#100DaysofYARA 2024 – Day 91 – Hunters International Ransomware Note

Two rules to cover the Hunters International ransom note: a tighter one that requires the full ASCII art logo plus at least one of the associated .onion addresses…

rule MAL_HuntersInternational_ransomnote {
    meta:
        description = "Matches strings found in Hunters International ransom notes."
        last_modified = "2024-03-31"
        author = "@petermstewart"
        DaysofYara = "91/100"

    strings:
        $a1 = "_   _ _   _ _   _ _____ _____ ____  ____"
        $a2 = "| | | | | | | \\ | |_   _| ____|  _ \\/ ___|"
        $a3 = "| |_| | | | |  \\| | | | |  _| | |_) \\___ \\"
        $a4 = "|  _  | |_| | |\\  | | | | |___|  _ < ___) |"
        $a5 = "|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___  _   _    _    _"
        $a6 = "|_ _| \\ | |_   _| ____|  _ \\| \\ | |  / \\|_   _|_ _/ _ \\| \\ | |  / \\  | |"
        $a7 = "| ||  \\| | | | |  _| | |_) |  \\| | / _ \\ | |  | | | | |  \\| | / _ \\ | |"
        $a8 = "| || |\\  | | | | |___|  _ <| |\\  |/ ___ \\| |  | | |_| | |\\  |/ ___ \\| |___"
        $a9 = "|___|_| \\_| |_| |_____|_| \\_\\_| \\_/_/   \\_\\_| |___\\___/|_| \\_/_/   \\_\\_____|"
        $b1 = "hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion"
        $b2 = "hunters33dootzzwybhxyh6xnmumopeoza6u4hkontdqu7awnhmix7ad.onion"
        $b3 = "hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion"
        $b4 = "hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion"

    condition:
        filesize < 5KB and
        all of ($a*) and
        1 of ($b*)
}

…and a second, broader hunting rule that matches the ASCII art logo alone, with no filesize limit, so that a note carrying rotated .onion addresses still matches.

rule HUNT_HuntersInternational_ascii_art {
    meta:
        description = "Matches ascii art found in Hunters International ransomware notes."
        last_modified = "2024-03-31"
        author = "@petermstewart"
        DaysofYara = "91/100"

    strings:
        $a1 = "_   _ _   _ _   _ _____ _____ ____  ____"
        $a2 = "| | | | | | | \\ | |_   _| ____|  _ \\/ ___|"
        $a3 = "| |_| | | | |  \\| | | | |  _| | |_) \\___ \\"
        $a4 = "|  _  | |_| | |\\  | | | | |___|  _ < ___) |"
        $a5 = "|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___  _   _    _    _"
        $a6 = "|_ _| \\ | |_   _| ____|  _ \\| \\ | |  / \\|_   _|_ _/ _ \\| \\ | |  / \\  | |"
        $a7 = "| ||  \\| | | | |  _| | |_) |  \\| | / _ \\ | |  | | | | |  \\| | / _ \\ | |"
        $a8 = "| || |\\  | | | | |___|  _ <| |\\  |/ ___ \\| |  | | |_| | |\\  |/ ___ \\| |___"
        $a9 = "|___|_| \\_| |_| |_____|_| \\_\\_| \\_/_/   \\_\\_| |___\\___/|_| \\_/_/   \\_\\_____|"

    condition:
        all of them
}
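
Hand-escaping figlet-style art is where rules like the two above usually go wrong: every backslash in the logo has to become a double backslash inside a YARA text string, a double quote has to be escaped, and a stray trailing space or CRLF on a row means that row silently never matches. The script below is an added example, not code from the original post or from the author's GitHub rules: it generates the $a* strings from the logo pasted in raw, then round-trips them to prove the escaping is correct. The logo rows are the nine from the rules above; the helper names, the rule name passed to build_rule and the choice to strip trailing whitespace are my own assumptions.

```python
import re

# Constructed sample input: the logo rows exactly as they appear in the note,
# pasted into a raw string so no escaping is done by hand. These are the same
# nine rows the Day 91 rules carry as $a1..$a9.
HUNTERS_LOGO = r"""
_   _ _   _ _   _ _____ _____ ____  ____
| | | | | | | \ | |_   _| ____|  _ \/ ___|
| |_| | | | |  \| | | | |  _| | |_) \___ \
|  _  | |_| | |\  | | | | |___|  _ < ___) |
|_|_|_|\___/|_|_\_|_|_|_|_____|_|_\_\____/____ ___ ___  _   _    _    _
|_ _| \ | |_   _| ____|  _ \| \ | |  / \|_   _|_ _/ _ \| \ | |  / \  | |
| ||  \| | | | |  _| | |_) |  \| | / _ \ | |  | | | | |  \| | / _ \ | |
| || |\  | | | | |___|  _ <| |\  |/ ___ \| |  | | |_| | |\  |/ ___ \| |___
|___|_| \_| |_| |_____|_| \_\_| \_/_/   \_\_| |___\___/|_| \_/_/   \_\_____|
"""


def yara_text_string(row):
    """Escape one row of text as the body of a double-quoted YARA text string.

    Backslash and double quote must be escaped, a tab becomes \\t, and any
    byte outside printable ASCII is emitted as \\xNN (UTF-8 encoded first) so
    the rule stays 7-bit clean and still matches the note byte-for-byte.
    """
    out = []
    for ch in row:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\t":
            out.append("\\t")
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.extend("\\x%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


ESC = re.compile(r'\\(\\|"|t|n|r|x[0-9a-fA-F]{2})')


def yara_unescape(body):
    """Inverse of yara_text_string, used as a round-trip check on the output."""
    raw = bytearray()
    pos = 0
    for m in ESC.finditer(body):
        raw += body[pos:m.start()].encode("ascii")
        esc = m.group(1)
        if esc.startswith("x"):
            raw.append(int(esc[1:], 16))
        else:
            raw += {"\\": b"\\", '"': b'"', "t": b"\t", "n": b"\n", "r": b"\r"}[esc]
        pos = m.end()
    raw += body[pos:].encode("ascii")
    return raw.decode("utf-8")


def art_strings(art, prefix="a"):
    """Turn a block of ASCII art into (identifier, escaped body) pairs.

    Blank rows are dropped and trailing whitespace is stripped: notes get
    re-saved with CRLF endings or trailing spaces, and YARA text strings are
    substring matches, so the shorter row still hits in either case.
    """
    rows = [row.rstrip() for row in art.splitlines()]
    rows = [row for row in rows if row]
    return [("%s%d" % (prefix, i), yara_text_string(row))
            for i, row in enumerate(rows, start=1)]


def build_rule(name, art, description):
    """Render a HUNT_-style rule that requires every row of the logo."""
    lines = [
        "rule %s {" % name,
        "    meta:",
        '        description = "%s"' % yara_text_string(description),
        "",
        "    strings:",
    ]
    for ident, body in art_strings(art):
        lines.append('        $%s = "%s"' % (ident, body))
    lines += ["", "    condition:", "        all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical rule name; prints a compilable rule to paste into a .yar file.
    print(build_rule("HUNT_generated_ascii_art", HUNTERS_LOGO,
                     "Matches ascii art found in a ransom note."))
```

The round-trip through yara_unescape is the check worth keeping in a rule-authoring workflow: if the unescaped body does not equal the row you pasted, the rule compiles but matches different bytes than you think.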

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 90 – Hunters International Ransomware

Hunters International ransomware was first observed in October 2023. Its encryptor shares a large amount of code with Hive, whose infrastructure was seized in a law-enforcement operation in January 2023, and it has been widely reported as a Hive rebrand (the group itself claims to have bought the Hive source code). This rule matches strings found in a Windows Hunters International sample; the windows_encrypt/src/main.rs path is a Rust source path left in the binary.

rule MAL_HuntersInternational_strings {
    meta:
        description = "Matches strings found in Hunters International ransomware samples."
        last_modified = "2024-03-30"
        author = "@petermstewart"
        DaysofYara = "90/100"
        sha256 = "c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e"

    strings:
        $a1 = "windows_encrypt/src/main.rs"
        $a2 = "skipped, reserve dir"
        $a3 = "skipped, min size:"
        $a4 = "skipped, symlink:"
        $a5 = "skipped, reserved file:"
        $a6 = "skipped, reserved extension:"
        $a7 = "got, dir:"
        $a8 = "encrypting"

    condition:
        uint16(0) == 0x5a4d and
        all of them
}

#100DaysofYARA 2024 – Day 89 – Trigona Ransomware Note

Today’s rule matches strings in the Trigona ransom note, which is dropped as an HTA/HTML document (hence the <title> string and the more generous 20KB filesize limit):

rule MAL_Trigona_ransomnote {
    meta:
        description = "Matches strings found in Trigona ransom notes."
        last_modified = "2024-03-29"
        author = "@petermstewart"
        DaysofYara = "89/100"

    strings:
        $a1 = "3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion"
        $b1 = "<title>ENCRYPTED</title>"
        $b2 = "the entire network is encrypted"
        $b3 = "your business is losing money"
        $b4 = "All documents, databases, backups and other critical data were encrypted and leaked"
        $b5 = "The program uses a secure AES algorithm"
        $b6 = "decryption impossible without contacting us"
        $b7 = "To recover your data, please follow the instructions"
        $b8 = "Download Tor Browser"
        $b9 = "Open decryption page"
        $b10 = "Auth using this key"

    condition:
        filesize < 20KB and
        7 of them
}

#100DaysofYARA 2024 – Day 88 – Trigona Ransomware

The Trigona ransomware began operations around October 2022 and has been regularly updated since then with both Windows and Linux/ESXi variants observed in the wild. This rule matches strings found in Windows samples.

rule MAL_Trigona_strings {
    meta:
        description = "Matches strings found in Trigona ransomware samples."
        last_modified = "2024-03-28"
        author = "@petermstewart"
        DaysofYara = "88/100"
        sha256 = "fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b"
        sha256 = "d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a"

    strings:
        $a1 = "how_to_decrypt" wide
        $b1 = "nolocal"
        $b2 = "nolan"
        $b3 = "shutdown"
        $b4 = "random_file_system"
        $b5 = "fullmode"
        $b6 = "erasemode"
        $b7 = "network_scan_finished"
        $b8 = "is_testing"

    condition:
        uint16(0) == 0x5a4d and
        $a1 and
        4 of ($b*)
}

#100DaysofYARA 2024 – Day 87 – Yanluowang Ransomware Note

Today’s rule matches strings found in the note dropped post-encryption by the Yanluowang ransomware.

rule MAL_Yanluowang_ransomnote {
    meta:
        description = "Matches strings found in Yanluowang ransom notes."
        last_modified = "2024-03-27"
        author = "@petermstewart"
        DaysofYara = "87/100"

    strings:
        $a1 = "since you are reading this it means you have been hacked"
        $a2 = "encrypting all your systems"
        $a3 = "Here's what you shouldn't do"
        $a4 = "Do not try to decrypt the files yourself"
        $a5 = "do not change the file extension yourself"
        $a6 = "Keep us for fools"
        $a7 = "Here's what you should do right after reading it"
        $a8 = "send our message to the CEO of the company, as well as to the IT department"
        $a9 = "you should contact us within 24 hours by email"
        $a10 = "As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption"
        $a11 = "Mails to contact us"

    condition:
        filesize < 5KB and
        8 of them
}

#100DaysofYARA 2024 – Day 86 – Yanluowang Ransomware

The Yanluowang ransomware was first observed in late 2021, and the group has been reported to sign its binaries with code-signing certificates. This rule relies on PDB paths and a usage string found in Windows samples, plus the family name itself.

rule MAL_Yanluowang_strings {
    meta:
        description = "Matches PDB path and usage strings found in Yanluowang ransomware samples."
        last_modified = "2024-03-26"
        author = "@petermstewart"
        DaysofYara = "86/100"
        sha256 = "49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d"
        sha256 = "d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c"

    strings:
        $a1 = "C:\\Users\\111\\Desktop\\wifi\\project\\ConsoleApplication2\\Release\\ConsoleApplication2.pdb"
        $a2 = "C:\\Users\\cake\\Desktop\\project-main\\project-main\\ConsoleApplication2\\cryptopp-master"
        $a3 = "Syntax: encrypt.exe [(-p,-path,--path)<path>]"
        $a4 = "yanluowang"

    condition:
        uint16(0) == 0x5a4d and
        all of them
}

#100DaysofYARA 2024 – Day 85 – KrustyLoader

KrustyLoader is a Rust-based malware observed on compromised Ivanti Connect Secure devices in January 2024, which ultimately downloaded and executed Sliver implants. The rule checks for the ELF magic (0x7f 'E' 'L' 'F', read as the little-endian uint32 0x464c457f) alongside the strings.

rule MAL_Loader_KrustyLoader_strings {
	meta:
		description = "Matches strings found in KrustyLoader malware samples."
		last_modified = "2024-03-25"
		author = "@petermstewart"
		DaysofYara = "85/100"
		sha256 = "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0"
		ref = "https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises"

	strings:
		$a1 = "|||||||||||||||||||||||||||||||||||"
		$a2 = "/proc/self/exe"
		$a3 = "/tmp/"
		$a4 = "TOKIO_WORKER_THREADS"

	condition:
		uint32(0) == 0x464c457f and
		all of them
}

#100DaysofYARA 2024 – Day 84 – SugarGh0st DLL Loader

SugarGh0st is a customised variant of Gh0st RAT, a remote access trojan whose source code has circulated publicly since 2008, and was assessed by Cisco Talos to be used by a China-nexus threat actor to target entities in Uzbekistan and South Korea. SugarGh0st uses a multi-stage infection chain that includes a DLL which decrypts and reflectively loads the final payload; this rule matches strings found in that loader DLL:

rule MAL_APT_SugarGhost_Loader_strings {
	meta:
		description = "Matches strings found in the DLL loader component of SugarGhost malware."
		last_modified = "2024-03-24"
		author = "@petermstewart"
		DaysofYara = "84/100"
		sha256 = "34cba6f784c8b68ec9e598381cd3acd11713a8cf7d3deba39823a1e77da586b3"
		ref = "https://blog.talosintelligence.com/new-sugargh0st-rat/"

	strings:
		$a1 = "The ordinal %u could not be located in the dynamic link library %s"
		$a2 = "File corrupted!. This program has been manipulated and maybe"
		$a3 = "it's infected by a Virus or cracked. This file won't work anymore."

	condition:
		filesize > 200MB and
		uint16(0) == 0x5a4d and
		all of them
}

#100DaysofYARA 2024 – Day 83 – Cactus Ransomware Note

Today’s rule matches strings in the note dropped by Cactus ransomware post-encryption:

rule MAL_Cactus_ransomnote {
	meta:
		description = "Matches strings found in ransom notes dropped by Cactus ransomware."
		last_modified = "2024-03-23"
		author = "@petermstewart"
		DaysofYara = "83/100"
		
	strings:
		$a1 = "cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion"
		$a2 = "sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion"
		$a3 = "cactus2tg32vfzd6mwok23jfeolh4yxrg2obzlsyax2hfuka3passkid.onion"
		$b1 = "encrypted by Cactus"
		$b2 = "Do not interrupt the encryption process"
		$b3 = "Otherwise the data may be corrupted"
		$b4 = "wait until encryption is finished"
		$b6 = "TOX (https://tox.chat):"
		$b7 = "7367B422CD7498D5F2AAF33F58F67A332F8520CF0279A5FBB4611E0121AE421AE1D49ACEABB2"

	condition:
		filesize < 5KB and
		(1 of ($a*) or 5 of ($b*))
}
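
YARA gives and higher precedence than or, so a condition written filesize < 5KB and 1 of ($a*) or 5 of ($b*) without parentheses parses as (filesize < 5KB and 1 of ($a*)) or 5 of ($b*): the filesize guard only covers the .onion branch, and five of the $b strings fire on a file of any size, which is exactly the kind of rule that lights up a scan of a large document share. The script below is an added example rather than anything from the original post: it lints a ruleset for that pattern by tokenising each condition and reporting any parenthesis depth at which and and or sit side by side. The sample ruleset is constructed for the demo; its first rule carries the unparenthesised form of the Cactus note condition, the second the parenthesised form, and the function and rule names are my own.

```python
import re

# Tokeniser for a condition section: quoted literals are kept whole so an
# "and"/"or" inside a string argument is not counted as an operator,
# parentheses are tracked for nesting depth, everything else is a bare token.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|[A-Za-z_][A-Za-z0-9_]*|\S')


def mixed_and_or_depths(condition):
    """Return the set of parenthesis depths at which both `and` and `or`
    appear as siblings, i.e. with no parentheses separating them.

    YARA parses `A and B or C` as `(A and B) or C`; a depth where both
    operators occur unparenthesised is almost always an authoring mistake.
    """
    depth = 0
    seen = {}
    for tok in TOKEN.findall(condition):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif tok in ("and", "or"):
            seen.setdefault(depth, set()).add(tok)
    return {d for d, ops in seen.items() if ops == {"and", "or"}}


# One rule = from a line starting with `rule <name>` up to the first `}` at
# column 0; the condition is everything after the `condition:` keyword.
RULE_BLOCK = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+(\w+)\b(.*?)^\}',
                        re.S | re.M)
COND = re.compile(r'condition\s*:\s*(.*)', re.S)


def lint_conditions(rules_text):
    """Scan every rule in a ruleset; return [(rule_name, [depths])] for the
    rules whose condition mixes and/or at a single depth."""
    findings = []
    for name, body in RULE_BLOCK.findall(rules_text):
        m = COND.search(body)
        if not m:
            continue
        bad = mixed_and_or_depths(m.group(1))
        if bad:
            findings.append((name, sorted(bad)))
    return findings


# Constructed sample ruleset (not real detection content). The first rule has
# the unparenthesised Cactus-style condition, the second the corrected form,
# the third shows that nested parentheses and string literals are handled.
SAMPLE_RULES = r'''
rule note_unguarded {
    strings:
        $a1 = "example.onion"
        $b1 = "encrypted by"
        $b2 = "Do not interrupt"
    condition:
        filesize < 5KB and
        1 of ($a*) or
        2 of ($b*)
}

rule note_guarded {
    strings:
        $a1 = "example.onion"
        $b1 = "encrypted by"
        $b2 = "Do not interrupt"
    condition:
        filesize < 5KB and
        (1 of ($a*) or 2 of ($b*))
}

rule nested_ok {
    condition:
        uint16(0) == 0x5a4d and pe.imports("kernel32.dll", "VirtualAlloc") and
        for any i in (0..2) : ( @a[i] > 0 or @b[i] > 0 )
}
'''

if __name__ == "__main__":
    for name, depths in lint_conditions(SAMPLE_RULES):
        print("%s: and/or mixed without parentheses at depth(s) %s" % (name, depths))
```

Run it over a rules directory before committing; a hit is not always a bug (sometimes the precedence really is what you want) but it is always worth a pair of parentheses, because the next person reading the rule will assume the filesize guard applies to the whole condition.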

#100DaysofYARA 2024 – Day 82 – Cactus Ransomware

Cactus ransomware was first observed in March 2023, and makes heavy use of data-theft as leverage in ransom negotiations. This rule matches strings found in Windows Cactus samples.

rule MAL_Cactus_strings {
	meta:
		description = "Matches strings found in Cactus ransomware samples."
		last_modified = "2024-03-22"
		author = "@petermstewart"
		DaysofYara = "82/100"
		sha256 = "1ea49714b2ff515922e3b606da7a9f01732b207a877bcdd1908f733eb3c98af3"
		sha256 = "c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a"

	strings:
		$a1 = "vssadmin delete shadows /all /quiet" wide
		$a2 = "WMIC shadowcopy delete" wide
		$a3 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" wide
		$a4 = "bcdedit /set {default} recoveryenabled no" wide
		$a5 = "cAcTuS" wide
		$a6 = "CaCtUs.ReAdMe.txt" wide
		$a7 = "schtasks.exe /create /sc MINUTE /mo 5 /rl HIGHEST /ru SYSTEM /tn \"Updates Check Task\" /tr \"cmd /c cd C:\\ProgramData &&" wide
		$a8 = "C:\\Windows\\system32\\schtasks.exe /run /tn \"Updates Check Task\"" wide

	condition:
		uint16(0) == 0x5a4d and
		6 of them
}