-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathAPT_APT15.yar
214 lines (200 loc) · 7.42 KB
/
APT_APT15.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
import "pe"
rule clean_apt15_patchedcmd{
meta:
author = "Ahmed Zaki"
description = "This is a patched CMD. This is the CMD that RoyalCli uses."
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
strings:
$ = "eisableCMD" wide
$ = "%WINDOWS_COPYRIGHT%" wide
$ = "Cmd.Exe" wide
$ = "Windows Command Processor" wide
condition:
all of them
}
rule malware_apt15_royalcli_1{
meta:
description = "Generic strings found in the Royal CLI tool"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
author = "David Cannings"
sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
strings:
$ = "%s~clitemp%08x.tmp" fullword
$ = "qg.tmp" fullword
$ = "%s /c %s>%s" fullword
$ = "hkcmd.exe" fullword
$ = "%snewcmd.exe" fullword
$ = "%shkcmd.exe" fullword
$ = "%s~clitemp%08x.ini" fullword
$ = "myRObject" fullword
$ = "myWObject" fullword
$ = "10 %d %x\x0D\x0A"
$ = "4 %s %d\x0D\x0A"
$ = "6 %s %d\x0D\x0A"
$ = "1 %s %d\x0D\x0A"
$ = "3 %s %d\x0D\x0A"
$ = "5 %s %d\x0D\x0A"
$ = "2 %s %d 0 %d\x0D\x0A"
$ = "2 %s %d 1 %d\x0D\x0A"
$ = "%s file not exist" fullword
condition:
5 of them
}
rule malware_apt15_royalcli_2{
meta:
author = "Nikolaos Pantazopoulos"
description = "APT15 RoyalCli backdoor"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
strings:
$string1 = "%shkcmd.exe" fullword
$string2 = "myRObject" fullword
$string3 = "%snewcmd.exe" fullword
$string4 = "%s~clitemp%08x.tmp" fullword
$string5 = "hkcmd.exe" fullword
$string6 = "myWObject" fullword
condition:
uint16(0) == 0x5A4D and 2 of them
}
rule malware_apt15_bs2005{
meta:
author = "Ahmed Zaki"
md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
description = "APT15 bs2005"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
strings:
$ = "%s&%s&%s&%s" wide ascii
$ = "%s\\%s" wide ascii
$ = "WarOnPostRedirect" wide ascii fullword
$ = "WarnonZoneCrossing" wide ascii fullword
$ = "^^^^^" wide ascii fullword
/*
"%s" /C "%s > "%s\tmp.txt" 2>&1 "
*/
$ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
$ ="IEharden" wide ascii fullword
$ ="DEPOff" wide ascii fullword
$ ="ShownVerifyBalloon" wide ascii fullword
$ ="IEHardenIENoWarn" wide ascii fullword
condition:
(uint16(0) == 0x5A4D and 5 of them) or
( uint16(0) == 0x5A4D and 3 of them and
( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
pe.imports("ole32.dll", "CoCreateInstance")))}
rule malware_apt15_royaldll{
meta:
author = "David Cannings"
description = "DLL implant, originally rights.dll and runs as a service"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
strings:
/*
56 push esi
B8 A7 C6 67 4E mov eax, 4E67C6A7h
83 C1 02 add ecx, 2
BA 04 00 00 00 mov edx, 4
57 push edi
90 nop
*/
// JSHash implementation (Justin Sobel's hash algorithm)
$opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
/*
0F B6 1C 03 movzx ebx, byte ptr [ebx+eax]
8B 55 08 mov edx, [ebp+arg_0]
30 1C 17 xor [edi+edx], bl
47 inc edi
3B 7D 0C cmp edi, [ebp+arg_4]
72 A4 jb short loc_10003F31
*/
// Encode loop, used to "encrypt" data before DNS request
$opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
/*
68 88 13 00 00 push 5000 # Also seen 3000, included below
FF D6 call esi ; Sleep
4F dec edi
75 F6 jnz short loc_10001554
*/
// Sleep loop
$opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }
// Generic strings
$ = "Nwsapagent" fullword
$ = "\"%s\">>\"%s\"\\s.txt"
$ = "myWObject" fullword
$ = "del c:\\windows\\temp\\r.exe /f /q"
$ = "del c:\\windows\\temp\\r.ini /f /q"
condition:
3 of them
}
rule malware_apt15_royaldll_2 {
meta:
author = "Ahmed Zaki"
sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
description = "DNS backdoor used by APT15"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
strings:
$= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
$= "netsvcs" wide ascii fullword
$= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
$= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$= "myWObject" wide ascii
condition:
uint16(0) == 0x5A4D and all of them
and pe.exports("ServiceMain")
and filesize > 50KB and filesize < 600KB
}
rule malware_apt15_exchange_tool {
meta:
author = "Ahmed Zaki"
md5 = "d21a7e349e796064ce10f2f6ede31c71"
description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
strings:
$s1= "subjectname" fullword
$s2= "sendername" fullword
$s3= "WebCredentials" fullword
$s4= "ExchangeVersion" fullword
$s5= "ExchangeCredentials" fullword
$s6= "slfilename" fullword
$s7= "EnumMail" fullword
$s8= "EnumFolder" fullword
$s9= "set_Credentials" fullword
$s10 = "/de" wide
$s11 = "/sn" wide
$s12 = "/sbn" wide
$s13 = "/list" wide
$s14 = "/enum" wide
$s15 = "/save" wide
$s16 = "/ao" wide
$s17 = "/sl" wide
$s18 = "/v or /t is null" wide
$s19 = "2007" wide
$s20 = "2010" wide
$s21 = "2010sp1" wide
$s22 = "2010sp2" wide
$s23 = "2013" wide
$s24 = "2013sp1" wide
condition:
uint16(0) == 0x5A4D and 15 of ($s*)
}
rule malware_apt15_generic {
meta:
author = "David Cannings"
description = "Find generic data potentially relating to AP15 tools"
reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
strings:
// Appears to be from copy/paste code
$str01 = "myWObject" fullword
$str02 = "myRObject" fullword
/*
6A 02 push 2 ; dwCreationDisposition
6A 00 push 0 ; lpSecurityAttributes
6A 00 push 0 ; dwShareMode
68 00 00 00 C0 push 0C0000000h ; dwDesiredAccess
50 push eax ; lpFileName
FF 15 44 F0 00 10 call ds:CreateFileA
*/
// Arguments for CreateFileA
$opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
condition:
2 of them
}