Integrate bartblaze YARA rules (chainguard-dev#255)

* Integrate bartblaze YARA rules

* make critical generics 'high'

* address review comments and lint

---------

Co-authored-by: Evan Gibler <[email protected]>

pkg/report/report.go

@@ -60,6 +60,13 @@ var yaraForgeJunkWords = map[string]bool{
 	"greyware":          true,
 }
 
+// thirdPartyCriticalSources are 3P sources that default to critical.
+var thirdPartyCriticalSources = map[string]bool{
+	"YARAForge": true,
+	"huntress":  true,
+	"bartblaze": true,
+}
+
 // authorWithURLRe matcehs "Arnim Rupp (https://github.com/ruppde)"
 var authorWithURLRe = regexp.MustCompile(`(.*?) \((http.*)\)`)
 
@@ -142,21 +149,23 @@ func ignoreMatch(tags []string, ignoreTags map[string]bool) bool {
 func behaviorRisk(ns string, rule string, tags []string) int {
 	risk := 1
 
-	// default to critical
 	if thirdParty(ns) {
-		risk = 4
+		risk = 3
+		src := strings.Split(ns, "/")[1]
 
-		// third party rules that are a bit looser
-		if strings.Contains(ns, "InQuest-VT") {
-			risk = 3
+		if thirdPartyCriticalSources[src] {
+			risk = 4
+			if strings.Contains(strings.ToLower(ns), "generic") || strings.Contains(strings.ToLower(rule), "generic") {
+				risk = 3
+			}
 		}
-	}
 
-	if strings.Contains(ns, "php-malware-finder") {
-		risk = 3
+		if strings.Contains(strings.ToLower(ns), "keyword") || strings.Contains(strings.ToLower(rule), "keyword") {
+			risk = 2
+		}
 	}
 
-	if strings.Contains(ns, "keyword") || strings.Contains(rule, "keyword") {
+	if strings.Contains(ns, "combo/") {
 		risk = 2
 	}
 
@@ -170,11 +179,6 @@ func behaviorRisk(ns string, rule string, tags []string) int {
 		"crit":       4,
 		"critical":   4,
 	}
-
-	if strings.Contains(ns, "combo/") {
-		risk = 2
-	}
-
 	for _, tag := range tags {
 		if r, ok := levels[tag]; ok {
 			risk = r

third_party/yara/bartblaze/APT/Confucius_B.yar

@@ -0,0 +1,28 @@
+rule Confucius_B
+{
+    meta:
+        id = "3AaavteplEPTLc29oIVtzm"
+        fingerprint = "f7a7224bfdbb79208776c856eb05a59ed75112376d0d3b28776305efc94c0414"
+        version = "1.0"
+        creation_date = "2020-04-01"
+        first_imported = "2021-12-30"
+        last_modified = "2021-12-30"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies Confucius malware."
+        category = "MALWARE"
+        malware = "CONFUCIUS"
+        malware_type = "BACKDOOR"
+        reference = "https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
+
+
+    strings:
+        $ = "----BONE-79A8DE0E314C50503FF2378aEB126363-" ascii wide
+        $ = "----MUETA-%.08x%.04x%.04x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x-" ascii wide
+        $ = "C:\\Users\\DMITRY-PC\\Documents\\JKE-Agent-Win32\\JKE_Agent_DataCollectorPlugin\\output\\Debug\\JKE_Agent_DumbTestPlugin.dll" ascii wide
+
+    condition:
+        any of them
+}

