Skip to content

Commit

Permalink
Integrate bartblaze YARA rules (chainguard-dev#255)
Browse files Browse the repository at this point in the history
* Integrate bartblaze YARA rules

* make critical generics 'high'

* address review comments and lint

---------

Co-authored-by: Evan Gibler <[email protected]>
  • Loading branch information
tstromberg and egibs authored Jun 10, 2024
1 parent ff19192 commit 5bc6a23
Show file tree
Hide file tree
Showing 94 changed files with 3,911 additions and 28 deletions.
32 changes: 18 additions & 14 deletions pkg/report/report.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,13 @@ var yaraForgeJunkWords = map[string]bool{
"greyware": true,
}

// thirdPartyCriticalSources are 3P sources that default to critical.
var thirdPartyCriticalSources = map[string]bool{
"YARAForge": true,
"huntress": true,
"bartblaze": true,
}

// authorWithURLRe matcehs "Arnim Rupp (https://github.com/ruppde)"
var authorWithURLRe = regexp.MustCompile(`(.*?) \((http.*)\)`)

Expand Down Expand Up @@ -142,21 +149,23 @@ func ignoreMatch(tags []string, ignoreTags map[string]bool) bool {
func behaviorRisk(ns string, rule string, tags []string) int {
risk := 1

// default to critical
if thirdParty(ns) {
risk = 4
risk = 3
src := strings.Split(ns, "/")[1]

// third party rules that are a bit looser
if strings.Contains(ns, "InQuest-VT") {
risk = 3
if thirdPartyCriticalSources[src] {
risk = 4
if strings.Contains(strings.ToLower(ns), "generic") || strings.Contains(strings.ToLower(rule), "generic") {
risk = 3
}
}
}

if strings.Contains(ns, "php-malware-finder") {
risk = 3
if strings.Contains(strings.ToLower(ns), "keyword") || strings.Contains(strings.ToLower(rule), "keyword") {
risk = 2
}
}

if strings.Contains(ns, "keyword") || strings.Contains(rule, "keyword") {
if strings.Contains(ns, "combo/") {
risk = 2
}

Expand All @@ -170,11 +179,6 @@ func behaviorRisk(ns string, rule string, tags []string) int {
"crit": 4,
"critical": 4,
}

if strings.Contains(ns, "combo/") {
risk = 2
}

for _, tag := range tags {
if r, ok := levels[tag]; ok {
risk = r
Expand Down
28 changes: 28 additions & 0 deletions third_party/yara/bartblaze/APT/Confucius_B.yar
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
rule Confucius_B
{
meta:
id = "3AaavteplEPTLc29oIVtzm"
fingerprint = "f7a7224bfdbb79208776c856eb05a59ed75112376d0d3b28776305efc94c0414"
version = "1.0"
creation_date = "2020-04-01"
first_imported = "2021-12-30"
last_modified = "2021-12-30"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies Confucius malware."
category = "MALWARE"
malware = "CONFUCIUS"
malware_type = "BACKDOOR"
reference = "https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"


strings:
$ = "----BONE-79A8DE0E314C50503FF2378aEB126363-" ascii wide
$ = "----MUETA-%.08x%.04x%.04x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x-" ascii wide
$ = "C:\\Users\\DMITRY-PC\\Documents\\JKE-Agent-Win32\\JKE_Agent_DataCollectorPlugin\\output\\Debug\\JKE_Agent_DumbTestPlugin.dll" ascii wide
condition:
any of them
}
56 changes: 56 additions & 0 deletions third_party/yara/bartblaze/APT/Cotx_RAT.yar
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
import "pe"

rule Cotx_RAT
{
meta:
id = "44kYl6i8SEYFPSxi2Q3Lz3"
fingerprint = "47f671933c49fabc22117ef5e877efb33ba7fc0c437f6be3750ecca7cd27816a"
version = "1.0"
creation_date = "2019-07-01"
first_imported = "2021-12-30"
last_modified = "2021-12-30"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies Cotx RAT."
category = "MALWARE"
malware = "COTX"
malware_type = "RAT"
reference = "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"

