#100DaysofYARA 2024 – Day 7 – SQLMaggie DLL Export

The final rule for week one is an alternative method of identifying the SQLMaggie backdoor used by a China-nexus threat actor tracked by SentinelLabs as WIP19.

Examining the debug output from the YARA PE module, I found that my SQLMaggie sample DLL only exported a single function – maggie. This rule matches any PE file whose export table contains exactly one function, named maggie.

import "pe"

rule MAL_SQLMaggie_dll_export {
	meta:
		description = "Matches DLL export found in SQLMaggie backdoor used by China-nexus threat actor WIP19."
		last_modified = "2024-01-07"
		author = "@petermstewart"
		DaysofYara = "7/100"
		ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
		sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"

	condition:
		uint16(0) == 0x5a4d and
		pe.number_of_exports == 1 and
		pe.export_details[0].name == "maggie"
}
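To show what the PE module is actually evaluating when it checks `pe.number_of_exports` and `pe.export_details[0].name`, here is a small pure-Python walk of the export directory. This is an added example, not code from the post or from the SentinelLabs report: `build_pe_with_exports` constructs a minimal PE32+ image in memory purely as a test fixture (no real sample bytes are used), and `matches_sqlmaggie_export_rule` re-implements the rule condition. Counting every address-table entry as an export is an approximation of YARA's semantics; it is close enough to illustrate why a DLL with a second export, or with a differently cased name, will not match.

```python
import struct

# Constructed fixture: a minimal PE32+ DLL whose export table lists exactly `names`.
# Only the DOS/COFF/optional headers, one section and the export directory are populated.
def build_pe_with_exports(names):
    sect_rva, sect_raw = 0x1000, 0x200
    n = len(names)
    addr_funcs = sect_rva + 40            # export directory is 40 bytes
    addr_names = addr_funcs + 4 * n       # one RVA per function
    addr_ords = addr_names + 4 * n        # one RVA per name
    strings_rva = addr_ords + 2 * n       # one u16 ordinal per name
    dll_name = b"sample.dll\0"
    blob, name_rvas, cur = bytearray(dll_name), [], strings_rva + len(dll_name)
    for nm in names:
        name_rvas.append(cur)
        blob += nm.encode() + b"\0"
        cur += len(nm) + 1
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1, n, n,
                             addr_funcs, addr_names, addr_ords)
    export_dir += struct.pack(f"<{n}I", *([0x2000] * n))   # placeholder function RVAs
    export_dir += struct.pack(f"<{n}I", *name_rvas)
    export_dir += struct.pack(f"<{n}H", *range(n))          # ordinals biased by Base=1
    export_dir += bytes(blob)

    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110             # PE32+ magic, rest zeroed
    dirs = struct.pack("<II", sect_rva, len(export_dir)) + b"\0" * (8 * 15)  # dir 0 = exports
    section = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(export_dir), sect_rva,
                                          0x200, sect_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + dirs + section
    return hdr + b"\0" * (sect_raw - len(hdr)) + export_dir + b"\0" * (0x200 - len(export_dir))


def parse_exports(data):
    """Return export names in address-table order (None for ordinal-only entries),
    or None if the bytes are not a PE or carry no export directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 layout
    exp_rva, _exp_size = struct.unpack_from("<II", data, dirs_off)
    if exp_rva == 0:
        return None

    # Section table follows the optional header; needed to translate RVAs to file offsets.
    sections = []
    for i in range(nsect):
        s = opt_off + opt_size + 40 * i
        vsize, vaddr, rsize, raddr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, max(vsize, rsize), raddr))

    def rva2off(rva):
        for vaddr, size, raddr in sections:
            if vaddr <= rva < vaddr + size:
                return raddr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} not mapped by any section")

    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    d = rva2off(exp_rva)
    (_, _, _, _, _name, _base, nfuncs, nnames,
     a_funcs, a_names, a_ords) = struct.unpack_from("<IIHHIIIIIII", data, d)
    names = [None] * nfuncs
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva2off(a_names) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, rva2off(a_ords) + 2 * i)[0]
        if ordinal < nfuncs:
            names[ordinal] = cstr(name_rva)
    return names


def matches_sqlmaggie_export_rule(data):
    """Python rendering of the rule condition:
    uint16(0) == 0x5a4d and pe.number_of_exports == 1 and pe.export_details[0].name == "maggie"."""
    exports = parse_exports(data)
    return exports is not None and len(exports) == 1 and exports[0] == "maggie"


if __name__ == "__main__":
    print(matches_sqlmaggie_export_rule(build_pe_with_exports(["maggie"])))          # True
    print(matches_sqlmaggie_export_rule(build_pe_with_exports(["maggie", "xp_x"])))  # False
```

The string comparison is case-sensitive, exactly as it is in the YARA rule, so a build that exports `Maggie` would slip past this condition; pairing the export check with the Day 6 strings rule covers that gap.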

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 6 – SQLMaggie Strings

This rule matches samples of the SQLMaggie backdoor utilised by a China-nexus threat actor tracked by SentinelLabs as WIP19.

Whilst we did not observe the initial infection vector in this intrusion, the SQLmaggie malware dropped on victim networks targets Windows systems and has to be executed in an MSSQL server.

We found that SQLMaggie masquerades as a legitimate DLL containing extended stored procedure functions for an MSSQL Server … After registering the DLL into the MSSQL server, the threat actor is able to fully control the server machine and use this backdoor to conduct reconnaissance in the internal network.

SentinelLabs, New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

rule MAL_SQLMaggie_strings {
	meta:
		description = "Matches strings found in SQLMaggie backdoor used by China-nexus threat actor WIP19."
		last_modified = "2024-01-06"
		author = "@petermstewart"
		DaysofYara = "6/100"
		ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
		sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"

	strings:
		$a1 = "Account Owner Not Found For The SID"
		$a2 = "%s Isn't Successfully Hooked Yet"
		$a3 = "About To Execute: %s %s %s"
		$a4 = "RunAs User Password Command"
		$a5 = "Wait 5 To 10 Seconds For TS Taking Effect"
		$a6 = "Re-Install TS Successfullly"
		$a7 = "ImpersonateLoggedOnUser = %d"
		$a8 = "The Account %s Has Been Cloned To %s"
		$a9 = "Fileaccess ObjectName [TrusteeName] [Permission] Options"
		$a10 = "SQL Scan Already Running"
		$a11 = "HellFire2050"

	condition:
		uint16(0) == 0x5a4d and
		8 of them
}


#100DaysofYARA 2024 – Day 5 – Known Bad Signing Certificate

Today’s rule is the first in a short series covering a China-nexus threat actor tracked by SentinelLabs as WIP19.

SentinelLabs has been monitoring a threat cluster we track as WIP19, a group characterized by the usage of a legitimate, stolen digital certificate issued by a company called “DEEPSoft”. Based on our investigations, WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia.

WIP19 has been observed signing malware with a valid digital certificate issued for DEEPSoft Co., Ltd., a Korean company specializing in messaging solutions. The threat actor used the certificate to sign several malware components, some of which were tailor-made for specific targets. We assess that it is highly likely the certificate was stolen, as it was also used to sign legitimate software used by DEEPSoft in the past.

SentinelLabs, New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

Building on yesterday’s work on signed PE files, we can also match any binary signed with a particular certificate based on the certificate serial number.

import "pe"

rule TTP_WIP19_bad_cert {
	meta:
		description = "Matches known bad signing certificate serial number used by China-nexus threat actor WIP19."
		last_modified = "2024-01-05"
		author = "@petermstewart"
		DaysofYara = "5/100"
		ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
		sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"
		sha256 = "2f2f165ee5b81a101ebda0b161f43b54bc55afd8e4702c9b8056a175a1e7b0e0"

	condition:
		uint16(0) == 0x5a4d and
		pe.number_of_signatures > 0 and
		for any sig in pe.signatures:
		(
			sig.serial == "02:10:36:b9:e8:0d:16:ea:7f:8c:f0:e9:06:2b:34:55"
		)
}
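The most common mistake when writing a serial-number rule like the one above is the format of the string: `pe.signatures[i].serial` is compared as lowercase hex bytes separated by colons, whereas `openssl x509 -noout -serial` prints `serial=` followed by uppercase hex with no separators, and Python's `cryptography` hands back an integer. The helper below is an added example (not part of the post) that normalises those forms into the YARA representation and then mirrors the rule's `for any sig in pe.signatures` loop over a list of serials; the `serial=...` input strings are constructed from the serial in the rule.

```python
import re

def yara_serial(serial):
    """Normalise a certificate serial number into the colon-separated lowercase
    hex form used by YARA's pe.signatures[i].serial.
    Accepts an int (e.g. cryptography's Certificate.serial_number), the text
    printed by `openssl x509 -noout -serial` ("serial=021036B9..."), or a string
    that is already colon-separated."""
    if isinstance(serial, int):
        if serial < 0:
            raise ValueError("negative serial numbers are not handled here")
        hexstr = f"{serial:x}"
    else:
        hexstr = re.sub(r"^\s*serial\s*=\s*", "", serial, flags=re.I)
        hexstr = re.sub(r"[^0-9a-fA-F]", "", hexstr).lower()
    if len(hexstr) % 2:
        hexstr = "0" + hexstr          # restore the leading zero nibble of the first byte
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


# Serial taken from the rule above; extend the set as further bad certificates are identified.
KNOWN_BAD_SERIALS = {"02:10:36:b9:e8:0d:16:ea:7f:8c:f0:e9:06:2b:34:55"}


def signatures_match(serials):
    """Equivalent of: pe.number_of_signatures > 0 and
    for any sig in pe.signatures: (sig.serial == <known bad>)."""
    normalised = [yara_serial(s) for s in serials]
    return len(normalised) > 0 and any(s in KNOWN_BAD_SERIALS for s in normalised)


if __name__ == "__main__":
    # Constructed inputs in the three formats a practitioner is likely to have to hand.
    print(yara_serial("serial=021036B9E80D16EA7F8CF0E9062B3455"))
    print(yara_serial(0x021036B9E80D16EA7F8CF0E9062B3455))
    print(signatures_match(["serial=0123", "021036b9e80d16ea7f8cf0e9062b3455"]))  # True
```

Prefer the hex text from openssl or a hex dump of the certificate over the integer form: an integer cannot tell you whether the DER encoding carried a leading `00` byte, so a serial reconstructed from an int may differ by one byte from what the PE module reports.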


#100DaysofYARA 2024 – Day 0

Since switching my focus from incident response to threat hunting I have been using YARA more and more often to identify new samples and track the threat actors using them. During 2023 I was able to complete Steve Miller’s excellent “YARA for Security Analysts” course from Applied Network Defense, and wanted to challenge myself to write even more YARA rules, so I am joining in the 2024 edition of #100DaysofYARA.

I am mostly focusing on specific malware families and tools that I encounter during my day-job, but also have plans for some more generic hunting rules that might catch something interesting.

I plan to add new rules each day, posting them on this blog and uploading them to Github where hopefully someone else will find them useful.

Unless otherwise stated, all of the samples I will be triaging will be acquired from public repositories such as those on Lenny Zeltser’s list of malware sources, or based on analysis of public reports and blogs.

#100DaysofYARA 2024 starts on the 1st of January. Let’s go!