third_party/yara/bartblaze/APT/Cotx_RAT.yar

@@ -0,0 +1,56 @@
+import "pe"
+
+rule Cotx_RAT
+{
+    meta:
+        id = "44kYl6i8SEYFPSxi2Q3Lz3"
+        fingerprint = "47f671933c49fabc22117ef5e877efb33ba7fc0c437f6be3750ecca7cd27816a"
+        version = "1.0"
+        creation_date = "2019-07-01"
+        first_imported = "2021-12-30"
+        last_modified = "2021-12-30"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies Cotx RAT."
+        category = "MALWARE"
+        malware = "COTX"
+        malware_type = "RAT"
+        reference = "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
+
+    strings:
+        $ = "%4d-%02d-%02d %02d:%02d:%02d" ascii wide
+        $ = "%hs|%hs|%hs|%hs|%hs|%hs|%hs" ascii wide
+        $ = "%hs|%s|%hs|%s|%s|%s|%s|%s|%s|%s|%hs" ascii wide
+        $ = "%s;%s;%s;%.2f GB;%.2f GB|" ascii wide
+        $ = "Cmd shell is not running,or your cmd is error!" ascii wide
+        $ = "Domain:    [%s]" ascii wide
+        $ = "Error:Cmd file not exists!" ascii wide
+        $ = "Error:Create read pipe error!" ascii wide
+        $ = "Error:No user is logoned!" ascii wide
+        $ = "Error:You have in a shell,please exit first!" ascii wide
+        $ = "Error:You have in a shell,please exit it first!" ascii wide
+        $ = "Error:cmd.exe not exist!" ascii wide
+        $ = "LogonUser: [%s]" ascii wide
+        $ = "WriteFile session error!" ascii wide
+        $ = "You have no permission to write on" ascii wide
+        $ = "cannot delete directory:" ascii wide
+        $ = "cannot delete file:" ascii wide
+        $ = "cannot upload file to %s" ascii wide
+        $ = "copy failed:" ascii wide
+        $ = "exec failed:" ascii wide
+        $ = "exec ok:" ascii wide
+        $ = "explorer.exe" ascii wide
+        $ = "file list error:open path [%s] error." ascii wide
+        $ = "is already exist!" ascii wide
+        $ = "is not exist!" ascii wide
+        $ = "not exe:" ascii wide
+        $ = "open file error:" ascii wide
+        $ = "read file error:" ascii wide
+        $ = "set config items error." ascii wide
+        $ = "set config ok." ascii wide
+
+    condition:
+        15 of them or ( for any i in (0..pe.number_of_sections-1) : (pe.sections[i].name==".cotx"))
+}

third_party/yara/bartblaze/APT/RokRAT.yar

@@ -0,0 +1,41 @@
+rule RokRAT
+{
+meta:
+	id = "67CbAcgxp3LrNC8G138xsq"
+	fingerprint = "9a421d0257276c98d57abdaeb1e31e98956ec8ecf97d48827b35b527d174f35e"
+	version = "1.0"
+	modified = "2024-03-08"
+	status = "RELEASED"
+	sharing = "TLP:WHITE"
+	source = "BARTBLAZE"
+	author = "@bartblaze"
+	description = "Identifies RokRAT."
+	category = "MALWARE"
+	malware_type = "RAT"
+	reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
+
+strings:
+	$new_pe = {0f b6 03 8d 4b 05 03 c8 89 4? ?? 8b 44 18 01 89 4? ?? 8d ?? 98 f4 ff ff 50 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8d ?? 98 f4 ff ff 4f 8a 
+	4? ?? 47 84 c0 75 ?? 8b 5? ?? be ?? ?? ?? ?? 33 c0 8b c8 a5 a5 a5 a5 a4 8b 7? ?? 85 d2 74 ?? 8a 26 8a 04 31 32 c4 34 ?? 88 04 31 41 3b ca}
+
+	$str_1 = "%s%04X%04X.tmp" ascii wide
+	$str_2 = "360Tray.exe" ascii wide
+	$str_3 = "dir /A /S %s >> \"%%temp%%/%c_.TMP\"" ascii wide
+	$str_4 = "KB400928_doc.exe" ascii wide
+	$str_5 = "\\%d.dat" ascii wide
+	$str_6 = "%spid:%d,name:%s,path:%s%s" ascii wide
+	$str_7 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ascii wide
+
+	$comms_1 = "127.0.0.1" ascii wide
+	$comms_2 = "api.pcloud.com" ascii wide
+	$comms_3 = "my.pcloud.com" ascii wide
+	$comms_4 = "cloud-api.yandex.net" ascii wide
+	$comms_5 = "api.dropboxapi.com" ascii wide
+	$comms_6 = "content.dropboxapi.com" ascii wide
+	$comms_7 = "Content-Type: voice/mp3" ascii wide
+
+condition:
+	$new_pe or 
+	4 of ($str_*) or 
+	(6 of ($comms_*) and 2 of ($str_*))
+}