strings:
$ = "%4d-%02d-%02d %02d:%02d:%02d" ascii wide
$ = "%hs|%hs|%hs|%hs|%hs|%hs|%hs" ascii wide
$ = "%hs|%s|%hs|%s|%s|%s|%s|%s|%s|%s|%hs" ascii wide
$ = "%s;%s;%s;%.2f GB;%.2f GB|" ascii wide
$ = "Cmd shell is not running,or your cmd is error!" ascii wide
$ = "Domain: [%s]" ascii wide
$ = "Error:Cmd file not exists!" ascii wide
$ = "Error:Create read pipe error!" ascii wide
$ = "Error:No user is logoned!" ascii wide
$ = "Error:You have in a shell,please exit first!" ascii wide
$ = "Error:You have in a shell,please exit it first!" ascii wide
$ = "Error:cmd.exe not exist!" ascii wide
$ = "LogonUser: [%s]" ascii wide
$ = "WriteFile session error!" ascii wide
$ = "You have no permission to write on" ascii wide
$ = "cannot delete directory:" ascii wide
$ = "cannot delete file:" ascii wide
$ = "cannot upload file to %s" ascii wide
$ = "copy failed:" ascii wide
$ = "exec failed:" ascii wide
$ = "exec ok:" ascii wide
$ = "explorer.exe" ascii wide
$ = "file list error:open path [%s] error." ascii wide
$ = "is already exist!" ascii wide
$ = "is not exist!" ascii wide
$ = "not exe:" ascii wide
$ = "open file error:" ascii wide
$ = "read file error:" ascii wide
$ = "set config items error." ascii wide
$ = "set config ok." ascii wide
condition:
15 of them or ( for any i in (0..pe.number_of_sections-1) : (pe.sections[i].name==".cotx"))
}
41 changes: 41 additions & 0 deletions third_party/yara/bartblaze/APT/RokRAT.yar
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
rule RokRAT
{
meta:
id = "67CbAcgxp3LrNC8G138xsq"
fingerprint = "9a421d0257276c98d57abdaeb1e31e98956ec8ecf97d48827b35b527d174f35e"
version = "1.0"
modified = "2024-03-08"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies RokRAT."
category = "MALWARE"
malware_type = "RAT"
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"

strings:
$new_pe = {0f b6 03 8d 4b 05 03 c8 89 4? ?? 8b 44 18 01 89 4? ?? 8d ?? 98 f4 ff ff 50 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8d ?? 98 f4 ff ff 4f 8a
4? ?? 47 84 c0 75 ?? 8b 5? ?? be ?? ?? ?? ?? 33 c0 8b c8 a5 a5 a5 a5 a4 8b 7? ?? 85 d2 74 ?? 8a 26 8a 04 31 32 c4 34 ?? 88 04 31 41 3b ca}
$str_1 = "%s%04X%04X.tmp" ascii wide
$str_2 = "360Tray.exe" ascii wide
$str_3 = "dir /A /S %s >> \"%%temp%%/%c_.TMP\"" ascii wide
$str_4 = "KB400928_doc.exe" ascii wide
$str_5 = "\\%d.dat" ascii wide
$str_6 = "%spid:%d,name:%s,path:%s%s" ascii wide
$str_7 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ascii wide
$comms_1 = "127.0.0.1" ascii wide
$comms_2 = "api.pcloud.com" ascii wide
$comms_3 = "my.pcloud.com" ascii wide
$comms_4 = "cloud-api.yandex.net" ascii wide
$comms_5 = "api.dropboxapi.com" ascii wide
$comms_6 = "content.dropboxapi.com" ascii wide
$comms_7 = "Content-Type: voice/mp3" ascii wide
condition:
$new_pe or
4 of ($str_*) or
(6 of ($comms_*) and 2 of ($str_*))
}
28 changes: 28 additions & 0 deletions third_party/yara/bartblaze/APT/RoyalRoad_RTF.yar
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
rule RoyalRoad_RTF
{
meta:
id = "p1XW7z3B1sdN89zXF7Nel"
fingerprint = "52be45a991322fa96f4e806cf6fa7a77886f63799c1f67723484bc3796363a4e"
version = "1.0"
creation_date = "2020-01-01"
first_imported = "2021-12-30"
last_modified = "2021-12-30"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies RoyalRoad RTF, used by multiple Chinese APT groups."
category = "MALWARE"
malware = "ROYALROAD"
malware_type = "EXPLOITKIT"
reference = "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html"


