The final rule for week one is an alternative method of identifying the SQLMaggie backdoor used by a China-nexus threat actor tracked by SentinelLabs as WIP19.
Examining the debug output from the YARA PE module, I found that my SQLMaggie sample DLL only exported a single function – maggie. This rule matches any PE file with exactly one export, named maggie.
import "pe"

rule MAL_SQLMaggie_dll_export {
    meta:
        description = "Matches DLL export found in SQLMaggie backdoor used by China-nexus threat actor WIP19."
        last_modified = "2024-01-07"
        author = "@petermstewart"
        DaysofYara = "7/100"
        ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
        sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"
    condition:
        uint16(0) == 0x5a4d and
        pe.number_of_exports == 1 and
        pe.export_details[0].name == "maggie"
}
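As an added illustration (not part of the original post or the author's rule set), the Python below reimplements the rule's condition on top of a minimal export-table parser, so you can see which PE structures pe.number_of_exports (IMAGE_EXPORT_DIRECTORY.NumberOfFunctions) and export_details[0].name (AddressOfNames) are read from. The test DLL it builds is a constructed synthetic file with one export, not a SQLMaggie sample, and the parser omits the bounds sanity checks YARA's pe module applies to malformed files.

```python
import struct

def pe_exports(data: bytes):
    """Return (NumberOfFunctions, [exported names]) from a PE image, or (0, []) if it has no export table."""
    if data[:2] != b"MZ":                                   # same check as uint16(0) == 0x5a4d in the rule
        return 0, []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return 0, []
    coff = pe_off + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]  # export DataDirectory RVA
    if exp_rva == 0:
        return 0, []
    sections = []                                           # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), rptr))
    def rva2off(rva):                                       # map an RVA to a file offset via the section table
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rptr + rva - vaddr
        raise ValueError("RVA not backed by any section")
    # IMAGE_EXPORT_DIRECTORY: NumberOfFunctions @0x14, NumberOfNames @0x18, AddressOfNames @0x20
    n_funcs, n_names, _, names_rva = struct.unpack_from("<IIII", data, rva2off(exp_rva) + 0x14)
    names = []
    for i in range(n_names):
        off = rva2off(struct.unpack_from("<I", data, rva2off(names_rva) + 4 * i)[0])
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return n_funcs, names

def matches_sqlmaggie_export_rule(data: bytes) -> bool:  # the rule's condition: exactly one export, named 'maggie'
    n_funcs, names = pe_exports(data)
    return n_funcs == 1 and names == ["maggie"]

def build_test_dll(export_name: bytes) -> bytes:  # constructed minimal PE32 test input, not a real sample
    sec_rva, sec_off = 0x1000, 0x200
    funcs_rva, names_rva, ords_rva, str_rva = sec_rva + 40, sec_rva + 44, sec_rva + 48, sec_rva + 50
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 1, 1, funcs_rva, names_rva, ords_rva)
    body += struct.pack("<IIH", sec_rva + 0x100, str_rva, 0) + export_name + b"\0"  # tables + name string
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, len(body))    # export DataDirectory (RVA, size)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    return (hdr.ljust(0x80, b"\0") + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_off, b"\0") + body
```

To try it on a real file, pass the bytes of any DLL to matches_sqlmaggie_export_rule; a DLL with several exports, or one whose single export has another name, returns False just as the YARA rule would not match.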
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.