Commit 780d0f6c by Marc Rivero López Committed by GitHub

Update APT_Sauron

parent 82e44482
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
Warning: Don't use this rule set without excluding the false positive hashes listed in the file falsepositive-hashes.txt from https://github.com/Neo23x0/Loki/blob/master/signatures/falsepositive-hashes.txt
*/
import "pe" import "pe"
import "math" import "math"
rule apt_ProjectSauron_pipe_backdoor { rule apt_ProjectSauron_pipe_backdoor
meta: {
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron pipe backdoors" description = "Rule to detect ProjectSauron pipe backdoors"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
strings: strings:
$a1 = "CreateNamedPipeW" fullword ascii $a1 = "CreateNamedPipeW" fullword ascii
$a2 = "SetSecurityDescriptorDacl" fullword ascii $a2 = "SetSecurityDescriptorDacl" fullword ascii
$a3 = "GetOverlappedResult" fullword ascii $a3 = "GetOverlappedResult" fullword ascii
$a4 = "TerminateThread" fullword ascii $a4 = "TerminateThread" fullword ascii
$a5 = "%s%s%X" fullword wide $a5 = "%s%s%X" fullword wide
condition:
condition: uint16(0) == 0x5A4D and (all of ($a*)) and filesize < 100000
uint16(0) == 0x5A4D
and (all of ($a*))
and filesize < 100000
} }
rule apt_ProjectSauron_encrypted_LSA { rule apt_ProjectSauron_encrypted_LSA
meta: {
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron encrypted LSA samples" description = "Rule to detect ProjectSauron encrypted LSA samples"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
strings: strings:
$a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii
$a2 = "\\Device\\NdisRaw_" fullword ascii $a2 = "\\Device\\NdisRaw_" fullword ascii
$a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide
...@@ -40,102 +45,85 @@ strings: ...@@ -40,102 +45,85 @@ strings:
$a6 = {8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15} $a6 = {8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15}
$a7 = {488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF} $a7 = {488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF}
condition:
condition: uint16(0) == 0x5A4D and (any of ($a*) or ( pe.exports("InitializeChangeNotify") and pe.exports("PasswordChangeNotify") and math.entropy(0x400, filesize) >= 7.5 )) and filesize < 1000000
uint16(0) == 0x5A4D
and (any of ($a*) or
(
pe.exports("InitializeChangeNotify") and
pe.exports("PasswordChangeNotify") and
math.entropy(0x400, filesize) >= 7.5
))
and filesize < 1000000
} }
rule apt_ProjectSauron_encrypted_SSPI { rule apt_ProjectSauron_encrypted_SSPI
meta: {
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect encrypted ProjectSauron SSPI samples" description = "Rule to detect encrypted ProjectSauron SSPI samples"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
condition: condition:
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and filesize < 1000000 and pe.exports("InitSecurityInterfaceA") and pe.characteristics & pe.DLL and (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and math.entropy(0x400, filesize) >= 7.5 }
filesize < 1000000 and
pe.exports("InitSecurityInterfaceA") and rule apt_ProjectSauron_MyTrampoline
pe.characteristics & pe.DLL and {
(pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and
math.entropy(0x400, filesize) >= 7.5
}
rule apt_ProjectSauron_MyTrampoline { meta:
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron MyTrampoline module" description = "Rule to detect ProjectSauron MyTrampoline module"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
strings: strings:
$a1 = ":\\System Volume Information\\{" wide $a1 = ":\\System Volume Information\\{" wide
$a2 = "\\\\.\\PhysicalDrive%d" wide $a2 = "\\\\.\\PhysicalDrive%d" wide
$a3 = "DMWndClassX%d" $a3 = "DMWndClassX%d"
$b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide $b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide
$b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide $b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide
condition: condition:
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and filesize < 5000000 and (all of ($a*) or any of ($b*)) }
filesize < 5000000 and
(all of ($a*) or any of ($b*)) rule apt_ProjectSauron_encrypted_container
} {
rule apt_ProjectSauron_encrypted_container { meta:
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron samples encrypted container" description = "Rule to detect ProjectSauron samples encrypted container"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
strings: strings:
$vfs_header = {02 AA 02 C1 02 0?} $vfs_header = {02 AA 02 C1 02 0?}
$salt = {91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55} $salt = {91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55}
condition: condition:
uint16(0) == 0x5A4D uint16(0) == 0x5A4D and ((@vfs_header < 0x4000) or $salt) and math.entropy(0x400, filesize) >= 6.5 and (filesize > 0x400) and filesize < 10000000 }
and ((@vfs_header < 0x4000) or $salt) and
math.entropy(0x400, filesize) >= 6.5 and
(filesize > 0x400) and filesize < 10000000
}
rule apt_ProjectSauron_encryption { rule apt_ProjectSauron_encryption
meta: {
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron string encryption" description = "Rule to detect ProjectSauron string encryption"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
strings:
strings:
$a1 = {81??02AA02C175??8B??0685} $a1 = {81??02AA02C175??8B??0685}
$a2 = {918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF} $a2 = {918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF}
$a3 = {803E225775??807E019F75??807E02BE75??807E0309} $a3 = {803E225775??807E019F75??807E02BE75??807E0309}
condition: condition:
filesize < 5000000 and filesize < 5000000 and any of ($a*)
any of ($a*)
} }
rule apt_ProjectSauron_generic_pipe_backdoor { rule apt_ProjectSauron_generic_pipe_backdoor
meta: {
meta:
copyright = "Kaspersky Lab" copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron generic pipe backdoors" description = "Rule to detect ProjectSauron generic pipe backdoors"
version = "1.0" version = "1.0"
reference = "https://securelist.com/blog/" reference = "https://securelist.com/blog/"
strings: strings:
$a = { C7 [2-3] 32 32 32 32 E8 } $a = { C7 [2-3] 32 32 32 32 E8 }
$b = { 42 12 67 6B } $b = { 42 12 67 6B }
$c = { 25 31 5F 73 } $c = { 25 31 5F 73 }
...@@ -143,7 +131,7 @@ strings: ...@@ -143,7 +131,7 @@ strings:
$e = "WS2_32" $e = "WS2_32"
condition: condition:
uint16(0) == 0x5A4D and uint16(0) == 0x5A4D and (all of them) and filesize < 400000
(all of them) and
filesize < 400000
} }
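Review bot: In the reformatted rules the closing brace of apt_ProjectSauron_encrypted_SSPI, apt_ProjectSauron_MyTrampoline and apt_ProjectSauron_encrypted_container is fused onto the end of the condition line (`... and math.entropy(0x400, filesize) >= 7.5 }`), whereas the remaining rules keep `}` on its own line; a detection set for a named actor is reviewed and diffed predicate by predicate, so collapsing the multi-line conditions into one long line also makes a later tightening of an entropy threshold or filesize bound harder to spot in review. I would keep one predicate per line, e.g. `uint16(0) == 0x5A4D and` / `filesize < 5000000 and` / `(all of ($a*) or any of ($b*))`, with the brace on the line below, consistently across all seven rules. Separately, apt_ProjectSauron_encryption is the only rule gated solely on `filesize < 5000000`, with no `uint16(0) == 0x5A4D` check in front of its short wildcarded opcode patterns; if that is deliberate (catching the string-decryption routine outside a PE container) a one-line comment above the rule stating so would help, since the header's false-positive warning suggests this set is intended for broad scanning.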