More coverage improvements for MalwareBazaar (#618)

* More coverage improvements for MalwareBazaar * rule tuning * rule tuning
chainguard-dev · Nov 13, 2024 · 29fb875 · 29fb875
1 parent 4b74b78
commit 29fb875
Show file tree

Hide file tree

Showing 58 changed files with 386 additions and 88 deletions.
diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
@@ -7,6 +7,8 @@ private rule probably_js {
     $f_return   = "return" fullword
     $f_var      = "var" fullword
     $f_Array    = "Array.prototype" fullword
+    $f_true     = "true);"
+    $f_run      = ".run("
 
   condition:
     filesize < 1MB and 3 of ($f*)
@@ -238,6 +240,17 @@ rule var_filler: high {
     #ref > 25
 }
 
+rule large_random_variables: high {
+  meta:
+    description = "contains large random variable names"
+
+  strings:
+    $ref = /var [a-zA-Z_]{32,256} = '.{4}/ fullword
+
+  condition:
+    probably_js and #ref > 1
+}
+
 rule large_obfuscated_array: high {
   meta:
     description = "contains large obfuscated arrays"

diff --git a/rules/anti-static/packer/nuitka.yara b/rules/anti-static/packer/nuitka.yara
@@ -0,0 +1,13 @@
+import "math"
+
+rule nuitka: critical {
+  meta:
+    description = "packed with Nuitka (Python compiler)"
+
+  strings:
+    $old = "onefile_%PID%_%TIME%"
+    $new = "{TEMP}/onefile_{PID}_{TIME}"
+
+  condition:
+    filesize < 25MB and any of them and math.entropy(0, filesize) > 7
+}
diff --git a/rules/anti-static/packer/pe.yara b/rules/anti-static/packer/pe.yara
@@ -0,0 +1,9 @@
+import "math"
+
+rule pe_packed: high windows {
+  meta:
+    description = "packed PE file (Windows EXE) with high entropy (>7)"
+
+  condition:
+    uint16(0) == 0x5a4d and math.entropy(0, filesize) > 7
+}
diff --git a/rules/c2/addr/server.yara b/rules/c2/addr/server.yara
@@ -21,16 +21,17 @@ rule server_addr_small: high {
     description = "may execute a shell and communicate with a server"
 
   strings:
-    $serverAddr    = "serverAddr"
-    $server_addr   = "server_addr"
-    $exec          = "exec"
-    $sh            = "/bin/sh" fullword
-    $sh_bash       = "/bin/bash" fullword
-    $sh_zsh        = "/bin/zsh" fullword
-    $sh_script     = "ShellScript"
-    $sh_exec       = "ExecShell"
-    $sh_cmd        = "cmd.exe"
-    $sh_powershell = "powershell.exe"
+    $serverAddr       = "serverAddr"
+    $server_addr      = "server_addr"
+    $server_connected = "connected to server"
+    $exec             = "exec"
+    $sh               = "/bin/sh" fullword
+    $sh_bash          = "/bin/bash" fullword
+    $sh_zsh           = "/bin/zsh" fullword
+    $sh_script        = "ShellScript"
+    $sh_exec          = "ExecShell"
+    $sh_cmd           = "cmd.exe"
+    $sh_powershell    = "powershell.exe"
 
     $hash_bang = "#!"
 

