PingRAT is a relatively simple open-source RAT that carries its command-and-control traffic over ICMP in order to pass through firewalls. This rule matches strings found in the PingRAT server:
rule MAL_PingRAT_server_strings {
    meta:
        description = "Matches strings found in the PingRAT server binary and source code."
        last_modified = "2024-03-09"
        author = "@petermstewart"
        DaysofYara = "69/100"
        sha256 = "81070ba18e6841ee7ec44b00bd33e8a44c8c1af553743eebcb0d44b47130b677"
        ref = "https://github.com/umutcamliyurt/PingRAT"
    strings:
        $a1 = "Listener (virtual) Network Interface (e.g. eth0)"
        $a2 = "Destination IP address"
        $a3 = "Please provide both interface and destination IP address."
        $a4 = "[+] ICMP C2 started!"
        $a5 = "[+] Command sent to the client:"
        $a6 = "[+] Stopping ICMP C2..."
        $b1 = "golang.org/x/net/icmp"
        $b2 = "golang.org/x/net/ipv4"
        $b3 = "os/signal"
    condition:
        all of them
}
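As an added example (not from the post or the PingRAT project), the following Python parses this rule's text strings and its "all of them" condition and evaluates them against constructed byte buffers, so you can see which strings carry a match; note that the $b strings are ordinary Go import paths, so the $a strings are what make the rule specific to PingRAT.

```python
import codecs
import re

# The rule from this post, embedded verbatim so the example runs offline.
PINGRAT_RULE = r'''
rule MAL_PingRAT_server_strings {
    strings:
        $a1 = "Listener (virtual) Network Interface (e.g. eth0)"
        $a2 = "Destination IP address"
        $a3 = "Please provide both interface and destination IP address."
        $a4 = "[+] ICMP C2 started!"
        $a5 = "[+] Command sent to the client:"
        $a6 = "[+] Stopping ICMP C2..."
        $b1 = "golang.org/x/net/icmp"
        $b2 = "golang.org/x/net/ipv4"
        $b3 = "os/signal"
    condition:
        all of them
}
'''

# One text string per line ($name = "..."), backslash escapes allowed; and the
# "<all|any|N> of them" condition family, which is all this evaluator supports.
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.MULTILINE)
COND_RE = re.compile(r'condition:\s*(all|any|\d+)\s+of\s+them', re.IGNORECASE)

def parse_rule(rule_text):
    """Return ({name: pattern_bytes}, required_hit_count) for a rule like the one above."""
    patterns = {}
    for name, raw in STRING_RE.findall(rule_text):
        # Plain YARA text strings are ASCII and case-sensitive; modifiers such
        # as nocase or wide are not handled here.
        patterns[name] = codecs.decode(raw, "unicode_escape").encode("latin-1")
    m = COND_RE.search(rule_text)
    if m is None:
        raise ValueError("unsupported condition")
    word = m.group(1).lower()
    required = len(patterns) if word == "all" else 1 if word == "any" else int(word)
    return patterns, required

def evaluate(rule_text, data):
    """Return (matched, {name: hit}) for the raw bytes of a file."""
    patterns, required = parse_rule(rule_text)
    hits = {name: pat in data for name, pat in patterns.items()}
    return sum(hits.values()) >= required, hits

# Constructed stand-ins for a binary: one with all nine strings, one missing $b1.
SAMPLE_FULL = b"\x7fELF" + b"\x00".join(parse_rule(PINGRAT_RULE)[0].values()) + b"\x00"
SAMPLE_PARTIAL = SAMPLE_FULL.replace(b"golang.org/x/net/icmp", b"")
```

To run it over a real file, pass `open(path, "rb").read()` as `data`; a single absent string is enough to make the "all of them" condition fail, which is why the specific $a strings matter more than the generic $b import paths.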
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.