Address false positives for Chromium, KOTS, and Nuclei (#368)
* Address false positives for Chromium, KOTS, and Nuclei

* Add additional Chromium string

Signed-off-by: egibs <[email protected]>

* Sort

Signed-off-by: egibs <[email protected]>

* More specific string for kots

Signed-off-by: egibs <[email protected]>

* Chromium rule parity

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
egibs authored Jul 17, 2024
1 parent 445a139 commit cc7791f
Showing 3 changed files with 16 additions and 1 deletion.
6 changes: 6 additions & 0 deletions rules/combo/stealer/browser.yara
Expand Up @@ -52,6 +52,9 @@ rule multiple_browser_refs : critical {
$name_opera = "Opera Software"
$name_yandex = "YandexBrowser"
$not_chromium = "ChromiumBrowser"
$not_chromium_comment = "When this is enabled, Chromium can use"
$not_chromium_issues = "https://issues.chromium.org/"
$not_google = "developed by Google"
$not_google_chrome_software = "The Google Chrome software"
$not_bugzilla = "https://bugzilla.mozilla.org"
Expand Down Expand Up @@ -87,6 +90,9 @@ rule userdata_browser_archiver : medium {
$b_Safari = "Safari"
$b_Chrome = "Chrome"
$not_chromium = "ChromiumBrowser"
$not_chromium_comment = "When this is enabled, Chromium can use"
$not_chromium_issues = "https://issues.chromium.org/"
$not_google = "developed by Google"
$not_google_chrome_software = "The Google Chrome software"
$not_bugzilla = "https://bugzilla.mozilla.org"
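Review bot: `$not_chromium_issues = "https://issues.chromium.org/"` and `$not_chromium_comment` are exclusion strings that, assuming they feed a `none of ($not*)` clause as the other rules touched by this commit do (the condition of both `multiple_browser_refs` and `userdata_browser_archiver` lies outside the hunks), let any sample silence a critical rule by carrying a public 28-byte URL — cheap for a stealer author who reads this repository to plant. Consider keeping single-string exclusions for the `medium` rule only and, for the `critical` one, requiring several `$not_chromium*` strings together (e.g. `not (2 of ($not_chromium*))`) rather than any one of them. Each `$not_` line would also benefit from a trailing comment naming the artifact that produced the false positive, e.g. `$not_chromium_issues = "https://issues.chromium.org/" // FP: Chromium builds (#368)`, so the next maintainer can re-validate the exclusion instead of guessing.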
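--- a/rules/combo/stealer/wallet.yara
+++ b/rules/combo/stealer/wallet.yara
@@ -24,6 +24,13 @@ rule crypto_stealer : critical {
 $w_trezor = "Trezor"
 $w_exodus = "Exodus"
 $w_coinomi = "Coinomi"
+$not_cats = /\"cats\": \[[^]]{0,64}/
+$not_description = /\"description\": "([^"]{0,64})"/
+$not_dom = /\"dom\": "([^"]{0,64})"/
+$not_icon = /\"icon\": "([^"]{0,64})"/
+$not_js = /\"js\": \{[^}]{0,64}/
+$not_scriptsrc = /\"scriptSrc\": "([^"]{0,64})"/
+$not_website = /\"website\": "([^"]{0,64})"/
 condition:
-$http and 2 of ($w*)
+$http and 2 of ($w*) and none of ($not*)
 }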
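Review bot: The new `none of ($not*)` clause turns seven generic JSON keys into a kill switch for a critical rule: `$not_description` matches `"description": "…"`, which is present in virtually every package.json and browser-extension manifest.json, and `$not_icon`/`$not_website` are nearly as common, so a stealer shipped alongside such a manifest now escapes `crypto_stealer` for free. The seven strings look like one fingerprint-catalogue schema (`cats`, `dom`, `icon`, `js`, `scriptSrc`, `website` occurring together), so require the co-occurrence rather than any single key: `$http and 2 of ($w*) and not (4 of ($not*))`. The capture groups in `([^"]{0,64})` are never referenced and can be dropped for readability, and a comment on the block naming the data set that caused the false positive (Nuclei, per the commit title) would let a later maintainer re-validate it. The rule header and the `$http` declaration lie above the hunk.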
2 changes: 2 additions & 0 deletions rules/evasion/base64-php_functions.yara
Expand Up @@ -59,6 +59,7 @@ rule base64_php_functions : medium {
$f_wp_nonce_field = "wp_nonce_field" base64
$f_wp_verify_nonce = "wp_verify_nonce" base64
$not_comment = "// processing instruction, e.g. <?php ?>"
$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
condition:
$php and $base64_decode and any of ($f_*) and none of ($not*)
Expand Down Expand Up @@ -124,6 +125,7 @@ rule base64_php_functions_multiple : critical {
$f_wp_nonce_field = "wp_nonce_field" base64
$f_wp_verify_nonce = "wp_verify_nonce" base64
$not_comment = "// processing instruction, e.g. <?php ?>"
$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
condition:
$php and $base64_decode and 2 of ($f_*) and none of ($not*)
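Review bot: `$not_mongosh_php` is a 22-byte hex pattern with no comment saying what it is or where it was seen; the bytes decode to `<?php`, fourteen bytes of binary, then `?>`, and nothing in the line tells a reader why that is benign. Add a comment above it in both rules, e.g. `// "<?php" + binary bytes + "?>" as embedded in the mongosh binary (#368); not a PHP script` — hedged as "presumably mongosh", since only the string name says so. Because both rules gate on `none of ($not*)`, a PHP file that embeds these same 22 bytes (for instance inside a string literal) suppresses both the medium and the critical rule; scoping the exclusion to files that do not begin with a PHP open tag would close that, e.g. `$php and $base64_decode and any of ($f_*) and not (any of ($not*) and uint32be(0) != 0x3C3F7068)` (files starting with a BOM or whitespace would need a looser check). The rule headers and the `$php`/`$base64_decode` declarations lie outside the hunks.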