third_party/yara/bartblaze/APT/RoyalRoad_RTF.yar

@@ -0,0 +1,28 @@
+rule RoyalRoad_RTF
+{
+    meta:
+        id = "p1XW7z3B1sdN89zXF7Nel"
+        fingerprint = "52be45a991322fa96f4e806cf6fa7a77886f63799c1f67723484bc3796363a4e"
+        version = "1.0"
+        creation_date = "2020-01-01"
+        first_imported = "2021-12-30"
+        last_modified = "2021-12-30"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies RoyalRoad RTF, used by multiple Chinese APT groups."
+        category = "MALWARE"
+        malware = "ROYALROAD"        
+        malware_type = "EXPLOITKIT"
+        reference = "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html"
+
+
+    strings:
+        $rtf = "{\\rt"
+        $RR1 = "5C746D705C382E74" ascii wide nocase
+        $RR2 = "5C417070446174615C4C6F63616C5C54656D705C382E74" ascii wide nocase
+
+    condition:
+        $rtf at 0 and any of ($RR*)
+}

third_party/yara/bartblaze/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Bart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

third_party/yara/bartblaze/README.md

@@ -0,0 +1,56 @@
+# About
+## What is this?
+A repo containing some of my privately developed Yara rules.
+
+## Why?
+To contribute to the community.
+
+## Can I use these rules?
+Of course! That's why I created this repo. 
+
+You can use them in your detection systems. For example, [CAPE sandbox](https://github.com/kevoreilly/CAPEv2), [MalwareBazaar](https://bazaar.abuse.ch/), [UnPac.me](https://www.unpac.me/) and [VirusTotal](https://www.virustotal.com/) (must be logged in, signup is free) and others are using these rules. Furthermore, the rules can work natively with [AssemblyLine](https://www.cyber.gc.ca/en/tools-services/assemblyline) due to the CCCS Yara rule standard adoption.
+
+All rules are TLP:White, so you can use and distribute them freely. Please retain the meta. 
+
+## Help! A generic rule is hitting my software!
+If one of the rules in the [generic](https://github.com/bartblaze/Yara-rules/tree/master/rules/generic) rules section hits on your software: this is not a false positive. It is simply an objective fact that, for example, your software has been compiled or wrapped using AutoIT. It equally does **not** mean your software is malicious. 
+
+Note the meta also mentions _category = "**INFO**"_, in which case it is a purely generic or informational rule.
+
+## Actions
+There's two workflows running on this Github repository:
+
+* [YARA-CI](https://yara-ci.cloud.virustotal.com/): runs automatically to detect signature errors, as well as false positives and negatives.
+* [Package Yara rules](https://github.com/bartblaze/Yara-rules/blob/master/.github/workflows/yara.yml): allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab > Choose the last workflow run > Artifacts (see image below).
+
+![image](https://user-images.githubusercontent.com/3075118/113322817-731feb00-9315-11eb-86ab-94f133f07038.png)
+
+[![Package Yara Rules](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml/badge.svg)](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml)
+
+## Minimum Yara version needed?
+v3.3.0 is minimally needed, as some rules may require a specific module. Note that it's recommended to always use the latest Yara version as found [here](https://github.com/VirusTotal/yara/releases).
+
+## Do the rules work with Yara-X?
+[Yara-X](https://github.com/VirusTotal/yara-x), a rewrite of Yara in Rust, should have no difficulty running the rules in this repo. At time of writing, Yara-X v0.4.0 works fine with the rules presented here.
+
+## Feedback?
+If you spot an issue or improvement with one of the rules, feel free to submit a PR or open an Issue.
+
+# Extra
+
+## What is Yara?
+From the official Github repo, https://github.com/VirusTotal/yara:
+> YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
+
+More information: https://yara.readthedocs.io/en/stable/index.html
+
+## What is TLP?
+> The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.
+
+The rules in this repo are TLP:White.
+> Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
+
+More information: https://www.us-cert.gov/tlp
+
+## Where can I find other open-source Yara rules?
+InQuest has made a Github repo which contains a curated list of Yara rules: https://github.com/InQuest/awesome-yara.