diff --git a/rules/c2/connect/server.yara b/rules/c2/connect/server.yara
@@ -0,0 +1,11 @@
+rule connect_server: medium {
+  meta:
+    description = "connects to a server"
+
+  strings:
+    $ = "connected to server" fullword
+
+  condition:
+    filesize < 1MB and any of them
+}
+
diff --git a/rules/c2/refs.yara b/rules/c2/refs.yara
@@ -40,3 +40,14 @@ rule remote_control: medium {
   condition:
     any of them
 }
+
+rule download_ref: medium {
+  meta:
+    description = "downloads files"
+
+  strings:
+    $download_file = "download file"
+
+  condition:
+    any of them
+}
diff --git a/rules/c2/tool_transfer/bitsadmin.yara b/rules/c2/tool_transfer/bitsadmin.yara
@@ -0,0 +1,24 @@
+rule bitsadmin: medium {
+  meta:
+    description = "mentions 'bitsadmin', often used for file transfers"
+
+  strings:
+    $bitsadmin = "bitsadmin" fullword
+
+  condition:
+    filesize < 250KB and all of them
+}
+
+rule bitsadmin_transfer: high {
+  meta:
+    description = "transfers files via 'bitsadmin'"
+
+  strings:
+    $bitsadmin = "bitsadmin"
+    $transfer  = "transfer"
+    $wscript   = "wscript"
+
+  condition:
+    filesize < 250KB and all of them
+}
+
diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara
@@ -20,6 +20,7 @@ rule download_sites: high {
     $d_anotepad      = "anotepad.com"
     $d_privnote      = "privnote.com"
     $d_hushnote      = /hushnote[\.\w\/]{3,16}/
+    $d_000webhostapp = "000webhostapp"
     $not_mozilla     = "download.mozilla.org"
     $not_google      = "dl.google.com"
     $not_manual      = "manually upload"
@@ -74,3 +75,34 @@ rule executable_url: high {
   condition:
     any of ($xec*) and none of ($not*)
 }
+
+rule http_archive_url: medium {
+  meta:
+    description = "accesses hardcoded archive file endpoint"
+
+  strings:
+    $ref         = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword
+    $not_foo_bar = "http://foo/bar.tar"
+
+  condition:
+    any of ($ref*) and none of ($not*)
+}
+
+private rule smallerBinary {
+  condition:
+    // matches ELF or machO binary
+    filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
+}
+
+rule http_archive_url_higher: high {
+  meta:
+    description = "accesses hardcoded archive file endpoint"
+
+  strings:
+    $ref         = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword
+    $not_foo_bar = "http://foo/bar.tar"
+
+  condition:
+    smallerBinary and any of ($ref*) and none of ($not*)
+}
+
diff --git a/rules/c2/tool_transfer/shell.yara b/rules/c2/tool_transfer/shell.yara
@@ -12,45 +12,50 @@ rule fetch_chmod_run_oneliner_value: critical {
     any of them
 }
 
-rule curl_chmod_relative_run: medium {
+rule tool_chmod_relative_run: medium {
   meta:
     description                                                                          = "may fetch file, make it executable, and run it"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
     hash_2023_Downloads_6e35                                                             = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
     hash_2023_Linux_Malware_Samples_df3b                                                 = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52"
 
   strings:
-    $f_curl      = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
+    $f_curl      = /(curl|wget) [\-\w \$\@\{\w\/\.\:]{0,96}/
     $f_chmod     = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
-    $f_dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+    $f_dot_slash = /\.\/[a-z\$]{1,2}[a-z\.\/\- ]{0,32}/ fullword
 
     $not_comment_curl = "# curl "
 
   condition:
     filesize < 1MB and all of ($f*) and none of ($not*)
 }
 
-rule curl_chmod_relative_run_tiny: critical {
+rule tool_chmod_relative_run_tiny: critical {
   meta:
-    description                                                                          = "change dir, fetch file, make it executable, and run it"
+    description                                                                          = "fetch file, make it executable, and run it"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
     hash_2023_Downloads_6e35                                                             = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
     hash_2023_Linux_Malware_Samples_df3b                                                 = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52"
 
   strings:
-    $cd        = /cd {1,2}[\/\$][\w\/]{0,16}/
-    $curl      = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
-    $chmod     = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
-    $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+    $must_cd     = /cd {1,2}[\/\$][\w\/]{0,16}/
+    $must_rm     = /rm -[rR]{0,1}f  {1,2}[\/\$][\w\/]{0,16}/
+    $o_curl      = /(curl|wget) [\-\w \$\@\{\w\/\.\:]{0,96}/
+    $o_chmod     = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
+    $o_dot_slash = /\.\/[\$a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+
+    $not_copyright_comment = "# Copyright"
+    $not_source            = "source ./"
+    $not_apache_license    = "Apache License"
 
   condition:
-    filesize < 6KB and all of them
+    filesize < 6KB and any of ($must*) and all of ($o*) and none of ($not*)
 }
 
 rule helm_test_env: override {
   meta:
     description                  = "helm_test_env"
-    curl_chmod_relative_run_tiny = "medium"
+    tool_chmod_relative_run_tiny = "medium"
 
   strings:
     $helm_curl = "curl -L https://get.helm.sh"
@@ -59,7 +64,7 @@ rule helm_test_env: override {
     $helm_curl
 }
 
-rule curl_tor_chmod_relative_run: high {
+rule tool_tor_chmod_relative_run: high {
   meta:
     description                                                                          = "change dir, fetch file via tor, make it executable, and run it"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
@@ -72,7 +77,7 @@ rule curl_tor_chmod_relative_run: high {
     $tor_onion = ".onion"
 
     $cd        = /cd {1,2}[\/\$][\w\/]{0,16}/
-    $curl      = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
+    $curl      = /(curl|wget) [\-\w \$\@\{\w\/\.\:]{0,96}/
     $chmod     = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
     $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
 
@@ -82,24 +87,6 @@ rule curl_tor_chmod_relative_run: high {
     filesize < 10MB and any of ($tor*) and $cd and $curl and $chmod and $dot_slash and filesize < 1MB and none of ($not*)
 }
 