strings:
$rtf = "{\\rt"
$RR1 = "5C746D705C382E74" ascii wide nocase
$RR2 = "5C417070446174615C4C6F63616C5C54656D705C382E74" ascii wide nocase
condition:
$rtf at 0 and any of ($RR*)
}
21 changes: 21 additions & 0 deletions third_party/yara/bartblaze/LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2020 Bart

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
56 changes: 56 additions & 0 deletions third_party/yara/bartblaze/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# About
## What is this?
A repo containing some of my privately developed Yara rules.

## Why?
To contribute to the community.

## Can I use these rules?
Of course! That's why I created this repo.

You can use them in your detection systems. For example, [CAPE sandbox](https://github.com/kevoreilly/CAPEv2), [MalwareBazaar](https://bazaar.abuse.ch/), [UnPac.me](https://www.unpac.me/) and [VirusTotal](https://www.virustotal.com/) (must be logged in, signup is free) and others are using these rules. Furthermore, the rules can work natively with [AssemblyLine](https://www.cyber.gc.ca/en/tools-services/assemblyline) due to the CCCS Yara rule standard adoption.

All rules are TLP:White, so you can use and distribute them freely. Please retain the meta.

## Help! A generic rule is hitting my software!
If one of the rules in the [generic](https://github.com/bartblaze/Yara-rules/tree/master/rules/generic) rules section hits on your software: this is not a false positive. It is simply an objective fact that, for example, your software has been compiled or wrapped using AutoIT. It equally does **not** mean your software is malicious.

Note the meta also mentions _category = "**INFO**"_, in which case it is a purely generic or informational rule.

## Actions
There's two workflows running on this Github repository:

* [YARA-CI](https://yara-ci.cloud.virustotal.com/): runs automatically to detect signature errors, as well as false positives and negatives.
* [Package Yara rules](https://github.com/bartblaze/Yara-rules/blob/master/.github/workflows/yara.yml): allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab > Choose the last workflow run > Artifacts (see image below).

![image](https://user-images.githubusercontent.com/3075118/113322817-731feb00-9315-11eb-86ab-94f133f07038.png)

[![Package Yara Rules](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml/badge.svg)](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml)

## Minimum Yara version needed?
v3.3.0 is minimally needed, as some rules may require a specific module. Note that it's recommended to always use the latest Yara version as found [here](https://github.com/VirusTotal/yara/releases).

## Do the rules work with Yara-X?
[Yara-X](https://github.com/VirusTotal/yara-x), a rewrite of Yara in Rust, should have no difficulty running the rules in this repo. At time of writing, Yara-X v0.4.0 works fine with the rules presented here.

