Create APT_EnergeticBear_backdoored_ssh.yar

from https://securelist.com/energetic-bear-crouching-yeti/85345/

Create APT_EnergeticBear_backdoored_ssh.yar
from https://securelist.com/energetic-bear-crouching-yeti/85345/
e6d94dcb · Mike Worth · GitHub · 7966196c · e6d94dcb
Unverified Commit e6d94dcb authored Apr 24, 2018 by Mike Worth Committed by GitHub Apr 24, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

APT_EnergeticBear_backdoored_ssh.yar malware/APT_EnergeticBear_backdoored_ssh.yar +12 -0

No files found.
--- a/malware/APT_EnergeticBear_backdoored_ssh.yar
+++ b/malware/APT_EnergeticBear_backdoored_ssh.yar
+rule Backdoored_ssh {
+meta:
+author = "Kaspersky"
+reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
+actor = "Energetic Bear/Crouching Yeti"
+strings:
+$a1 = "OpenSSH"
+$a2 = "usage: ssh"
+$a3 = "HISTFILE"
+condition:
+uint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)
+}