Commit
ff29528e
authored
Jan 23, 2017
by
Marc Rivero López
Committed by
GitHub
Jan 23, 2017
Update APT_Turla_RUAG.yar
parent
c47b4d51
Showing
1 changed file
with
53 additions
and
25 deletions
+53
-25
APT_Turla_RUAG.yar
malware/APT_Turla_RUAG.yar
+53
-25
malware/APT_Turla_RUAG.yar
...
@@ -3,7 +3,9 @@
...
@@ -3,7 +3,9 @@
*/
*/
rule Turla_APT_srsvc {
rule Turla_APT_srsvc
{
meta:
meta:
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -12,19 +14,21 @@ rule Turla_APT_srsvc {
...
@@ -12,19 +14,21 @@ rule Turla_APT_srsvc {
date = "2016-06-09"
date = "2016-06-09"
hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"
hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"
strings:
strings:
$x1 = "SVCHostServiceDll.dll" fullword ascii
$x1 = "SVCHostServiceDll.dll" fullword ascii
$s2 = "msimghlp.dll" fullword wide
$s2 = "msimghlp.dll" fullword wide
$s3 = "srservice" fullword wide
$s3 = "srservice" fullword wide
$s4 = "ModStart" fullword ascii
$s4 = "ModStart" fullword ascii
$s5 = "ModStop" fullword ascii
$s5 = "ModStop" fullword ascii
condition:
condition:
( uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or all of ($s*) ) )
( uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or all of ($s*) ) ) or ( all of them )
or ( all of them )
}
}
rule Turla_APT_Malware_Gen1 {
rule Turla_APT_Malware_Gen1
{
meta:
meta:
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -41,12 +45,12 @@ rule Turla_APT_Malware_Gen1 {
...
@@ -41,12 +45,12 @@ rule Turla_APT_Malware_Gen1 {
hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
strings:
strings:
$x1 = "too long data for this type of transport" fullword ascii
$x1 = "too long data for this type of transport" fullword ascii
$x2 = "not enough server resources to complete operation" fullword ascii
$x2 = "not enough server resources to complete operation" fullword ascii
$x3 = "Task not execute. Arg file failed." fullword ascii
$x3 = "Task not execute. Arg file failed." fullword ascii
$x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii
$x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii
$s1 = "peer has closed the connection" fullword ascii
$s1 = "peer has closed the connection" fullword ascii
$s2 = "tcpdump.exe" fullword ascii
$s2 = "tcpdump.exe" fullword ascii
$s3 = "windump.exe" fullword ascii
$s3 = "windump.exe" fullword ascii
...
@@ -57,12 +61,14 @@ rule Turla_APT_Malware_Gen1 {
...
@@ -57,12 +61,14 @@ rule Turla_APT_Malware_Gen1 {
$s8 = "ettercap.exe" fullword ascii
$s8 = "ettercap.exe" fullword ascii
$s9 = "miniport.dat" fullword ascii
$s9 = "miniport.dat" fullword ascii
$s10 = "net_password=%s" fullword ascii
$s10 = "net_password=%s" fullword ascii
condition:
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 2 of ($x*) or 8 of ($s*) ) )
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 2 of ($x*) or 8 of ($s*) ) ) or ( 12 of them )
or ( 12 of them )
}
}
rule Turla_APT_Malware_Gen2 {
rule Turla_APT_Malware_Gen2
{
meta:
meta:
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -73,6 +79,7 @@ rule Turla_APT_Malware_Gen2 {
...
@@ -73,6 +79,7 @@ rule Turla_APT_Malware_Gen2 {
hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
strings:
strings:
$x1 = "Internal command not support =((" fullword ascii
$x1 = "Internal command not support =((" fullword ascii
$x2 = "L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|" fullword ascii
$x2 = "L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|" fullword ascii
...
@@ -84,7 +91,6 @@ rule Turla_APT_Malware_Gen2 {
...
