Update APT_HiddenCobra.yar

Adding all rules from https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

malware/APT_HiddenCobra.yar

@@ -4,7 +4,7 @@ meta:
 
 	description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" 
 	author = "US-CERT"
-	url = "https://www.us-cert.gov/ncas/alerts/TA17-164A?platform=hootsuite"
+	url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
 
 strings:
 
@@ -35,7 +35,7 @@ meta:
 
     description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" 
     author = "US-CERT"
-    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A?platform=hootsuite"
+    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
 
 strings:
 
@@ -56,7 +56,7 @@ meta:
 
     description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" 
     author = "US-CERT"
-    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A?platform=hootsuite"
+    url = "https://www.us-cert.gov/ncas/alerts/TA17-164A"
 
 strings:
 
@@ -65,3 +65,105 @@ $randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B
 condition: 
     $randomUrlBuilder
 }
+
+
+rule Malware_Updater
+{
+meta:
+	Author="US-CERT Code Analysis Team"
+	Date="2017/08/02"
+	Incident="10132963"
+	MD5_1="8F4FC2E10B6EC15A01E0AF24529040DD"
+	MD5_2="584AC94142F0B7C0DF3D0ADDE6E661ED"
+	Info="Malware may be used to update multiple systems with secondary payloads"
+	super_rule=1
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10132963.pdf"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$s0 = { 8A4C040480F15D80C171884C04044083F8107CEC }
+	$s1 = { 8A4D0080F19580E97C884D00454B75F0 }
+condition: 
+	any of them
+} 
+
+rule Unauthorized_Proxy_Server_RAT
+{
+meta:
+	Author="US-CERT Code Analysis Team"
+	Incident="10135536"
+	MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
+	MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
+	Info="Detects Proxy Server RAT"
+	super_rule = 1
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
+	$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
+	$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
+	$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
+	$s4 = {B91A7900008A140780F29A8810404975F4}
+	$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
+	$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
+	$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
+	$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
+	$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
+	$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
+	$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
+	$s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
+	$s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}
+condition:
+	any of them
+} 
+
+rule NK_SSL_PROXY{
+meta:
+	Author = "US-CERT Code Analysis Team"
+	Date = "2018/01/09"
+	MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
+	MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
+	Info= "Detects NK SSL PROXY"
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
+	$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
+	$s2 = {4775401F713435747975366867766869375E2524736466}
+	$s3 = {67686667686A75797566676467667472}
+	$s4 = {6D2A5E265E676866676534776572}
+	$s5 = {3171617A5853444332337765}
+	$s6 = "ghfghjuyufgdgftr"
+	$s7 = "q45tyu6hgvhi7^%$sdf"
+	$s8 = "m*^&^ghfge4wer"
+condition:
+	($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
+} 
+
+rule r4_wiper_1
+{
+meta:
+	source = "NCCIC Partner"
+	date = "2017-12-12"
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	$mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 }
+	$controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A 24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ?? ?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 }
+condition:
+	uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and any of them
+}
+
+rule r4_wiper_2
+{
+meta:
+	source = "NCCIC Partner"
+	date = "2017-12-12"
+	report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
+	report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
+strings:
+	// BIOS Extended Write
+	$PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide
+	$ExtendedWrite = { B4 43 B0 00 CD 13 }
+condition:
+	uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them
+}