third_party/yara/bartblaze/RELEASE

@@ -0,0 +1,3 @@
+/tmp/tmp.dxdSSSmhxM ~/src/bincapz/third_party/yara
+dd8cfd8c456159c7201f5d4209fe007dfff1636e
+~/src/bincapz/third_party/yara

third_party/yara/bartblaze/crimeware/Andromeda.yar

@@ -0,0 +1,41 @@
+rule Andromeda
+{
+    meta:
+        id = "66EiRJfwdRpNnHru6KDjKX"
+        fingerprint = "45a5315e4ffe5156ce4a7dc8e2d6e27d6152cd1d5ce327bfa576bf0c4a4767d8"
+        version = "1.0"
+        creation_date = "2021-03-01"
+        first_imported = "2022-01-24"
+        last_modified = "2022-01-24"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies Andromeda aka Gamarue botnet."
+        category = "MALWARE"
+        malware = "ANDROMEDA"
+        malware_type = "WORM"
+
+
+
+    strings:
+		//IndexerVolumeGuid
+        $ = { 8d ?? dc fd ff ff 50 8d ?? d8 fd ff ff 50 e8 ?? ?? ?? ?? 8a 00 53 68 ?? ?? ?? ?? 56
+    ff b? ?? ?? ?? ?? a2 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 18 53 ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53
+    53 ff 15 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 83 f8
+    ff 74 ?? 6a 01 50 ff 15 ?? ?? ?? ?? }
+        $ = { 83 c4 10 ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff b?
+    ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? }
+
+
+		/*
+		MOV        DL ,byte ptr SS :[EAX  + EBP *0x1  + 0xffffff00 ]
+		MOV        DH ,byte ptr SS :[EBX  + EBP *0x1  + 0xffffff00 ]
+		MOV        byte ptr SS :[EAX  + EBP *0x1  + 0xffffff00 ],DH
+		MOV        byte ptr SS :[EBX  + EBP *0x1  + 0xffffff00 ],DL
+		*/
+        $ = { 36 8a 94 28 00 ff ff ff 02 da 36 8a b4 2b 00 ff ff ff 36 88 b4 28 00 ff ff ff 36 88 94 2b 00 ff ff ff }
+
+    condition:
+        any of them
+}

third_party/yara/bartblaze/crimeware/ArechClient.yar

@@ -0,0 +1,27 @@
+rule ArechClient
+{
+    meta:
+        id = "1POsZzKWdklwDRUysnEJ9J"
+        fingerprint = "949f1c6596fffe0aca581e61bcc522e70775ad16c651875539c32d6de6801729"
+        version = "1.0"
+        creation_date = "2021-07-01"
+        first_imported = "2021-12-30"
+        last_modified = "2021-12-30"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies ArechClient, infostealer."
+        category = "MALWARE"
+        malware = "ARECHCLIENT"
+        malware_type = "INFOSTEALER"
+
+
+    strings:
+        $ = "is_secure" ascii wide
+        $ = "encrypted_value" ascii wide
+        $ = "host_keyexpires_utc" ascii wide
+
+    condition:
+        all of them
+}

third_party/yara/bartblaze/crimeware/ArechClient_Campaign_July2021.yar

@@ -0,0 +1,25 @@
+import "dotnet"
+
+rule ArechClient_Campaign_July2021
+{
+    meta:
+        id = "16N9HHtspErd7pE2A261Mh"
+        fingerprint = "971fcef8b604c185c14af001633a3f83297d183f47620a9c4fc014815b26a28f"
+        version = "1.0"
+        creation_date = "2021-07-01"
+        first_imported = "2021-12-30"
+        last_modified = "2021-12-30"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies ArechClient stealer's July 2021 campaign."
+        category = "MALWARE"
+        malware = "ARECHCLIENT"
+        malware_type = "INFOSTEALER"
+        reference = "https://twitter.com/bcrypt/status/1420471176137113601"
+
+
+    condition:
+        dotnet.guids[0]=="10867a7d-8f80-4d52-8c58-47f5626e7d52" or dotnet.guids[0]=="7596afea-18b9-41f9-91dd-bee131501b08"
+}