#100DaysofYARA 2024 – Day 62 – ScreenConnect

ScreenConnect is a legitimate Remote Monitoring and Management (RMM) tool which has been abused as a C2 mechanism by threat actors, including at least one HIVE SPIDER affiliate. If that’s not enough, in February 2024 the ScreenConnect server was found to suffer from a trivially exploited authentication bypass vulnerability.

This rule matches strings found in the ScreenConnect MSI package, commonly used to install the application:

rule PUP_RMM_ScreenConnect_msi {
	meta:
		description = "Matches strings found in ScreenConnect MSI packages, often abused for unauthorised access."
		last_modified = "2024-03-02"
		author = "@petermstewart"
		DaysofYara = "62/100"
		sha256 = "80b6ec0babee522290588e324026f7c16e3de9d178b9e846ae976ab432058ce7"
		sha256 = "f8c2b122da9c9b217eada5a1e5fde92678925f1bb2ea847253538ffda274f0b9"

	strings:
		$magic = { d0 cf 11 e0 a1 b1 1a e1 }
		$clsid = { 84 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
		$a1 = "ScreenConnect.Client.dll"
		$a2 = "ScreenConnect.WindowsClient.exe"
		$a3 = "Share My Desktop"
		$a4 = "Grab a still image of the remote machine desktop"

	condition:
		$magic at 0 and
		all of them
}

While researching ScreenConnect I also wrote a utility rule to detect MSI installers:

rule file_msi {
    meta:
        description = "Finds Microsoft Installer (.msi) files"
        last_modified = "2024-03-02"
        author = "@petermstewart"
        DaysofYara = "62/100"

    strings:
        $magic = { d0 cf 11 e0 a1 b1 1a e1 }
        $clsid = { 84 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        
    condition:
        $magic at 0 and
        $clsid
}
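The two hex patterns in these rules deserve a closer look, and a structural check shows the point better than prose. What follows is an added Python example, not code from the post or from the author's repository: it shows that $clsid is the on-disk (little-endian) form of the MSI root-storage CLSID {000C1084-0000-0000-C000-000000000046}, reads that CLSID from the root directory entry of the Compound File where it actually lives instead of searching the whole file for the bytes, and uses a constructed minimal CFB image (not a real installer) to show a non-MSI OLE container that the looser $clsid search would still flag. OTHER_CLSID is an arbitrary constructed value, and build_cfb only emits enough structure to exercise the checks.

```python
"""Added example, not the page's or the author's code: structural MSI detection
next to the looser "CLSID bytes anywhere" logic the YARA rules express."""
import struct
import uuid

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")            # the rules' $magic (OLE Compound File signature)
MSI_CLSID = uuid.UUID("000C1084-0000-0000-C000-000000000046")
OTHER_CLSID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed, stands in for any non-MSI root CLSID
ROOT_STORAGE = 5                                           # directory-entry object type of "Root Entry"
ENDOFCHAIN = 0xFFFFFFFE


def root_entry_clsid(data: bytes):
    """CLSID stored in the root directory entry of a CFB file, or None when the
    input is not CFB or its first directory entry is not a root storage."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return None
    sector_shift, = struct.unpack_from("<H", data, 30)      # 9 -> 512-byte sectors, 12 -> 4096-byte sectors
    first_dir_sector, = struct.unpack_from("<I", data, 48)
    sector_size = 1 << sector_shift
    entry_off = (first_dir_sector + 1) * sector_size        # sector n starts at (n + 1) * sector_size
    if entry_off + 128 > len(data) or data[entry_off + 66] != ROOT_STORAGE:
        return None
    return uuid.UUID(bytes_le=bytes(data[entry_off + 80:entry_off + 96]))   # CLSID field of the 128-byte entry


def is_msi_structural(data: bytes) -> bool:
    """MSI iff the root storage itself carries the MSI CLSID."""
    return root_entry_clsid(data) == MSI_CLSID


def is_msi_loose(data: bytes) -> bool:
    """What `$magic at 0 and $clsid` expresses: the 16 CLSID bytes may sit anywhere in the file."""
    return data[:8] == CFB_MAGIC and MSI_CLSID.bytes_le in data


def build_cfb(root_clsid: uuid.UUID, payload: bytes = b"") -> bytes:
    """Constructed minimal CFB image: a 512-byte header plus one directory sector
    holding a root entry. Not an installable MSI, just enough structure for the checks."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor ver, major ver 3, byte order, sector shift, mini shift
    struct.pack_into("<I", header, 48, 0)              # first directory sector = sector 0
    struct.pack_into("<I", header, 56, 4096)           # mini stream cutoff
    struct.pack_into("<I", header, 60, ENDOFCHAIN)     # no mini FAT
    struct.pack_into("<I", header, 68, ENDOFCHAIN)     # no DIFAT sectors
    header[76:512] = b"\xff" * (512 - 76)              # DIFAT array left empty (FREESECT)
    entry = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry[0:len(name)] = name
    struct.pack_into("<H", entry, 64, len(name))
    entry[66] = ROOT_STORAGE
    struct.pack_into("<III", entry, 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings, no child
    entry[80:96] = root_clsid.bytes_le
    return bytes(header) + bytes(entry) + b"\x00" * (512 - 128) + payload


if __name__ == "__main__":
    msi_like = build_cfb(MSI_CLSID)
    other_ole = build_cfb(OTHER_CLSID, payload=MSI_CLSID.bytes_le)  # non-MSI container carrying the 16 bytes in its body
    for label, blob in (("msi_like", msi_like), ("other_ole", other_ole)):
        print(f"{label}: loose={is_msi_loose(blob)} structural={is_msi_structural(blob)}")
```

Run it directly to print both checks on both samples. The loose form is exactly what the YARA rules express and is fine for hunting, where a few extra hits cost little; the structural form is the one to reach for when classifying files, because a CFB container that is not an MSI can still carry those sixteen bytes inside one of its streams.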

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 61 – SystemBC (Linux)

The SystemBC RAT/proxy also has a Linux variant; today’s rule uses strings to match that one too.

rule MAL_SystemBC_Lin_strings {
	meta:
		description = "Matches strings found in SystemBC malware Linux samples."
		last_modified = "2024-03-01"
		author = "@petermstewart"
		DaysofYara = "61/100"
		sha256 = "cf831d33e7ccbbdc4ec5efca43e28c6a6a274348bb7bac5adcfee6e448a512d9"
		sha256 = "b68bfd96f2690058414aaeb7d418f376afe5ba65d18ee4441398807b06d520fd"

	strings:
		$a1 = "Rc4_crypt" fullword
		$a2 = "newConnection" fullword
		$a3 = "/tmp/socks5.sh" fullword
		$a4 = "cat <(echo '@reboot echo" fullword
		$a5 = "socks5_backconnect" fullword

	condition:
		uint32(0) == 0x464c457f and
		2 of them
}

#100DaysofYARA 2024 – Day 60 – SystemBC (Windows)

SystemBC is a persistent backdoor which allows its operators to execute commands, but also to proxy network traffic via SOCKS5 or Tor. Today’s rule matches strings found in Windows SystemBC samples.

rule MAL_SystemBC_Win_strings {
	meta:
		description = "Matches strings found in SystemBC malware Windows samples."
		last_modified = "2024-02-29"
		author = "@petermstewart"
		DaysofYara = "60/100"
		sha256 = "876c2b332d0534704447ab5f04d0eb20ff1c150fd60993ec70812c2c2cad3e6a"
		sha256 = "b9d6bf45d5a7fefc79dd567d836474167d97988fc77179a2c7a57f29944550ba"

	strings:
		$a1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
		$a2 = "GET %s HTTP/1.0"
		$a3 = "Host: %s"
		$a4 = "Connection: close"
		$b1 = "BEGINDATA"
		$b2 = "HOST1:"
		$b3 = "HOST2:"
		$b4 = "PORT1:"
		$b5 = "DNS:"
		$b6 = "-WindowStyle Hidden -ep bypass -file"

	condition:
		// "and" binds tighter than "or" in YARA, so without the parentheses the
		// MZ check would only cover the $a branch and 5 of ($b*) would fire on any file
		uint16(0) == 0x5a4d and
		(
			all of ($a*) or
			5 of ($b*)
		)
}

#100DaysofYARA 2024 – Day 59 – DarkComet RAT

The original DarkComet RAT was first developed in 2008 and is still widely used today by, basically, everyone.

rule MAL_DarkComet_strings {
	meta:
		description = "Matches strings found in DarkComet malware samples."
		last_modified = "2024-02-28"
		author = "@petermstewart"
		DaysofYara = "59/100"
		sha256 = "3e10c254d6536cc63d286b53abfebbf53785e6509ae9fb569920747d379936f6"

	strings:
		$a1 = "I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!"
		$a2 = "BTRESULTPing|Respond [OK] for the ping !|"
		$a3 = "BTRESULTClose Server|close command receive, bye bye...|"
		$a4 = "BTRESULTHTTP Flood|Http Flood task finished!|"
		$a5 = "BTRESULTMass Download|Downloading File...|"
		$a6 = "ERR|Cannot listen to port, try another one..|"

	condition:
		uint16(0) == 0x5a4d and
		all of them
}

#100DaysofYARA 2024 – Day 58 – Netwire RAT

Netwire is another commodity RAT most often seen in high-volume opportunistic campaigns, but occasionally used as part of targeted operations, such as this one targeting Pakistani government organisations.

rule MAL_Netwire_strings {
	meta:
		description = "Matches strings found in NetWire malware samples."
		last_modified = "2024-02-27"
		author = "@petermstewart"
		DaysofYara = "58/100"
		sha256 = "05a36b671efa242764695140c004dfff3e0ff9d11df5d74005b7c1c8c53d8f00"
		sha256 = "d2a60c0cb4dd0c53c48bc062ca754d94df400dee9b672cf8881f5a1eff5b4fbe"

	strings:
		$ua = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
		$a1 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
		$a2 = "Accept-Language: en-US,en;q=0.8"
		$a3 = "GET %s HTTP/1.1" 
		$b1 = "ping 192.0.2.2 -n 1 -w %d >nul 2>&1"
		$b2 = "DEL /s \"%s\" >nul 2>&1"
		$b3 = "call :deleteSelf&exit /b"
		$b4 = ":deleteSelf"
		$b5 = "start /b \"\" cmd /c del \"%%~f0\"&exit /b"
		$b6 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
		$c1 = "%6\\EWWnid\\PI0Wld\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c2 = "%6\\PI0Wl4Ql\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c3 = "%6\\PWlWSW\\a0CnWR\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c4 = "%6\\vCRSdf\\vCRSdfc0Wg6d0\\u6d0 aC5C\\ad8CQi5\\mWn4R aC5C"
		$c5 = "%6\\Tsd0C MW85gC0d\\Tsd0C M5CVid\\mWn4R aC5C"

	condition:
		uint16(0) == 0x5a4d and
		12 of them
}

#100DaysofYARA 2024 – Day 57 – PrivateLoader

PrivateLoader is a downloader malware family whose primary purpose is to download and execute additional malware. Intel 471 and Walmart reported on PrivateLoader’s pay-per-install (PPI) service that distributes malware on behalf of other threat actors. The malware payloads can be selectively delivered to victims based on certain criteria (e.g. location, cryptocurrency or financial activity, on a corporate network, specific software installed, etc.) As previously reported, some of the payloads being distributed include Redline Stealer, Vidar Stealer, SmokeLoader, Stop ransomware, and other commodity malware.

Peeking into PrivateLoader, Zscaler

This rule matches PrivateLoader samples found on vx-underground:

rule MAL_PrivateLoader_strings {
	meta:
		description = "Matches strings found in PrivateLoader malware samples."
		last_modified = "2024-02-26"
		author = "@petermstewart"
		DaysofYara = "57/100"
		sha256 = "077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb"
		sha256 = "27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4"

	strings:
		$ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" ascii wide
		$b1 = ".?AVBase@Rijndael@CryptoPP@@" ascii
		$b2 = ".?AVCannotFlush@CryptoPP@@" ascii
		$b3 = ".?AVBase64Decoder@CryptoPP@@" ascii
		$b4 = ".?AVCBC_Encryption@CryptoPP@@" ascii
		$b5 = "Cleaner" ascii
		$c1 = "Content-Type: application/x-www-form-urlencoded" wide
		$c2 = "https://ipinfo.io/" wide
		$c3 = "https://db-ip.com/" wide
		$c4 = "https://www.maxmind.com/en/locate-my-ip-address" wide
		$c5 = "https://ipgeolocation.io/" wide

	condition:
		// parenthesised so that the MZ check applies to all three alternatives;
		// "and" binds tighter than "or" in YARA
		uint16(0) == 0x5a4d and
		(
			($ua and 4 of them) or
			all of ($b*) or
			all of ($c*)
		)
}

#100DaysofYARA 2024 – Day 56 – “no virus.exe” Ransomware

Today’s rule is inspired by MalwareHunterTeam tweeting about an unidentified (by me at least) ransomware sample dropping a note named read_it.txt, uploaded to VirusTotal with the filename “no virus.exe”. Seems legit.

rule MAL_NoVirus_strings {
	meta:
		description = "Matches strings found in ransomware sample uploaded to VirusTotal with filename 'no virus.exe'."
		last_modified = "2024-02-25"
		author = "@petermstewart"
		DaysofYara = "56/100"
		sha256 = "015e546f3ac1350c5b68fedc89e16334a4e456092228e691f054c1a86fefb6c6"
		ref = "https://twitter.com/malwrhunterteam/status/1745182178474885199"

	strings:
		$a1 = "vssadmin delete shadows /all /quiet & wmic shadowcopy delete" wide
		$a2 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no" wide
		$a3 = "wbadmin delete catalog -quiet" wide
		$b1 = "read_it.txt" wide
		$b2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
		$c1 = "Don't worry, you can return all your files!" wide
		$c2 = "All your files like documents, photos, databases and other important are encrypted" wide
		$c3 = "You must follow these steps To decrypt your files" wide
		$c4 = "1) CONTACT US Telegram @CryptoKeeper_Support" wide
		$c5 = "2) Obtain Bitcoin (You have to pay for decryption in Bitcoins." wide
		$c6 = "After payment we will send you the tool that will decrypt all your files.)" wide
		$c7 = "3) Send 500$ worth of btc to the next address:" wide
		$c8 = "17Ym1FfiuXGGWr1SN6enUEEZUwnsuNMUDa" wide

	condition:
		uint16(0) == 0x5a4d and
		8 of them
}

This sample also matched my TTP_contains_BTC_address and HUNT_Ransomware_generic_strings rules, which was nice to see.

#100DaysofYARA 2024 – Day 54 – AsyncRAT Github Release

After writing my rule to match AsyncRAT samples available on vx-underground, I found that it did not match the release binaries available on the AsyncRAT Github repository. I haven’t looked too closely into why that is the case. I’m a threat hunter, not a reverse engineer – you might notice that my YARA rules tend to be reliant on the output of strings!

In any case, here is a new rule that does match the Github release binary:

rule MAL_AsyncRAT_Github_release {
	meta:
		description = "Matches strings found in AsyncRAT Github release."
		last_modified = "2024-02-23"
		author = "@petermstewart"
		DaysofYara = "54/100"
		sha256 = "06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5"
		ref = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
        
	strings:
		$a1 = "NYAN-x-CAT"
		$a2 = "This program is distributed for educational purposes only."
		$a3 = "namespace AsyncRAT"
		$b1 = "[!] If you wish to upgrade to new version of AsyncRAT, You will need to copy 'ServerCertificate.p12'." wide
		$b2 = "[!] If you lose\\delete 'ServerCertificate.p12' certificate you will NOT be able to control your clients, You will lose them all." wide
		$b3 = "AsyncRAT | Dot Net Editor" wide
		$b4 = "XMR Miner | AsyncRAT" wide
		$b5 = "SEND A NOTIFICATION WHEN CLIENT OPEN A SPECIFIC WINDOW" wide
		$b6 = "Popup UAC prompt?" wide
		$b7 = "AsyncRAT | Unistall" wide
		$b8 = "recovered passwords successfully @ ClientsFolder" wide
	
	condition:
		// "and" binds tighter than "or" in YARA, so without the parentheses the
		// MZ check would only cover the $a branch and 6 of ($b*) would fire on any file
		uint16(0) == 0x5a4d and
		(
			all of ($a*) or
			6 of ($b*)
		)
}
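A precedence point applies to this rule and to the Day 60 and Day 57 rules above: in YARA, and binds tighter than or, so a condition written without parentheses as uint16(0) == 0x5a4d and all of ($a*) or 6 of ($b*) applies the header check to the $a branch only, and the $b branch fires on any file type. What follows is an added Python example, not the author's code, that models how the string rules on this page evaluate: what the ascii and wide modifiers actually search for, the little-endian header reads behind uint16(0) == 0x5a4d and the Day 61 uint32(0) == 0x464c457f, and the two groupings of this rule's condition side by side. The rule strings are the ones listed above; every input blob is constructed for the demonstration and is not a real sample.

```python
"""Added example, not the page's or the author's code: a miniature model of how
the string-based rules on this page are evaluated, used to show the ascii/wide
encodings and the and/or precedence trap."""
import struct


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: little-endian read of the "MZ" header."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def is_elf(data: bytes) -> bool:
    # uint32(0) == 0x464c457f: little-endian read of the bytes 7f 45 4c 46 ("\x7fELF")
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == 0x464C457F


def encodings(text: str, modifiers: str = "") -> list:
    """Byte patterns a YARA text string searches for: ascii (the default when no
    modifier is given) is the raw bytes, wide is UTF-16LE, "ascii wide" is both."""
    mods = modifiers.split()
    patterns = []
    if "ascii" in mods or "wide" not in mods:
        patterns.append(text.encode("ascii"))
    if "wide" in mods:
        patterns.append(text.encode("utf-16-le"))
    return patterns


def matched_ids(data: bytes, strings: dict) -> set:
    """Identifiers of every rule string that occurs somewhere in data."""
    return {ident for ident, (text, mods) in strings.items()
            if any(pattern in data for pattern in encodings(text, mods))}


def n_of(matched: set, prefix: str) -> int:
    """The count behind `N of ($b*)`: matched identifiers sharing a prefix."""
    return sum(1 for ident in matched if ident.startswith(prefix))


# Strings of the Day 54 rule, with the same modifiers (no modifier means ascii).
ASYNCRAT_GITHUB = {
    "$a1": ("NYAN-x-CAT", ""),
    "$a2": ("This program is distributed for educational purposes only.", ""),
    "$a3": ("namespace AsyncRAT", ""),
    "$b1": ("[!] If you wish to upgrade to new version of AsyncRAT, You will need to copy 'ServerCertificate.p12'.", "wide"),
    "$b2": ("[!] If you lose\\delete 'ServerCertificate.p12' certificate you will NOT be able to control your clients, You will lose them all.", "wide"),
    "$b3": ("AsyncRAT | Dot Net Editor", "wide"),
    "$b4": ("XMR Miner | AsyncRAT", "wide"),
    "$b5": ("SEND A NOTIFICATION WHEN CLIENT OPEN A SPECIFIC WINDOW", "wide"),
    "$b6": ("Popup UAC prompt?", "wide"),
    "$b7": ("AsyncRAT | Unistall", "wide"),
    "$b8": ("recovered passwords successfully @ ClientsFolder", "wide"),
}


def condition_as_written(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and all of ($a*) or 6 of ($b*), grouped the way YARA
    parses it: (MZ and all of $a) or (6 of $b). The $b branch ignores the header."""
    m = matched_ids(data, ASYNCRAT_GITHUB)
    return (is_pe(data) and n_of(m, "$a") == 3) or n_of(m, "$b") >= 6


def condition_intended(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and (all of ($a*) or 6 of ($b*)): every branch needs MZ."""
    m = matched_ids(data, ASYNCRAT_GITHUB)
    return is_pe(data) and (n_of(m, "$a") == 3 or n_of(m, "$b") >= 6)


def _wide_blob(ids) -> bytes:
    return b"\x00\x00".join(ASYNCRAT_GITHUB[i][0].encode("utf-16-le") for i in ids)


# Constructed inputs, not real samples.
SIX_B = ("$b1", "$b2", "$b3", "$b4", "$b5", "$b6")
NOT_A_PE = b"\x7fELF" + b"\x00" * 12 + _wide_blob(SIX_B)          # ELF header, six UTF-16LE UI strings
FAKE_PE = b"MZ" + b"\x00" * 62 + _wide_blob(SIX_B)                  # MZ header, same strings
ASCII_ONLY = b"MZ" + b"|".join(ASYNCRAT_GITHUB[i][0].encode("ascii") for i in SIX_B)  # wide-only strings in ASCII form

if __name__ == "__main__":
    for name, blob in (("NOT_A_PE", NOT_A_PE), ("FAKE_PE", FAKE_PE), ("ASCII_ONLY", ASCII_ONLY)):
        print(f"{name:10} as written: {condition_as_written(blob)!s:5}  intended: {condition_intended(blob)}")
```

NOT_A_PE is the case that matters: an ELF carrying the six UI strings satisfies the ungrouped condition because the $b branch never consults the header, while the parenthesised form rejects it. ASCII_ONLY shows the other half of the model: strings declared wide are searched only as UTF-16LE, so an ASCII copy of the same text does not count, which is why rules on .NET samples so often need the wide modifier.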

#100DaysofYARA 2024 – Day 53 – AsyncRAT

AsyncRAT is a popular commodity trojan often used as a credential stealer or loader for further malware. This rule matches strings found in AsyncRAT samples downloaded from vx-underground.

rule MAL_AsyncRAT_strings {
	meta:
		description = "Matches strings found in AsyncRAT samples."
		last_modified = "2024-02-22"
		author = "@petermstewart"
		DaysofYara = "53/100"
		sha256 = "00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f"
		sha256 = "774e4d4af9175367bc3c7e08f4765778c58f1c66b46df88484a6aa829726f570"

	strings:
		$a1 = "/c schtasks /create /f /sc onlogon /rl highest /tn" wide
		$a2 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
		$a3 = "bat.exe" wide
		$a4 = "Stub.exe" wide

	condition:
		uint16(0) == 0x5a4d and
		all of them
}

#100DaysofYARA 2024 – Day 48 – Abyss Locker Ransomware Note

Today’s rule matches strings in the note dropped by the Abyss Locker ransomware, based on analysis published by SentinelOne.

rule MAL_AbyssLocker_ransomnote {
	meta:
		description = "Matches strings found in SentinelOne analysis of Abyss Locker note."
		last_modified = "2024-02-17"
		author = "@petermstewart"
		DaysofYara = "48/100"
		ref = "https://www.sentinelone.com/anthology/abyss-locker/"

	strings:
		$a1 = "Your company Servers are locked and Data has been taken to our servers. This is serious."
		$a2 = "Good news:"
		$a3 = "100% of your Server system and Data will be restored by our Decryption Tool;"
		$a4 = "for now, your data is secured and safely stored on our server;"
		$a5 = "nobody in the world is aware about the data leak from your company except you and Abyss Locker team."
		$a6 = "Want to go to authorities for protection?"
		$a7 = "they will do their job properly, but you will not get any win points out of it, only headaches;"
		$a8 = "they will never make decryption for data or servers"
		$a9 = "Also, they will take all of your IT infrastructure as a part of their procedures"
		$a10 = "but still they will not help you at all."
		$a11 = "Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party non-hackers"

	condition:
		filesize < 5KB and
		8 of them
}