigning" wide ascii $sc_1 = "bcdedit -set testsigning" wide ascii
$sc_2 = "update.microsoft.com" wide ascii $sc_2 = "update.microsoft.com" wide ascii
$sc_3 = "_crt_debugger_hook" wide ascii $sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii $sc_4 = "ue8G5" wide ascii
$sd_1 = "NET" wide ascii $sd_1 = "NET" wide ascii
$sd_2 = "\\\\.\\pipe\\%s" wide ascii $sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii $sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii $sd_4 = "CONNECT %s:%d" wide ascii
$sd_5 = "\\Device\\" wide ascii $sd_5 = "\\Device\\" wide ascii
$se_1 = "-%s-%04d" wide ascii $se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii $se_2 = "-%04d" wide ascii
$se_3 = "FAL" wide ascii $se_3 = "FAL" wide ascii
...@@ -172,14 +176,13 @@ rule apt_win_exe_trojan_derusbi : APT Derusbi ...@@ -172,14 +176,13 @@ rule apt_win_exe_trojan_derusbi : APT Derusbi
$se_6 = "XXXXXXXXXXXXXXX" wide ascii $se_6 = "XXXXXXXXXXXXXXX" wide ascii
condition: condition:
(uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or ( (uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or ((13 of ($sa_*)) and ( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
(13 of ($sa_*)) and
( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or
( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
} }
rule Trojan_Derusbi : APT Derusbi { rule Trojan_Derusbi
{
meta: meta:
Author = "RSA_IR" Author = "RSA_IR"
Date = "4Sept13" Date = "4Sept13"
...@@ -200,22 +203,27 @@ rule Trojan_Derusbi : APT Derusbi { ...@@ -200,22 +203,27 @@ rule Trojan_Derusbi : APT Derusbi {
2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8) 2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
} }
rule APT_Derusbi_DeepPanda : APT Derusbi ELF DeepPanda rule APT_Derusbi_DeepPanda
{ {
meta: meta:
author = "ThreatConnect Intelligence Research Team" author = "ThreatConnect Intelligence Research Team"
reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf" reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
strings: strings:
$D = "Dom4!nUserP4ss" wide ascii $D = "Dom4!nUserP4ss" wide ascii
condition: condition:
$D $D
} }
rule APT_Derusbi_Gen : APT Derusbi rule APT_Derusbi_Gen
{ {
meta: meta:
author = "ThreatConnect Intelligence Research Team" author = "ThreatConnect Intelligence Research Team"
strings: strings:
$2 = "273ce6-b29f-90d618c0" wide ascii $2 = "273ce6-b29f-90d618c0" wide ascii
$A = "Ace123dx" fullword wide ascii $A = "Ace123dx" fullword wide ascii
...@@ -229,9 +237,11 @@ strings: ...@@ -229,9 +237,11 @@ strings:
$ph = "/photoe/photo.asp HTTP" wide ascii $ph = "/photoe/photo.asp HTTP" wide ascii
$PO = "POST /photos/photo.asp" wide ascii $PO = "POST /photos/photo.asp" wide ascii
$PC = "PCC_IDENT" wide ascii $PC = "PCC_IDENT" wide ascii
condition: condition:
any of them any of them
} }
/* /*
Yara Rule Set Yara Rule Set
Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
...@@ -240,34 +250,40 @@ condition: ...@@ -240,34 +250,40 @@ condition:
Identifier: Derusbi Dez 2015 Identifier: Derusbi Dez 2015
*/ */
rule derusbi_kernel : APT Derusbi rule derusbi_kernel
{ {
meta: meta:
description = "Derusbi Driver version" description = "Derusbi Driver version"
date = "2015-12-09" date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud" author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings: strings:
$token1 = "$$$--Hello" $token1 = "$$$--Hello"
$token2 = "Wrod--$$$" $token2 = "Wrod--$$$"
$cfg = "XXXXXXXXXXXXXXX" $cfg = "XXXXXXXXXXXXXXX"
$class = ".?AVPCC_BASEMOD@@" $class = ".?AVPCC_BASEMOD@@"
$MZ = "MZ" $MZ = "MZ"
condition: condition:
$MZ at 0 and $token1 and $token2 and $cfg and $class $MZ at 0 and $token1 and $token2 and $cfg and $class
} }
rule derusbi_linux : APT Derusbi ELF rule derusbi_linux
{ {
meta: meta:
description = "Derusbi Server Linux version" description = "Derusbi Server Linux version"
date = "2015-12-09" date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud" author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings: strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$" $PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a" $cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]" $pname = "[diskio]"
$rkfile = "/tmp/.secure" $rkfile = "/tmp/.secure"
$ELF = "\x7fELF" $ELF = "\x7fELF"
condition: condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile $ELF at 0 and $PS1 and $cmd and $pname and $rkfile
} }
...@@ -279,7 +295,9 @@ rule derusbi_linux : APT Derusbi ELF ...@@ -279,7 +295,9 @@ rule derusbi_linux : APT Derusbi ELF
Identifier: Derusbi Dez 2015 Identifier: Derusbi Dez 2015
*/ */
rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi { rule Derusbi_Kernel_Driver_WD_UDFS
{
meta: meta:
description = "Detects Derusbi Kernel Driver" description = "Detects Derusbi Kernel Driver"
author = "Florian Roth" author = "Florian Roth"
...@@ -290,6 +308,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi { ...@@ -290,6 +308,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi {
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a" hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58" hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59" hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
strings: strings:
$x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide $x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
$x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide $x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
...@@ -297,41 +316,45 @@ rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi { ...@@ -297,41 +316,45 @@ rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi {
$x4 = "\\??\\pipe\\usbpcg%d" fullword wide $x4 = "\\??\\pipe\\usbpcg%d" fullword wide
$x5 = "$$$--Hello" fullword ascii $x5 = "$$$--Hello" fullword ascii
$x6 = "Wrod--$$$" fullword ascii $x6 = "Wrod--$$$" fullword ascii
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
$s2 = "Update.dll" fullword ascii $s2 = "Update.dll" fullword ascii
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide $s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
$s4 = "\\Driver\\nsiproxy" fullword wide $s4 = "\\Driver\\nsiproxy" fullword wide
$s5 = "HOST: %s" fullword ascii $s5 = "HOST: %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and condition:
( uint16(0) == 0x5a4d and filesize < 800KB and (2 of ($x*) or all of ($s*))
2 of ($x*) or all of ($s*)
)
} }
rule Derusbi_Code_Signing_Cert : APT Derusbi { rule Derusbi_Code_Signing_Cert
{
meta: meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious" description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
author = "Florian Roth" author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family" reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15" date = "2015-12-15"
score = 40 score = 40
strings: strings:
$s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii $s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
$s2 = "XL Games Co.,Ltd.0" fullword ascii $s2 = "XL Games Co.,Ltd.0" fullword ascii
$s3 = "Wemade Entertainment co.,Ltd0" fullword ascii $s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
} }
rule XOR_4byte_Key : APT Derusbi { rule XOR_4byte_Key
{
meta: meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)" description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
author = "Florian Roth" author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family" reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15" date = "2015-12-15"
score = 60 score = 60
strings: strings:
/* Op Code */ /* Op Code */
$s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 } $s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
...@@ -344,16 +367,18 @@ rule XOR_4byte_Key : APT Derusbi { ...@@ -344,16 +367,18 @@ rule XOR_4byte_Key : APT Derusbi {
dec ecx dec ecx
jmp short loc_590162 jmp short loc_590162
*/ */
condition: condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them uint16(0) == 0x5a4d and filesize < 900KB and all of them
} }
rule apt_win32_dll_bergard_pgv_pvid_variant : Win32 Derusbi rule apt_win32_dll_bergard_pgv_pvid_variant
{ {
meta: meta:
copyright = "Fidelis Cybersecurity" copyright = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html" reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
strings: strings:
$ = "Accept:" $ = "Accept:"
$ = "User-Agent: %s" $ = "User-Agent: %s"
...@@ -369,6 +394,5 @@ rule apt_win32_dll_bergard_pgv_pvid_variant : Win32 Derusbi ...@@ -369,6 +394,5 @@ rule apt_win32_dll_bergard_pgv_pvid_variant : Win32 Derusbi
$ = "HTTP/1.0" $ = "HTTP/1.0"
condition: condition:
(uint16(0) == 0x5A4D) and (all of them) (uint16(0) == 0x5A4D) and (all of them)
} }
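Review bot: The ELF magic check in the `apt_nix_elf_derusbi` and `apt_nix_elf_derusbi_kernelModule` conditions compares `uint32(0)` with `0x4464c457f`, a 36-bit constant that a 32-bit read can never equal, so both rules are dead and never fire; `apt_nix_elf_Derusbi_Linux_SharedMemCreation` in the same file uses the correct `0x464C457F`. Since this commit already touches those two rules' headers, both condition lines should become `(uint32(0) == 0x464C457F) and (all of them)`. Separately, the new side drops the `: APT Derusbi ELF` / `: APT Derusbi` tags from most rule headers while `apt_nix_elf_Derusbi_Linux_SharedMemCreation` keeps its tags; removing tags changes which rules run under `yara -t`, so it is a behavioural change rather than a style fix and should either be applied consistently or be called out in the commit message.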