Merge branch 'main' into add-overrides

chainguard-dev · Oct 1, 2024 · 82a57ed · 82a57ed
2 parents 3871455 + 54990d5
commit 82a57ed
Show file tree

Hide file tree

Showing 115 changed files with 1,324 additions and 110 deletions.
diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml
@@ -24,7 +24,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ jobs:
     - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
       with:
         egress-policy: audit
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
     - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8
     - name: Set up Octo-STS
       uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0

diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -45,7 +45,7 @@ jobs:
           egress-policy: audit
 
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -65,7 +65,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -99,7 +99,7 @@ jobs:
           egress-policy: audit
 
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2

diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml
@@ -24,7 +24,7 @@ jobs:
     - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
       with:
         egress-policy: audit 
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
     - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8
     - name: Set up Octo-STS
       uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0

diff --git a/Makefile b/Makefile
@@ -48,7 +48,7 @@ fix: $(FIXERS)
 # END: lint-install ../malcontent
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 84a2015439ad84d3005fa57d06d7a925acb9f2a3
+SAMPLES_COMMIT ?= 75ee4b4f3e5c29484811e77ffa9d5d02eb75218f
 OUT_DIR=out/samples-$(SAMPLES_COMMIT).tmp
 out/samples-$(SAMPLES_COMMIT):
 	mkdir -p out

diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -86,6 +86,7 @@ net/url/request
 persist/crontab
 process/chdir
 process/chroot
+process/executable_path
 process/find
 process/groups/set
 process/unshare

diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -83,6 +83,8 @@ var rulesWithWarnings = map[string]bool{
 	"Agenda_golang":                         false,
 	"bookworm_dll_UUID":                     false,
 	"cobaltstrike_offensive_tool_keyword":   false,
+	"amos":                                  true,
+	"echo_decode_bash":                      true,
 }
 
 func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) {

diff --git a/rules/admin/pip_install.yara b/rules/admin/pip_install.yara
@@ -1,15 +1,24 @@
 import "math"
 
+rule pip_installer_known_good : low {
+  meta:
+    description = "Installs software using pip from python"
+  strings:
+	$distro = /pip3{0,1} install distro/ fullword
+  condition:
+	any of them
+}
+
 rule pip_installer : high {
   meta:
     description = "Installs software using pip from python"
     hash_2022_2022_requests_3_0_0_setup = "15507092967fbd28ccb833d98c2ee49da09e7c79fd41759cd6f783672fe1c5cc"
     hash_2022_BeautifulSoup_new_3_0_0_setup = "975cd3986ba59ffab8df71227293dbf2534ffb572e028e3bd492d8d08ec1f090"
     hash_2022_SimpleCalc_2022_4_2_21_setup = "5b0f7b30b411d7e404786ab2266426db471a2c9d0d9cae593eb187a58a28bc4f"
   strings:
-    $ref = /pip[3 \'\"]{0,5}install[ \'\"\w\-\_%]{0,32}/
+    $ref = /pip3{0,1}[ \'\"\,]{0,5}install[ \'\"\,]{0,5}[\w\-\_\%]{0,32}/
   condition:
-    $ref
+    $ref and not pip_installer_known_good
 }
 
 rule pip_installer_fernet : critical {
@@ -28,6 +37,7 @@ rule pip_installer_url : critical {
 	ref = "https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/"
   strings:
 	$ref = /pip.{1,5}install.{1,4}https{0,1}:\/\/.{0,64}/
+
   condition:
 	filesize < 8192 and $ref
 }

diff --git a/rules/combo/degrader/daemon_killer.yara b/rules/combo/degrader/daemon_killer.yara
@@ -0,0 +1,8 @@
+rule win_kill_proc_likely : high {
+  meta:
+    description = "httpd killer, may block future attackers from entry"
+  strings:
+	$ref = "killall httpd"
+  condition:
+	 uint32(0) == 1179403647 and filesize < 1MB and $ref
+}
diff --git a/rules/combo/dropper/binary.yara b/rules/combo/dropper/binary.yara
@@ -0,0 +1,12 @@
+rule chmod_executable_shell_binary : high {
+  meta:
+    description = "executable makes another file executable"
+	filetypes = "macho,elf"
+  strings:
+    $chmod = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/
+    $chmod2 = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/
+	$http = "http:"
+	$https = "https:"
+  condition:
+     filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*)
+}
diff --git a/rules/combo/dropper/cocoa_bundle.yara b/rules/combo/dropper/cocoa_bundle.yara
diff --git a/rules/combo/dropper/fake_doc.yara b/rules/combo/dropper/fake_doc.yara
@@ -0,0 +1,20 @@
+rule fakedoc : critical {
+	meta:
+		description = "downloads and execute a program after opening a document"
+	strings:
+		$http = "http://"
+		$https = "https://"
+	    $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/\.]{0,64}/
+		$tool_wget_q = "wget -"
+		$tool_lwp = "lwp-download"
+		$cmd_bash = "bash" fullword
+		$cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
+		$cmd_rm = "rm" fullword
+		$cmd_sleep = "sleep" fullword
+		$cmd_echo = "echo" fullword
+		$cmd_chmod = "chmod" fullword
+
+		$open_doc = /open .{0,24}\.(pdf|xls|doc|rtf|txt)/ fullword
+	condition:
+		filesize < 768 and $open_doc and any of ($http*) and any of ($tool*) and any of ($cmd*)
+}
diff --git a/rules/combo/dropper/macos.yara b/rules/combo/dropper/macos.yara
@@ -0,0 +1,37 @@
+private rule macho {
+  strings:
+    $not_jar = "META-INF/"
+    $not_dwarf = "_DWARF"
+    $not_kext = "_.SYMDEF SORTED"
+  condition:
+    (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178) and none of ($not*)
+}
+
+rule macos_chflags_hidden : critical {
+  meta:
+    description = "dropper that hides it's payload using chflags"
+	hash = "e064158742c9a5f451e69b02e83eea9fb888623fafe34ff5b38036901d8419b4"
+	filetypes = "macho"
+  strings:
+	$c_curl = "curl" fullword
+	$c_chflags = "chflags" fullword
+	$c_hidden = "hidden" fullword
+	$c_chmod = "chmod" fullword
+  condition:
+    filesize < 5MB and all of them
+}
+
+rule cocoa_bundle_dropper : critical {
+  meta:
+    ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos"
+    hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4"
+  strings:
+    $bundle = "NSBundle" fullword
+    $url = "NSURL" fullword
+    $shared = "/Users/Shared" fullword
+    $aes = "AES" fullword
+    $download = "Download" fullword
+    $platform = "isPlatformOrVariantPlatformVersionAtLeast" fullword
+  condition:
+    macho and $shared and 5 of them
+}
diff --git a/rules/combo/dropper/python.yara b/rules/combo/dropper/python.yara
@@ -84,3 +84,20 @@ rule setuptools_dropper : critical {
 	condition:
 		pythonSetup and py_dropper
 }
+
+rule dropper_imports : high {
+	meta:
+		description = "imports modules known to be used by Python droppers"
+		filetypes = "python"
+	strings:
+		$http = "http"
+		$import = "import" fullword
+		$l_base64 = "base64" fullword
+		$l_platform = "platform" fullword
+		$l_os = "os" fullword
+		$l_subprocess = "subprocess" fullword
+		$l_sys = "sys" fullword
+		$l_requests = "requests" fullword
+	condition:
+		filesize < 4000 and $http and $import and 5 of ($l*)
+}
diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara
@@ -25,22 +25,41 @@ rule curl_chmod_relative_run : medium {
     all of them
 }
 
