diff --git a/yara/apt_apt27_rshell.yar b/yara/apt_apt27_rshell.yar new file mode 100644 index 00000000..25fc84e4 --- /dev/null +++ b/yara/apt_apt27_rshell.yar @@ -0,0 +1,40 @@ + +rule APT_MAL_APT27_Rshell_Jul24 { + meta: + sharing = "TLP:WHITE" + source = "BUNDESAMT FUER VERFASSUNGSSCHUTZ" + author = "Bundesamt fuer Verfassungsschutz, modified by Florian Roth" + description = "YARA rule to detect RSHELL of APT27" + category = "MALWARE" + malware = "RSHELL / SYSUPDATE" + reference = "https://x.com/bfv_bund/status/1811364839656185985?s=12&t=C0_T_re0wRP_NfKa27Xw9w" + date = "2024-07-11" + hash1 = "0433edfad648e1e29be54101abaded690302dc7e49ad916cfbbddf99b3ade12c" + hash2 = "10bb89fdf25c88d3c5623e8d68573124c9a42549750014e3675e2ca342aeba4a" + hash3 = "2603e1f61363451891c97b0c4ce8acfbfb680d3df4282f9d151ecce3a5679616" + hash4 = "70dac42491f8f19568a5d7b1d10b29f732a88d75e7f2bfa07b23202bacadf56f" + hash5 = "b988a6583ce40f07e5fc8e890ae2b1c84a93db8a2e3ca8769241b94bea332a7a" + hash6 = "c4fe1e56f601d411e2385352606524fb8bbf773bc2ba14889a8de605c2d14da0" + hash7 = "c787144d285fcca8a542f7a5525a37bcd089b39068b9a4db7fe3554ee6c08301" + hash8 = "ddaa4d23e4651a517fffbd29f0924607ba6b6253171144da5e49237afe91666b" + strings: + $a1 = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%" ascii + $a2 = "/proc/self/exe" ascii + + $s1 = "HISTFILE" ascii fullword + $s2 = "/tmp/guid" ascii fullword + + $sop1 = { e8 ?? ?? ?? ?? c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? } + $sop2 = { c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? f7 d8 } + condition: + ( + uint32be(0) == 0x7f454c46 // Linux + or ( uint32be(0) == 0xcafebabe and uint32be(4) < 0x20 ) // Universal mach-O App with dont-match-java-class-file hack + or uint32(0) == 0xfeedface // 32-bit mach-O + or uint32(0) == 0xfeedfacf // 64-bit mach-O + ) + and filesize < 2MB + and all of ($a*) + and 2 of ($s*) + or 3 of ($s*) +}