cousy285
diff --git a/‎invisimole/invisimole.yar
Lines changed: 297 additions & 0 deletions b/‎invisimole/invisimole.yar
Lines changed: 297 additions & 0 deletions
diff --git a/‎invisimole/sigma/win_apt_invisimole_cpl_chain.yml
Lines changed: 55 additions & 0 deletions b/‎invisimole/sigma/win_apt_invisimole_cpl_chain.yml
Lines changed: 55 additions & 0 deletions
diff --git a/‎invisimole/sigma/win_apt_invisimole_eternalblue.yml
Lines changed: 22 additions & 0 deletions b/‎invisimole/sigma/win_apt_invisimole_eternalblue.yml
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,297 @@
+// For feedback or questions contact us at: [email protected]
+// https://github.com/eset/malware-ioc/
+//
+// These YARA rules are provided to the community under the two-clause BSD
+// license as follows:
+//
+// Copyright (c) 2021, ESET
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+
+import "pe"
+
+private rule InvisiMole_Blob {
+    meta:
+        description = "Detects InvisiMole blobs by magic values"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $magic_old_32 = {F9 FF D0 DE}
+        $magic_old_64 = {64 FF D0 DE}
+        $magic_new_32 = {86 DA 11 CE}
+        $magic_new_64 = {64 DA 11 CE}
+
+    condition:
+        ($magic_old_32 at 0) or ($magic_old_64 at 0) or ($magic_new_32 at 0) or ($magic_new_64 at 0)
+}
+
+rule apt_Windows_InvisiMole_Logs {
+    meta:
+        description = "Detects log files with collected created by InvisiMole's RC2CL backdoor"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    condition:
+        uint32(0) == 0x08F1CAA1 or
+        uint32(0) == 0x08F1CAA2 or
+        uint32(0) == 0x08F1CCC0 or
+        uint32(0) == 0x08F2AFC0 or
+        uint32(0) == 0x083AE4DF or
+        uint32(0) == 0x18F2CBB1 or
+        uint32(0) == 0x1900ABBA or
+        uint32(0) == 0x24F2CEA1 or
+        uint32(0) == 0xDA012193 or
+        uint32(0) == 0xDA018993 or
+        uint32(0) == 0xDA018995 or
+        uint32(0) == 0xDD018991
+}
+
+rule apt_Windows_InvisiMole_SFX_Dropper {
+
+    meta:
+        description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B}
+
+    condition:
+        uint16(0) == 0x5A4D and $encrypted_config
+}
+
+rule apt_Windows_InvisiMole_CPL_Loader {
+    meta:
+        description = "CPL loader"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $s1 = "WScr%steObject(\"WScr%s.Run(\"::{20d04fe0-3a%s30309d}\\\\::{21EC%sDD-08002B3030%s\", 0);"
+        $s2 = "\\Control.js" wide
+        $s3 = "\\Control Panel.lnk" wide
+        $s4 = "FPC 3.0.4 [2019/04/13] for x86_64 - Win64"
+        $s5 = "FPC 3.0.4 [2019/04/13] for i386 - Win32"
+        $s6 = "imageapplet.dat" wide
+        $s7 = "wkssvmtx"
+
+    condition:
+        uint16(0) == 0x5A4D and (3 of them)
+}
+
+rule apt_Windows_InvisiMole_Wrapper_DLL {
+    meta:
+        description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    condition:
+        pe.exports("GetDataLength") and
+        for any y in (0..pe.number_of_resources - 1): (
+            pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00C\x00L\x00"
+        ) and
+        for any y in (0..pe.number_of_resources - 1): (
+            pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00F\x00M\x00"
+        )
+}
+
+rule apt_Windows_InvisiMole_DNS_Downloader {
+
+    meta:
+        description = "InvisiMole DNS downloader"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $d = "DnsQuery_A"
+
+        $s1 = "Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}" xor
+        $s2 = "AddIns\\" ascii wide xor
+        $s3 = "pcornomeex." xor
+        $s4 = "weriahsek.rxe" xor
+        $s5 = "dpmupaceex." xor
+        $s6 = "TCPViewClass" xor
+        $s7 = "PROCMON_WINDOW_CLASS" xor
+        $s8 = "Key%C"
+        $s9 = "AutoEx%C" xor
+        $s10 = "MSO~"
+        $s11 = "MDE~"
+        $s12 = "DNS PLUGIN, Step %d" xor
+        $s13 = "rundll32.exe \"%s\",StartUI"
+
+    condition:
+        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $d and 5 of ($s*)
+}
+
+rule apt_Windows_InvisiMole_RC2CL_Backdoor {
+
+    meta:
+        description = "InvisiMole RC2CL backdoor"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $s1 = "RC2CL" wide
+
+        $s2 = "hp12KsNh92Dwd" wide
+        $s3 = "ZLib package %s: files: %d, total size: %d" wide
+        $s4 = "\\Un4seen" wide
+        $s5 = {9E 01 3A AD} // encryption key
+
+        $s6 = "~mrc_" wide
+        $s7 = "~src_" wide
+        $s8 = "~wbc_" wide
+        $s9 = "zdf_" wide
+        $s10 = "~S0PM" wide
+        $s11 = "~A0FM" wide
+        $s12 = "~70Z63\\" wide
+        $s13 = "~E070C" wide
+        $s14 = "~N031E" wide
+
+        $s15 = "%szdf_%s.data" wide
+        $s16 = "%spicture.crd" wide
+        $s17 = "%s70zf_%s.cab" wide
+        $s18 = "%spreview.crd" wide
+
+        $s19 = "Value_Bck" wide
+        $s20 = "Value_WSFX_ZC" wide