@@ -84,7 +91,6 @@ rule Turla_APT_Malware_Gen2 {
$x8 = "\\\\%s\\pipe\\comnode" fullword ascii
$x8 = "\\\\%s\\pipe\\comnode" fullword ascii
$x9 = "Plugin dll stop failed." fullword ascii
$x9 = "Plugin dll stop failed." fullword ascii
$x10 = "AS_USER:LogonUser():%d" fullword ascii
$x10 = "AS_USER:LogonUser():%d" fullword ascii
$s1 = "MSIMGHLP.DLL" fullword wide
$s1 = "MSIMGHLP.DLL" fullword wide
$s2 = "msimghlp.dll" fullword ascii
$s2 = "msimghlp.dll" fullword ascii
$s3 = "ximarsh.dll" fullword ascii
$s3 = "ximarsh.dll" fullword ascii
...
@@ -92,12 +98,14 @@ rule Turla_APT_Malware_Gen2 {
...
@@ -92,12 +98,14 @@ rule Turla_APT_Malware_Gen2 {
$s5 = "INTERNAL.dll" fullword ascii
$s5 = "INTERNAL.dll" fullword ascii
$s6 = "\\\\.\\Global\\PIPE\\" fullword ascii
$s6 = "\\\\.\\Global\\PIPE\\" fullword ascii
$s7 = "ieuser.exe" fullword ascii
$s7 = "ieuser.exe" fullword ascii
condition:
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 5 of ($s*) ) )
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 5 of ($s*) ) ) or ( 10 of them )
or ( 10 of them )
}
}
rule Turla_APT_Malware_Gen3 {
rule Turla_APT_Malware_Gen3
{
meta:
meta:
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
description = "Detects Turla malware (based on sample used in the RUAG APT case)"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -113,6 +121,7 @@ rule Turla_APT_Malware_Gen3 {
...
@@ -113,6 +121,7 @@ rule Turla_APT_Malware_Gen3 {
hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
strings:
strings:
$x1 = "\\\\.\\pipe\\sdlrpc" fullword ascii
$x1 = "\\\\.\\pipe\\sdlrpc" fullword ascii
$x2 = "WaitMutex Abandoned %p" fullword ascii
$x2 = "WaitMutex Abandoned %p" fullword ascii
...
@@ -122,7 +131,6 @@ rule Turla_APT_Malware_Gen3 {
...
@@ -122,7 +131,6 @@ rule Turla_APT_Malware_Gen3 {
$x6 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii
$x6 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii
$x7 = "OPER|Wrong config: no auth|" fullword ascii
$x7 = "OPER|Wrong config: no auth|" fullword ascii
$x8 = "OPER|Sniffer '%s' running... ooopppsss...|" fullword ascii
$x8 = "OPER|Sniffer '%s' running... ooopppsss...|" fullword ascii
$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii
$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii
$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii
$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii
$s3 = "www.yahoo.com" fullword ascii
$s3 = "www.yahoo.com" fullword ascii
...
@@ -132,9 +140,9 @@ rule Turla_APT_Malware_Gen3 {
...
@@ -132,9 +140,9 @@ rule Turla_APT_Malware_Gen3 {
$s7 = "/javascript/view.php" fullword ascii
$s7 = "/javascript/view.php" fullword ascii
$s8 = "Task %d failed %s,%d" fullword ascii
$s8 = "Task %d failed %s,%d" fullword ascii
$s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii
$s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii
condition:
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) )
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) ) or ( 10 of them )
or ( 10 of them )
}
}
/*
/*
Yara Rule Set
Yara Rule Set
...
@@ -144,52 +152,65 @@ rule Turla_APT_Malware_Gen3 {
...