-
 rule curl_chmod_relative_run_tiny : critical {
   meta:
     description = "change dir, fetch file, make it executable, and run it"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
     hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
     hash_2023_Linux_Malware_Samples_df3b = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52"
   strings:
-	$cd = /cd {1,2}\/[\w\/]{0,16}/
+	$cd = /cd {1,2}[\/\$][\w\/]{0,16}/
     $curl = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
-    $chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/
+    $chmod = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
     $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
   condition:
     filesize < 6KB and all of them
 }
 
+rule curl_tor_chmod_relative_run : critical {
+  meta:
+    description = "change dir, fetch file via tor, make it executable, and run it"
+    hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
+    hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+    hash_2023_Linux_Malware_Samples_df3b = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52"
+  strings:
+	$tor2web = "tor2web"
+	$tor2socks = "tor2socks"
+	$tor_onion = ".onion"
+
+	$cd = /cd {1,2}[\/\$][\w\/]{0,16}/
+    $curl = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
+    $chmod = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
+    $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+  condition:
+     any of ($tor*) and $cd and $curl and $chmod and $dot_slash
+}
+
+
 
 rule wget_chmod_relative_run : medium {
   meta:
@@ -109,7 +128,7 @@ rule possible_dropper : high {
 	strings:
 		$http = "http://"
 		$https = "https://"
-	    $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
+	    $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\.\- :\"\/]{0,64}/
 		$tool_wget_q = "wget -"
 		$tool_lwp = "lwp-download"
 		$cmd_bash = "bash" fullword

diff --git a/rules/combo/exploit/pwnkit.yara b/rules/combo/exploit/pwnkit.yara
@@ -0,0 +1,30 @@
+
+rule polkit_pkexec_exploit : critical {
+  meta:
+    description = "polkit pkexec exploit (CVE-2021-4034)"
+  strings:
+    $ref = "PATH" fullword
+    $ref2 = "pkexec"
+	$ref3 = "reverse_shell"
+
+	$pwnkit = "PwnKit" 
+	$pwnkit2 = "pwnkit" 
+	$pwn_cve = "cve-2021-4034"
+	$pwn_CVE = "CVE-2021-4034"
+  condition:
+    any of ($pwn*) and any of ($ref*)
+}
+
+rule polkit_pkexec_exploit2 : critical {
+  meta:
+    description = "polkit pkexec exploit (CVE-2021-4034)"
+  strings:
+	$ref = "GCONV_PATH=."
+	$ref2 = "CMDTOEXECUTE"
+	$ref3 = "NOTTY_PORT"
+	$ref4 = "payload.so"
+	$ref5 = "pkexec"
+	$ref6 = "main.gconv_init"
+  condition:
+    4 of them
+}
diff --git a/rules/combo/stealer/notes.yara b/rules/combo/stealer/notes.yara
@@ -0,0 +1,10 @@
+rule stickies: critical {
+  meta:
+	description = "steals the contents of macos Stickies application"
+  strings:
+	$note_group = "group.com.apple.notes"
+	$note_other = "NoteStore.sqlite"
+	$upload = "upload"
+  condition:
+    all of them
+}
diff --git a/rules/combo/stealer/pam.yara b/rules/combo/stealer/pam.yara
@@ -21,3 +21,12 @@ rule pam_passwords : high {
   condition:
     $auth and $pass and any of ($f*)
 }
+
+rule pam_passwords_rootkit : critical {
+	meta:
+		description = "records passwords and installs a rootkit"
+	strings:
+		$rootkit = "rootkit"
+	condition:
+		any of them and pam_passwords
+}