+        $s21 = "MachineAccessStateData" wide
+        $s22 = "SettingsSR2" wide
+
+    condition:
+        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and 5 of ($s*)
+}
+
+rule apt_Windows_InvisiMole {
+
+    meta:
+        description = "InvisiMole magic values, keys and strings"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $s1 = "CryptProtectData"
+        $s2 = "CryptUnprotectData"
+        $s3 = {9E 01 3A AD}
+        $s4 = "GET /getversion2a/%d%.2X%.2X/U%sN HTTP/1.1"
+        $s5 = "PULSAR_LOADER.dll"
+
+        /*
+        cmp reg, 0DED0FFF9h
+        */
+        $check_magic_old_32 = {3? F9 FF D0 DE}
+
+        /*
+        cmp reg, 0DED0FF64h
+        */
+        $check_magic_old_64 = {3? 64 FF D0 DE}
+
+        /*
+        cmp dword ptr [reg], 0CE11DA86h
+        */
+        $check_magic_new_32 = {81 3? 86 DA 11 CE}
+
+        /*
+        cmp dword ptr [reg], 0CE11DA64h
+        */
+        $check_magic_new_64 = {81 3? 64 DA 11 CE}
+
+    condition:
+        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and (any of ($check_magic*)) and (2 of ($s*))
+}
+
+rule apt_Windows_InvisiMole_C2 {
+
+    meta:
+        description = "InvisiMole C&C servers"
+        author = "ESET Research"
+        date = "2021-05-17"
+        reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+        source = "https://github.com/eset/malware-ioc/"
+        license = "BSD 2-Clause"
+        version = "1"
+
+    strings:
+        $s1 = "46.165.220.228" ascii wide
+        $s2 = "80.255.3.66" ascii wide
+        $s3 = "85.17.26.174" ascii wide
+        $s4 = "185.193.38.55" ascii wide
+        $s5 = "194.187.249.157"  ascii wide
+        $s6 = "195.154.255.211"  ascii wide
+        $s7 = "153.re"  ascii wide fullword
+        $s8 = "adstat.red"  ascii wide
+        $s9 = "adtrax.net"  ascii wide
+        $s10 = "akamai.sytes.net"  ascii wide
+        $s11 = "amz-eu401.com"  ascii wide
+        $s12 = "blabla234342.sytes.net"  ascii wide
+        $s13 = "mx1.be"  ascii wide fullword
+        $s14 = "statad.de"  ascii wide
+        $s15 = "time.servehttp.com"  ascii wide
+        $s16 = "upd.re"  ascii wide fullword
+        $s17 = "update.xn--6frz82g"  ascii wide
+        $s18 = "updatecloud.sytes.net"  ascii wide
+        $s19 = "updchecking.sytes.net"  ascii wide
+        $s20 = "wlsts.net"  ascii wide
+        $s21 = "ro2.host"  ascii wide fullword
+        $s22 = "2ld.xyz"  ascii wide fullword
+        $s23 = "the-haba.com"  ascii wide
+        $s24 = "82.202.172.134"  ascii wide
+        $s25 = "update.xn--6frz82g"  ascii wide
+
+    condition:
+        ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $s21 and any of them
+}
@@ -0,0 +1,55 @@
+action: global
+title: InvisiMole Control Panel Misuse Chain
+id: d57fd9ea-0ed5-4435-bff0-c998f0feeacf
+status: experimental
+description: Detects artefacts associated with InvisiMole Control Panel persistence chain, as reported in June 2020
+references:
+    - https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/
+author: ESET Research
+date: 2021/05/17
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.persistence
+    - attack.t1218.002
+    - attack.t1059.007
+    - attack.t1547.001
+    - attack.t1547.009
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    category: registry_event
+    product: windows
+    definition: 'Note that you have to configure logging events associated with this registry key'
+detection:
+    selection:
+        TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs\infocard'
+        Details|endswith: '\Microsoft\AddIns\infocardadd.cpl'
+    condition: selection
+---
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith:
+            - '\Startup\Control Panel.lnk'
+            - '\AppData\Roaming\Control\Control.js'
+            - '\Microsoft\AddIns\infocardadd.cpl'
+            - '\Microsoft\AddIns\imageapplet.dat'
+    condition: selection
+---
+logsource:
+    category: image_load
+    product: windows
+    definition: 'Note that you have to configure logging for loading CPL files'
+detection:
+    filename:
+        ImageLoaded|endswith: '\Microsoft\AddIns\infocardadd.cpl'
+    hash:
+        sha1:
+            - '9f64fec50d4447175459aab33bc9126f9a3370d8'
+            - 'a3aff8ce55907daa1f3360ded01bcf3f6f9d0cf2'
+    condition: 1 of them
@@ -0,0 +1,22 @@
+action: global
+title: InvisiMole Artefacts
+id: 67c9bdff-2de7-4214-9734-6d48e1bf1381
+status: experimental
+description: Detects artefacts associated with lateral movement technique used by InvisiMole Group, as reported in June 2020
+references:
+    - https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/
+author: ESET Research
+date: 2021/05/17
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\stg0D0CE03.dll'
+            - '\stg0D33E0A.dll'
+    condition: selection