@@ -144,52 +152,65 @@ rule Turla_APT_Malware_Gen3 {
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/
*/
rule RUAG_Tavdig_Malformed_Executable {
rule RUAG_Tavdig_Malformed_Executable
{
meta:
meta:
description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
author = "Florian Roth"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
reference = "https://goo.gl/N5MEj0"
score = 60
score = 60
condition:
condition:
uint16(0) == 0x5a4d and /* MZ Header
*/
/* MZ Header and malformed PE header > 0x0bad
*/
uint
32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
uint
16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x0000AD0B
}
}
rule RUAG_Bot_Config_File {
rule RUAG_Bot_Config_File
{
meta:
meta:
description = "Detects a specific config file used by malware in RUAG APT case"
description = "Detects a specific config file used by malware in RUAG APT case"
author = "Florian Roth"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
reference = "https://goo.gl/N5MEj0"
score = 60
score = 60
strings:
strings:
$s1 = "[CONFIG]" ascii
$s1 = "[CONFIG]" ascii
$s2 = "name = " ascii
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
$s3 = "exe = cmd.exe" ascii
condition:
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
$s1 at 0 and $s2 and $s3 and filesize < 160
}
}
rule RUAG_Cobra_Malware {
rule RUAG_Cobra_Malware
{
meta:
meta:
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
author = "Florian Roth"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
reference = "https://goo.gl/N5MEj0"
score = 60
score = 60
strings:
strings:
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
condition:
condition:
uint16(0) == 0x5a4d and $s1
uint16(0) == 0x5a4d and $s1
}
}
rule RUAG_Cobra_Config_File {
rule RUAG_Cobra_Config_File
{
meta:
meta:
description = "Detects a config text file used by malware Cobra in RUAG case"
description = "Detects a config text file used by malware Cobra in RUAG case"
author = "Florian Roth"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
reference = "https://goo.gl/N5MEj0"
score = 60
score = 60
strings:
strings:
$h1 = "[NAME]" ascii
$h1 = "[NAME]" ascii
$s1 = "object_id=" ascii
$s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword
$s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii
$s3 = "lastconnect" ascii
...
@@ -200,24 +221,28 @@ rule RUAG_Cobra_Config_File {
...
@@ -200,24 +221,28 @@ rule RUAG_Cobra_Config_File {
$s8 = "run_task_system" ascii
$s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
$s10 = "address1" ascii
condition:
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
$h1 at 0 and 8 of ($s*) and filesize < 5KB
}
}
rule RUAG_Exfil_Config_File {
rule RUAG_Exfil_Config_File
{
meta:
meta:
description = "Detects a config text file used in data exfiltration in RUAG case"
description = "Detects a config text file used in data exfiltration in RUAG case"
author = "Florian Roth"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
reference = "https://goo.gl/N5MEj0"
score = 60
score = 60
strings:
strings:
$h1 = "[TRANSPORT]" ascii
$h1 = "[TRANSPORT]" ascii
$s1 = "system_pipe" ascii
$s1 = "system_pipe" ascii
$s2 = "spstatus" ascii
$s2 = "spstatus" ascii
$s3 = "adaptable" ascii
$s3 = "adaptable" ascii
$s4 = "post_frag" ascii
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
$s5 = "pfsgrowperiod" ascii
condition:
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
$h1 at 0 and all of ($s*) and filesize < 1KB
}
}
...
@@ -230,6 +255,7 @@ import "pe"
...
@@ -230,6 +255,7 @@ import "pe"
rule WaterBug_turla_dll
rule WaterBug_turla_dll
{
{
meta:
meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL"
description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response"
author = "Symantec Security Response"
...
@@ -242,8 +268,10 @@ rule WaterBug_turla_dll
...
@@ -242,8 +268,10 @@ rule WaterBug_turla_dll
condition:
condition:
pe.exports("ee") and $a
pe.exports("ee") and $a
}
}
rule turla_dropper
rule turla_dropper
{
{
meta:
meta:
maltype = "turla dropper"
maltype = "turla dropper"
ref = "https://github.com/reed1713"
ref = "https://github.com/reed1713"
...
...