Initial Java support (particularly credential stealers) (#679)

* Initial support for Java * run gofumpt * Initial support for Java * rename rule
chainguard-dev · Dec 8, 2024 · c1a5736 · c1a5736
1 parent 6d0a8e4
commit c1a5736
Show file tree

Hide file tree

Showing 88 changed files with 469 additions and 41 deletions.
diff --git a/pkg/action/archive.go b/pkg/action/archive.go
@@ -34,9 +34,9 @@ var archiveMap = map[string]bool{
 	".gz":     true,
 	".jar":    true,
 	".rpm":    true,
+	".tar":    true,
 	".tar.gz": true,
 	".tar.xz": true,
-	".tar":    true,
 	".tgz":    true,
 	".whl":    true,
 	".xz":     true,

diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -961,6 +961,17 @@
                     "ID": "fs/file/delete_forcibly",
                     "RuleName": "rm_force"
                 },
+                {
+                    "Description": "opens files",
+                    "MatchStrings": [
+                        "openFile"
+                    ],
+                    "RiskScore": 1,
+                    "RiskLevel": "LOW",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open",
+                    "ID": "fs/file/open",
+                    "RuleName": "java_open"
+                },
                 {
                     "Description": "reads files",
                     "MatchStrings": [
@@ -1972,6 +1983,18 @@
                     "ID": "net/http/2",
                     "RuleName": "http2"
                 },
+                {
+                    "Description": "accepts binary files via HTTP",
+                    "MatchStrings": [
+                        "Accept",
+                        "application/octet-stream"
+                    ],
+                    "RiskScore": 2,
+                    "RiskLevel": "MEDIUM",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary",
+                    "ID": "net/http/accept",
+                    "RuleName": "http_accept_binary"
+                },
                 {
                     "Description": "set HTTP response encoding format (example: gzip)",
                     "MatchStrings": [
@@ -2038,10 +2061,14 @@
                 {
                     "Description": "submits content to websites",
                     "MatchStrings": [
-                        "Content-Type",
+                        "Content-Type for PUTeach colon",
+                        "Content-Type headerdid not find expected alp",
+                        "Content-Type isn",
+                        "Content-Type: text/plain",
+                        "Content-TypeCookie.Valuecontent",
+                        "Content-Typenet/http: timeout awaiting respo",
                         "HTTP",
-                        "POST",
-                        "http"
+                        "POST"
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",

diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -107,6 +107,7 @@ var rulesWithWarnings = map[string]bool{
 	"macho_opaque_binary_long_str":          true,
 	"long_str":                              true,
 	"macho_backdoor_libc_signature":         true,
+	"http_accept":                           true,
 }
 
 func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) {

diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go
@@ -24,6 +24,7 @@ var supportedKind = map[string]string{
 	"bin":     "application/octet-stream",
 	"c":       "text/x-c",
 	"cc":      "text/x-c",
+	"class":   "application/java-vm",
 	"com":     "application/octet-stream",
 	"cpp":     "text/x-c",
 	"cron":    "text/x-cron",

diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara
@@ -28,3 +28,14 @@ rule setuptools_random: critical {
   condition:
     random_behavior_pythonSetup and $ref and none of ($not*)
 }
+
+rule java_random: low {
+  meta:
+    description = "exhibits random behavior"
+
+  strings:
+    $ref = "java/util/Random"
+
+  condition:
+    any of them
+}
diff --git a/rules/anti-static/macho/tiny.yara b/rules/anti-static/macho/tiny.yara
@@ -3,10 +3,8 @@ rule impossibly_small_macho_program: medium {
     description = "machO binary is unusually small"
 
   strings:
-    $not_jar   = "META-INF/"
-    $not_dwarf = "_DWARF"
-    $not_kext  = "_.SYMDEF SORTED"
+    $stub_helper = "__stub_helper"
 
