Added rules of Operation poisoned handover

Added rules of Operation poisoned handover

Added rules of Operation poisoned handover
fccbc46a · j0sm1 · e99fd474 · fccbc46a
Commit fccbc46a authored May 26, 2015 by j0sm1
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 0 deletions

Miscelanea.yar malware/Miscelanea.yar +32 -0

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -1044,3 +1044,35 @@ rule spyeye_plugins : banker
 	condition:
 		any of them
 }
+
+rule callTogether_certificate
+{
+    meta:
+        Author      = "Fireeye Labs"
+        Date        = "2014/11/03" 
+        Description = "detects binaries signed with the CallTogether certificate"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
+
+    strings:
+        $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C }
+        $o = "CallTogether, Inc."
+
+    condition:
+        $serial and $o
+}
+
+rule qti_certificate
+{
+    meta:
+        Author      = "Fireeye Labs"
+        Date        = "2014/11/03" 
+        Description = "detects binaries signed with the QTI International Inc certificate"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
+
+    strings:
+        $cn = "QTI International Inc"
+        $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
+
+    condition:
+        $cn and $serial
+}