-rule wget_chmod_relative_run: medium {
-  meta:
-    description                                                                          = "may fetch file, make it executable, and run it"
-    hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
-    hash_2023_Downloads_6e35                                                             = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
-    hash_2023_Linux_Malware_Samples_3059                                                 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
-
-  strings:
-    $f_wget      = /wget http[\-\w \$\@\{\w\/\.\:]{0,96}/
-    $f_chmod     = /chmod [\-\w \$\@\{\w\/\.]{0,64}/
-    $f_dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
-
-    $not_chmod_error = "chmod error"
-
-  condition:
-    filesize < 1MB and all of them
-}
-
 rule dev_null_rm: medium {
   strings:
     $dev_null_rm = /[ \w\.\/\&\-%]{0,32}\/dev\/null\;rm[ \w\/\&\.\-\%]{0,32}/
@@ -160,8 +147,7 @@ rule possible_dropper: high {
 
   strings:
     $http          = /https{0,1}:\/\/[\.\w\/\?\=\-]{1,64}/
-    $tool_curl_o   = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\.\- :\"\/]{0,64}/
-    $tool_wget_q   = "wget -"
+    $tool_curl_o   = /(curl|wget) [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\.\- :\"\/]{0,64}/
     $tool_lwp      = "lwp-download"
     $cmd_bash      = "bash" fullword
     $cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword

diff --git a/rules/credential/os/shadow.yara b/rules/credential/os/shadow.yara
@@ -26,3 +26,14 @@ rule npm_etc_shadow: high {
   condition:
     filesize < 16KB and $ref and $name and $scripts
 }
+
+rule getspnam: low {
+  meta:
+    description = "verifies passwords against /etc/shadow"
+
+  strings:
+    $getspnam = "getspnam@" fullword
+
+  condition:
+    filesize < 1MB and any of them
+}
diff --git a/rules/crypto/password.yara b/rules/crypto/password.yara
@@ -0,0 +1,11 @@
+rule crypt_user: low {
+  meta:
+    description = "password encryption via crypt(3)"
+    ref         = "https://man7.org/linux/man-pages/man3/crypt.3.html"
+
+  strings:
+    $ref = "crypt@@GLIBC"
+
+  condition:
+    any of them
+}
diff --git a/rules/data/embedded/embedded-base64-gzip.yara b/rules/data/embedded/embedded-base64-gzip.yara
@@ -1,3 +1,5 @@
+import "math"
+
 rule base64_gz: medium {
   meta:
     description                                                                = "Contains base64 gzip content"
@@ -12,17 +14,29 @@ rule base64_gz: medium {
     $header
 }
 
-rule base64_gz_small: high {
+rule base64_gz_high_entropy: high {
   meta:
-    description = "Contains base64 gzip content"
+    description = "high entropy (>6.5), contains base64 gzip content"
 
   strings:
-    $header             = "H4sIA"
-    $not_assertEquals   = "assertEquals" fullword
-    $not_test_case      = "test_case" fullword
-    $not_gzipped_binary = "gzipped binary" fullword
-    $not_example        = "H4sIAAAAAAAAAOlongstringtoken"
+    $header        = "H4sIA"
+    $not_cloudinit = "cloudinit" fullword
+
+  condition:
+    filesize < 2MB and math.entropy(1, filesize) >= 6.5 and $header and none of ($not*)
+}
+
+rule base64_obfuscated_js: critical {
+  meta:
+    description = "Contains base64 gzip content within high-entropy javascript"
+
+  strings:
+    $header = "H4sIA"
+    $       = "charAt("
+    $       = "substr("
+    $       = "join("
+    $       = "function("
 
   condition:
-    filesize < 32KB and $header and none of ($not*)
+    filesize < 2MB and all of them and math.entropy(1, filesize) >= 5.0
 }
diff --git a/rules/evasion/file/location/var-tmp.yara b/rules/evasion/file/location/var-tmp.yara
@@ -14,9 +14,11 @@ rule var_tmp_path_hidden: high {
     description = "path reference to hidden file within /var/tmp"
 
   strings:
-    $resolv = /var\/tmp\/\.[%\w\.\-\/]{0,64}/
+    $ref = /\/{0,1}var\/tmp\/\.[%\w\.\-\/]{0,64}/
+
+    $not_xfs = "var/tmp/.fsrlast_xfs"
 
   condition:
-    any of them
+    $ref and none of ($not*)
 }
 
diff --git a/rules/exec/script/activex.yara b/rules/exec/script/activex.yara
@@ -0,0 +1,10 @@
+rule ActiveXObject: medium windows {
+  meta:
+    description = "Create an ActiveX object"
+
+  strings:
+    $ActiveXObject = "ActiveXObject"
+
+  condition:
+    any of them
+}