   condition:
-    filesize < 16384 and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178) and none of ($not*)
+    filesize < 16384 and (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca) and $stub_helper
 }
diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara
@@ -7,6 +7,9 @@ rule download_sites: high {
     $d_privatebin    = /[\w\.]+privatebin[\w\.]{1,4}\//
     $d_pastecode_dot = /pastecode\.[\w\.]{2,16}/
     $d_paste_dot     = /\/paste\.[\w\.]{2,3}\//
+    $d_api_paste_dot = /\/api\.paste\.[\w\.]{2,3}\//
+    $d_storj         = /link\.storjshare\.io[\/\w\.]{0,64}/
+
     $d_discord       = "cdn.discordapp.com"
     $d_pastebinger   = "paste.bingner.com"
     $d_transfer_sh   = "transfer.sh"

diff --git a/rules/credential/gaming/minecraft.yara b/rules/credential/gaming/minecraft.yara
@@ -3,10 +3,34 @@ rule minecraft: medium {
     description = "Has references to Minecraft"
 
   strings:
-    $val1 = "minecraft" fullword
-    $val2 = "Minecraft" fullword
-    $val3 = "MINECRAFT" fullword
+    $val1 = "minecraft"
+    $val2 = "Minecraft"
+    $val3 = "MINECRAFT"
 
   condition:
     any of them
 }
+
+rule hidden_minecraft: medium {
+  meta:
+    description = "accesses minecraft configuration data"
+
+  strings:
+    $val1 = ".minecraft" fullword
+
+  condition:
+    any of them
+}
+
+rule essential_microsoft_accounts: high {
+  meta:
+    description = "accesses Minecraft credentials"
+
+  strings:
+    $ = "microsoft_accounts.json"
+    $ = "essential"
+
+  condition:
+    all of them
+}
+
diff --git a/rules/credential/gaming/minecraft_feather.yara b/rules/credential/gaming/minecraft_feather.yara
@@ -0,0 +1,11 @@
+rule minecraft_feather: high {
+  meta:
+    description = "accesses Minecraft credentials (Feather)"
+
+  strings:
+    $ = ".feather"
+    $ = "accounts.json"
+
+  condition:
+    all of them
+}
diff --git a/rules/credential/gaming/minecraft_meteor.yara b/rules/credential/gaming/minecraft_meteor.yara
@@ -0,0 +1,11 @@
+rule minecraft_meteor: high {
+  meta:
+    description = "accesses Minecraft credentials (Meteor)"
+
+  strings:
+    $ = ".meteor-client"
+    $ = "accounts.nbt"
+
+  condition:
+    all of them
+}
diff --git a/rules/crypto/uuid.yara b/rules/crypto/uuid.yara
@@ -8,3 +8,14 @@ rule random_uuid: medium {
   condition:
     any of them
 }
+
+rule uuid: harmless {
+  meta:
+    description = "generates a random UUID"
+
+  strings:
+    $java = "java/util/UUID"
+
+  condition:
+    any of them
+}
diff --git a/rules/data/base64/base64-encode.yara b/rules/data/base64/base64-encode.yara
@@ -0,0 +1,68 @@
+rule base64_encode: medium python {
+  meta:
+    description = "encode base64 strings"
+    ref         = "https://docs.python.org/3/library/base64.html"
+
+  strings:
+    $b64encode = "b64encode"
+
+  condition:
+    any of them
+}
+
+rule py_base64_encode: medium php {
+  meta:
+    description = "encode base64 strings"
+
+  strings:
+    $b64encode = "base64_encode"
+
+  condition:
+    any of them
+}
+
+rule ruby_base64_encode: medium ruby {
+  meta:
+    description = "encode base64 strings"
+
+  strings:
+    $b64encode = /[\._]encode64/
+
+  condition:
+    any of them
+}
+
+rule urlsafe_encode64: medium ruby {
+  meta:
+    description = "encode base64 strings"
+    ref         = "https://ruby-doc.org/3.3.0/stdlibs/base64/Base64.html"
+
+  strings:
+    $urlsafe_encode64_ruby = "urlsafe_encode64"
+
+  condition:
+    any of them
+}
+
+rule powershell_encode: medium {
+  meta:
+    description = "encode base64 strings"
+    ref         = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
+
+  strings:
+    $ref = /System\.Convert[\]: ]+ToBase64String/ ascii
+
+  condition:
+    any of them
+}
+
+rule java_base64_encode: medium {
+  meta:
+    description = "encode base64 strings"
+
+  strings:
+    $ref = "Base64$Encoder"
+
+  condition:
+    any of them
+}
diff --git a/rules/evasion/mimicry/fake-library.yara b/rules/evasion/mimicry/fake-library.yara
@@ -28,7 +28,7 @@ rule libc_fake_number_val: high {
     description = "references a non-standard libc library (normally libc.so.6)"
 