## Feedback?
If you spot an issue or improvement with one of the rules, feel free to submit a PR or open an Issue.

# Extra

## What is Yara?
From the official Github repo, https://github.com/VirusTotal/yara:
> YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
More information: https://yara.readthedocs.io/en/stable/index.html

## What is TLP?
> The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.
The rules in this repo are TLP:White.
> Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
More information: https://www.us-cert.gov/tlp

## Where can I find other open-source Yara rules?
InQuest has made a Github repo which contains a curated list of Yara rules: https://github.com/InQuest/awesome-yara.
3 changes: 3 additions & 0 deletions third_party/yara/bartblaze/RELEASE
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
/tmp/tmp.dxdSSSmhxM ~/src/bincapz/third_party/yara
dd8cfd8c456159c7201f5d4209fe007dfff1636e
~/src/bincapz/third_party/yara
41 changes: 41 additions & 0 deletions third_party/yara/bartblaze/crimeware/Andromeda.yar
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
rule Andromeda
{
meta:
id = "66EiRJfwdRpNnHru6KDjKX"
fingerprint = "45a5315e4ffe5156ce4a7dc8e2d6e27d6152cd1d5ce327bfa576bf0c4a4767d8"
version = "1.0"
creation_date = "2021-03-01"
first_imported = "2022-01-24"
last_modified = "2022-01-24"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies Andromeda aka Gamarue botnet."
category = "MALWARE"
malware = "ANDROMEDA"
malware_type = "WORM"



strings:
//IndexerVolumeGuid
$ = { 8d ?? dc fd ff ff 50 8d ?? d8 fd ff ff 50 e8 ?? ?? ?? ?? 8a 00 53 68 ?? ?? ?? ?? 56
ff b? ?? ?? ?? ?? a2 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 18 53 ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53
53 ff 15 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? a3 ?? ?? ?? ?? 83 f8
ff 74 ?? 6a 01 50 ff 15 ?? ?? ?? ?? }
$ = { 83 c4 10 ff b? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? ff b? ?? ?? ?? ?? ff b?
?? ?? ?? ?? ff 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? }
/*
MOV DL ,byte ptr SS :[EAX + EBP *0x1 + 0xffffff00 ]
MOV DH ,byte ptr SS :[EBX + EBP *0x1 + 0xffffff00 ]
MOV byte ptr SS :[EAX + EBP *0x1 + 0xffffff00 ],DH
MOV byte ptr SS :[EBX + EBP *0x1 + 0xffffff00 ],DL
*/
$ = { 36 8a 94 28 00 ff ff ff 02 da 36 8a b4 2b 00 ff ff ff 36 88 b4 28 00 ff ff ff 36 88 94 2b 00 ff ff ff }
condition:
any of them
}
27 changes: 27 additions & 0 deletions third_party/yara/bartblaze/crimeware/ArechClient.yar
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
rule ArechClient
{
meta:
id = "1POsZzKWdklwDRUysnEJ9J"
fingerprint = "949f1c6596fffe0aca581e61bcc522e70775ad16c651875539c32d6de6801729"
version = "1.0"
creation_date = "2021-07-01"
first_imported = "2021-12-30"
last_modified = "2021-12-30"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies ArechClient, infostealer."
category = "MALWARE"
malware = "ARECHCLIENT"
malware_type = "INFOSTEALER"


strings:
$ = "is_secure" ascii wide
$ = "encrypted_value" ascii wide
$ = "host_keyexpires_utc" ascii wide
condition:
all of them
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
import "dotnet"

rule ArechClient_Campaign_July2021
{
meta:
id = "16N9HHtspErd7pE2A261Mh"
fingerprint = "971fcef8b604c185c14af001633a3f83297d183f47620a9c4fc014815b26a28f"
version = "1.0"
creation_date = "2021-07-01"
first_imported = "2021-12-30"
last_modified = "2021-12-30"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies ArechClient stealer's July 2021 campaign."
category = "MALWARE"
malware = "ARECHCLIENT"
malware_type = "INFOSTEALER"
reference = "https://twitter.com/bcrypt/status/1420471176137113601"


condition:
dotnet.guids[0]=="10867a7d-8f80-4d52-8c58-47f5626e7d52" or dotnet.guids[0]=="7596afea-18b9-41f9-91dd-bee131501b08"
}
Loading

0 comments on commit 5bc6a23

Please sign in to comment.