#100DaysofYARA 2024 – Day 64 – Atera Agent

Rounding out this little series on Remote Management and Monitoring tools is Atera Agent. Like ScreenConnect and AnyDesk, Atera Agent has been abused by malicious actors.

Today’s rule matches strings found in the Atera Agent MSI installer package:

rule PUP_RMM_AteraAgent_msi {
	meta:
		description = "Matches strings found in Atera Agent remote management tool installer, often abused for unauthorised access."
		last_modified = "2024-03-04"
		author = "@petermstewart"
		DaysofYara = "64/100"
		sha256 = "91d9c73b804aae60057aa93f4296d39ec32a01fe8201f9b73f979d9f9e4aea8b"

	strings:
		$magic = { d0 cf 11 e0 a1 b1 1a e1 }
		$clsid = { 84 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
		$a1 = "AteraAgent"
		$a2 = "This installer database contains the logic and data required to install AteraAgent."

	condition:
		$magic at 0 and
		all of them
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 63 – AnyDesk

AnyDesk is another legitimate Remote Management and Monitoring tool abused as a secondary C2 by threat actors, including in at least two publicly reported intrusions linked to the BumbleBee loader malware, which I covered at the end of January.

AnyDesk also suffered a serious breach a few weeks ago that resulted in the revocation of their code-signing certificate, so maybe treat AnyDesk binaries with a bit more suspicion now.

rule PUP_RMM_AnyDesk_exe {
	meta:
		description = "Matches AnyDesk remote management tool, often abused for unauthorised access."
		last_modified = "2024-03-03"
		author = "@petermstewart"
		DaysofYara = "63/100"
		sha256 = "5beab9f13976d174825f9caeedd64a611e988c69f76e63465ed10c014de4392a"
		sha256 = "7a719cd40db3cf7ed1e4b0d72711d5eca5014c507bba029b372ade8ca3682d70"

	strings:
		$pdb = "C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb"
		$a1 = "my.anydesk.com"
		$a2 = "AnyDesk Software GmbH" wide

	condition:
		uint16(0)==0x5a4d and
		all of them
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 62 – ScreenConnect

ScreenConnect is a legitimate Remote Management and Monitoring tool which has been abused as a C2 mechanism by threat actors, including at least one HIVE SPIDER affiliate. If that’s not enough, the ScreenConnect server was found to suffer from a trivially exploitable authentication bypass vulnerability in February 2024.

This rule matches strings found in the ScreenConnect MSI package, commonly used to install the application:

rule PUP_RMM_ScreenConnect_msi {
	meta:
		description = "Matches strings found in ScreenConnect MSI packages, often abused for unauthorised access."
		last_modified = "2024-03-02"
		author = "@petermstewart"
		DaysofYara = "62/100"
		sha256 = "80b6ec0babee522290588e324026f7c16e3de9d178b9e846ae976ab432058ce7"
		sha256 = "f8c2b122da9c9b217eada5a1e5fde92678925f1bb2ea847253538ffda274f0b9"

	strings:
		$magic = { d0 cf 11 e0 a1 b1 1a e1 }
		$clsid = { 84 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
		$a1 = "ScreenConnect.Client.dll"
		$a2 = "ScreenConnect.WindowsClient.exe"
		$a3 = "Share My Desktop"
		$a4 = "Grab a still image of the remote machine desktop"

	condition:
		$magic at 0 and
		all of them
}

While researching ScreenConnect I also wrote a utility rule to detect MSI installers:

rule file_msi {
	meta:
		description = "Finds Microsoft Installer (.msi) files"
		last_modified = "2024-03-02"
		author = "@petermstewart"
		DaysofYara = "62/100"

	strings:
		$magic = { d0 cf 11 e0 a1 b1 1a e1 }
		$clsid = { 84 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 }

	condition:
		$magic at 0 and
		$clsid
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.