   strings:
-    $ref            = /libc.so.[2345789]/
+    $ref            = /libc.so.[234589]/
     $not_go_example = "libc.so.96.1"
 
   condition:

diff --git a/rules/exec/dylib/replace.yara b/rules/exec/dylib/replace.yara
@@ -0,0 +1,11 @@
+rule java_replacement_class: medium java {
+  meta:
+    description = "runtime override of a class"
+    filetypes   = "class,java"
+
+  strings:
+    $replace = "loadReplacementClass"
+
+  condition:
+    any of them
+}
diff --git a/rules/exec/program/opaque.yara b/rules/exec/program/opaque.yara
@@ -1,6 +1,9 @@
 private rule program_small_macho {
+  strings:
+    $stub_helper = "__stub_helper"
+
   condition:
-    filesize < 1MB and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
+    filesize < 1MB and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and $stub_helper
 }
 
 import "math"

diff --git a/rules/exec/shell/command.yara b/rules/exec/shell/command.yara
@@ -13,6 +13,18 @@ rule system: medium {
     all of them in (1000..3000)
 }
 
+rule generic: medium {
+  meta:
+    description = "run a command"
+
+  strings:
+    $runCommand  = "runCommand" fullword
+    $RUN_COMMAND = "RUN_COMMAND" fullword
+
+  condition:
+    any of them
+}
+
 rule generic_shell_exec: medium {
   meta:
     description = "execute a shell command"

diff --git a/rules/exfil/stealer/browser.yara b/rules/exfil/stealer/browser.yara
@@ -1,3 +1,15 @@
+rule cookies: medium {
+  meta:
+    description = "may access cookies"
+
+  strings:
+    $Cookies = "Cookies"
+    $cookies = "cookies"
+
+  condition:
+    filesize < 128KB and any of them
+}
+
 rule multiple_browser_credentials: high {
   meta:
     description = "accesses credentials from multiple browsers"
@@ -236,3 +248,15 @@ rule select_chrome_logins: high {
   condition:
     filesize < 128KB and all of them
 }
+
+rule cookie_crawler: high {
+  meta:
+    description = "crawls directories looking for application cookies"
+
+  strings:
+    $crawlCookies = "crawlCookies"
+    $appdata      = "appData"
+
+  condition:
+    filesize < 1MB and all of them
+}
diff --git a/rules/exfil/stealer/userdata.yara b/rules/exfil/stealer/userdata.yara
@@ -0,0 +1,11 @@
+rule userdata_crawler: high {
+  meta:
+    description = "crawls directories looking for application data"
+
+  strings:
+    $crawlCookies = "crawlUserData"
+    $appdata      = "appData"
+
+  condition:
+    filesize < 1MB and all of them
+}
diff --git a/rules/fs/directory/directory-create.yara b/rules/fs/directory/directory-create.yara
@@ -9,6 +9,7 @@ rule mkdir {
     $createFolder = "createFolder" fullword
     $py           = "os.makedirs" fullword
     $win          = /CreateDirectory\w{0,8}/
+    $java         = "createDirectories"
 
   condition:
     any of them

diff --git a/rules/fs/directory/directory-list.yara b/rules/fs/directory/directory-list.yara
@@ -66,3 +66,16 @@ rule PythonListDir {
   condition:
     any of them
 }
+
+rule java_listdir {
+  meta:
+    description = "lists contents of a directory"
+    pledge      = "rpath"
+    filetypes   = "class,java"
+
+  strings:
+    $listFiles = "listFiles"
+
+  condition:
+    any of them
+}