#100DaysofYARA 2024 – Day 84 – SugarGh0st DLL Loader

SugarGh0st is a customised variant of the old Gh0st RAT malware, active since 2008, and was recently assessed to be used by a China-nexus threat actor to target entities in Uzbekistan and South Korea. SugarGh0st utilises a multi-stage infection process which includes a DLL used to decrypt and reflectively load the final payload; this rule matches strings found in that loader DLL:

rule MAL_APT_SugarGhost_Loader_strings {
	meta:
		description = "Matches strings found in the DLL loader component of SugarGhost malware."
		last_modified = "2024-03-24"
		author = "@petermstewart"
		DaysofYara = "84/100"
		sha256 = "34cba6f784c8b68ec9e598381cd3acd11713a8cf7d3deba39823a1e77da586b3"
		ref = "https://blog.talosintelligence.com/new-sugargh0st-rat/"

	strings:
		// Error text emitted by the loader's manual import resolution
		$a1 = "The ordinal %u could not be located in the dynamic link library %s"
		// Two halves of the tamper-check message embedded in the loader stub
		$a2 = "File corrupted!. This program has been manipulated and maybe"
		$a3 = "it's infected by a Virus or cracked. This file won't work anymore."

	condition:
		// Upper size bound: a loader DLL is far smaller than 200MB, so the
		// bound must be "<" (a ">" here would exclude every real sample)
		filesize < 200MB and
		// "MZ" DOS header, read as a little-endian 16-bit value
		uint16(0) == 0x5a4d and
		all of them
}
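To see how the rule's condition block behaves on files that only partly match, here is the same logic re-implemented in plain Python and run over constructed buffers. This is an added example, not code from the post or from the author's repository; the sample "DLLs" it builds are constructed stand-ins, not SugarGh0st samples.

```python
"""Pure-Python mirror of the MAL_APT_SugarGhost_Loader_strings condition block.

Lets the rule's logic (MZ header, filesize bound, all three strings) be exercised
without a YARA install, and reports which individual conditions failed.
Added example: the buffers built here are constructed, not real loader DLLs.
"""

# The three ASCII strings from the rule (YARA strings are ASCII and case-sensitive by default).
LOADER_STRINGS = [
    b"The ordinal %u could not be located in the dynamic link library %s",
    b"File corrupted!. This program has been manipulated and maybe",
    b"it's infected by a Virus or cracked. This file won't work anymore.",
]
MAX_FILESIZE = 200 * 1024 * 1024  # the rule's 200MB upper bound


def evaluate_loader_rule(data: bytes) -> dict:
    """Return a per-condition breakdown so partial hits are visible when tuning."""
    result = {
        "mz_header": data[:2] == b"MZ",        # uint16(0) == 0x5a4d, little-endian "MZ"
        "size_ok": len(data) < MAX_FILESIZE,    # filesize < 200MB
        "strings": {s.decode(): s in data for s in LOADER_STRINGS},
    }
    # "all of them" requires every declared string to be present
    result["match"] = result["mz_header"] and result["size_ok"] and all(result["strings"].values())
    return result


def build_sample(include_strings, pe: bool = True, pad: int = 0) -> bytes:
    """Constructed stand-in for a loader binary: a DOS/ELF header, filler, then chosen strings."""
    header = b"MZ" + b"\x90" * 62 if pe else b"\x7fELF" + b"\x00" * 60
    body = b"\x00".join(LOADER_STRINGS[i] for i in include_strings)
    return header + b"\x00" * pad + body


if __name__ == "__main__":
    full = evaluate_loader_rule(build_sample([0, 1, 2]))
    print("constructed PE with all three strings ->", full["match"])
    partial = evaluate_loader_rule(build_sample([0, 1]))
    print("third string missing ->", partial["match"], partial["strings"])
    not_pe = evaluate_loader_rule(build_sample([0, 1, 2], pe=False))
    print("ELF header with all strings ->", not_pe["match"])
```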

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.
