Commit a6f78737 by Marc Rivero López Committed by GitHub

Update APT_Sofacy_Bundestag.yar

parent 2752849c
......@@ -2,11 +2,15 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_sofacy_xtunnel : APT28 Sofacy {
rule apt_sofacy_xtunnel
{
meta:
author = "Claudio Guarnieri"
description = "Sofacy Malware - German Bundestag"
score = 75
strings:
$xaps = ":\\PROJECT\\XAPS_"
$variant11 = "XAPS_OBJECTIVE.dll" $variant12 = "start"
......@@ -20,11 +24,14 @@ rule apt_sofacy_xtunnel : APT28 Sofacy {
$mix7 = "i`m wait"
$mix8 = "hello"
$mix9 = "OpenSSL 1.0.1e 11 Feb 2013" $mix10 = "Xtunnel.exe"
condition:
((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*)))
}
rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
rule Sofacy_Bundestag_Winexe
{
meta:
description = "Winexe tool used by Sofacy group in Bundestag APT"
author = "Florian Roth"
......@@ -32,14 +39,18 @@ rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
date = "2015-06-19"
hash = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
score = 70
strings:
$s1 = "\\\\.\\pipe\\ahexec" fullword ascii
$s2 = "implevel" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
rule Sofacy_Bundestag_Mal2
{
meta:
description = "Sofacy Group Malware Sample 2"
author = "Florian Roth"
......@@ -47,16 +58,19 @@ rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
date = "2015-06-19"
hash = "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092"
score = 70
strings:
$x1 = "PROJECT\\XAPS_OBJECTIVE_DLL\\" ascii
$x2 = "XAPS_OBJECTIVE.dll" fullword ascii
$s1 = "i`m wait" fullword ascii
condition:
uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
}
rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
rule Sofacy_Bundestag_Mal3
{
meta:
description = "Sofacy Group Malware Sample 3"
author = "Florian Roth"
......@@ -64,6 +78,7 @@ rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
date = "2015-06-19"
hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
score = 70
strings:
$s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" fullword ascii
$s2 = ".?AVAgentModuleRemoteKeyLogger@@" fullword ascii
......@@ -74,29 +89,29 @@ rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
$s7 = ".microsoft.checkwinframe.com" fullword ascii
$s8 = "adobeincorp.com" fullword wide
$s9 = "# EXC: HttpSender - Cannot create Get Channel!" fullword ascii
$x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide
$x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide
$x3 = "C:\\Windows\\System32\\cmd.exe" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
2 of ($s*) or
( 1 of ($s*) and all of ($x*) )
)
uint16(0) == 0x5a4d and filesize < 300KB and ( 2 of ($s*) or ( 1 of ($s*) and all of ($x*) ))
}
rule Sofacy_Bundestag_Batch : APT28 Sofacy {
rule Sofacy_Bundestag_Batch
{
meta:
description = "Sofacy Bundestags APT Batch Script"
author = "Florian Roth"
reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
date = "2015-06-19"
score = 70
strings:
$s1 = "for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (" ascii
$s2 = "cmd /c copy"
$s3 = "forfiles"
condition:
filesize < 10KB and all of them
}
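Review bot: Every rule header in this file loses its `APT28 Sofacy` tags (`rule apt_sofacy_xtunnel : APT28 Sofacy {` becomes a bare `rule apt_sofacy_xtunnel` followed by `{` on its own line, and likewise for Sofacy_Bundestag_Winexe, Sofacy_Bundestag_Mal2, Sofacy_Bundestag_Mal3 and Sofacy_Bundestag_Batch), which silently breaks any scanner or SIEM pipeline that selects or routes matches by tag, e.g. `yara -t APT28`. If the intent is only to move the opening brace to its own line, keep the tags on the header: `rule apt_sofacy_xtunnel : APT28 Sofacy` and `{` on the next line. The rendered page has lost the `+`/`-` markers, so that the tag-less form is the new side is inferred from the hunk headers and line order. Separately, apt_sofacy_xtunnel's meta block carries only `author`, `description` and `score` while the sibling rules also record `reference` and `date`; adding those two fields would make the ruleset's provenance consistent.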