#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to triage a set of samples. Some of the rules use the base64 string modifier, which older versions of YARA do not support, and a few use regular expressions, which can be slow on larger sample sets.

Given the size of the ruleset it’s probably easier to grab it directly from my GitHub repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 7 – SQLMaggie DLL Export

The final rule for week one is an alternative method of identifying the SQLMaggie backdoor used by a China-nexus threat actor tracked by SentinelLabs as WIP19.

Examining the debug output from the YARA PE module, I found that my SQLMaggie sample DLL exported only a single function – maggie. This rule matches any PE file whose export directory lists exactly one function, and that function is named maggie. Two caveats: pe.number_of_exports counts entries in the export directory’s function table, so a DLL that exports maggie by name alongside an ordinal-only export will not match, and pe.export_details is not available in older YARA releases, where this rule will fail to compile.

import "pe"

rule MAL_SQLMaggie_dll_export {
    meta:
        description = "Matches DLL export found in SQLMaggie backdoor used by China-nexus threat actor WIP19."
        last_modified = "2024-01-07"
        author = "@petermstewart"
        DaysofYara = "7/100"
        ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
        sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"

    condition:
        uint16(0) == 0x5a4d and
        pe.number_of_exports == 1 and
        pe.export_details[0].name == "maggie"
}
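As an added illustration (not code from the original post, the SentinelLabs report or the YARA project), the Python below walks a PE file’s export directory the same way the YARA pe module does when it populates pe.number_of_exports (the directory’s NumberOfFunctions) and pe.export_details[i].name (the name table), then restates the rule’s condition as a function. The file it checks is constructed inside the script: a minimal, non-runnable PE32 DLL with one section and one named export. That is hypothetical test data, not the SQLMaggie sample, and the function names (parse_exports, matches_sqlmaggie_export, build_toy_dll) are my own.

```python
import struct


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def _sections(data, e_lfanew):
    """Return (VirtualAddress, SizeOfRawData, PointerToRawData) for each section."""
    nsec = _u16(data, e_lfanew + 6)          # COFF NumberOfSections
    opt_size = _u16(data, e_lfanew + 20)     # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size         # section table follows the optional header
    out = []
    for i in range(nsec):
        off = first + 40 * i
        out.append((_u32(data, off + 12), _u32(data, off + 16), _u32(data, off + 20)))
    return out


def _rva_to_offset(rva, sections):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_exports(data):
    """DOS header -> PE header -> optional header -> export directory.

    'number_of_functions' is the export directory's NumberOfFunctions, which is
    what YARA reports as pe.number_of_exports; 'names' is the name table in
    order, the source of pe.export_details[i].name.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = _u16(data, e_lfanew + 24)
    # Data directories start 96 bytes into a PE32 optional header, 112 bytes into PE32+.
    dd = e_lfanew + 24 + (96 if magic == 0x10B else 112)
    export_rva, export_size = _u32(data, dd), _u32(data, dd + 4)
    if export_rva == 0 or export_size == 0:
        return {"dll": None, "number_of_functions": 0, "names": []}
    sections = _sections(data, e_lfanew)
    ed = _rva_to_offset(export_rva, sections)
    dll_off = _rva_to_offset(_u32(data, ed + 12), sections)   # Name
    n_funcs = _u32(data, ed + 20)                               # NumberOfFunctions
    n_names = _u32(data, ed + 24)                               # NumberOfNames
    names_tbl = _rva_to_offset(_u32(data, ed + 32), sections)  # AddressOfNames
    names = []
    for i in range(n_names):
        off = _rva_to_offset(_u32(data, names_tbl + 4 * i), sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    dll = data[dll_off:data.index(b"\0", dll_off)].decode("ascii", "replace")
    return {"dll": dll, "number_of_functions": n_funcs, "names": names}


def matches_sqlmaggie_export(data):
    """Python restatement of the rule condition: exactly one export, named maggie."""
    try:
        exp = parse_exports(data)
    except (ValueError, struct.error):
        return False
    return exp["number_of_functions"] == 1 and exp["names"][:1] == ["maggie"]


def build_toy_dll(export_name=b"maggie"):
    """Constructed PE32 DLL: one section at RVA 0x1000 holding only an export directory.

    Hypothetical test data, not derived from the SQLMaggie sample; it cannot be loaded.
    """
    SEC_RVA, SEC_RAW, SEC_SIZE = 0x1000, 0x200, 0x200
    aof = SEC_RVA + 40                    # AddressOfFunctions follows the 40-byte directory
    aon = aof + 4                         # AddressOfNames: one RVA
    aoo = aon + 4                         # AddressOfNameOrdinals: one WORD
    dll_name_rva = aoo + 2
    func_name_rva = dll_name_rva + len(b"maggie.dll\0")
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, 1, 1, aof, aon, aoo)
    body = (export_dir + struct.pack("<I", 0x1100) + struct.pack("<I", func_name_rva)
            + struct.pack("<H", 0) + b"maggie.dll\0" + export_name + b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)    # i386, 1 section, DLL
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, SEC_SIZE, 0, 0, SEC_RVA, SEC_RVA)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x10000000, 0x1000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, 0x2000, SEC_RAW, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", SEC_RVA, len(body)) + b"\0" * (8 * 15)  # export dir + 15 empty
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_RAW,
                          0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(SEC_RAW, b"\0")
    return headers + body.ljust(SEC_SIZE, b"\0")


if __name__ == "__main__":
    sample = build_toy_dll()
    print(parse_exports(sample))
    print("matches:", matches_sqlmaggie_export(sample))
```

To run it over real files, pass open(path, "rb").read() to matches_sqlmaggie_export; any file that is not a well-formed PE returns False rather than raising, mirroring how an undefined pe field makes the YARA condition evaluate to false.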

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.

#100DaysofYARA 2024 – Day 6 – SQLMaggie Strings

This rule matches samples of the SQLMaggie backdoor utilised by a China-nexus threat actor tracked by SentinelLabs as WIP19.

Whilst we did not observe the initial infection vector in this intrusion, the SQLmaggie malware dropped on victim networks targets Windows systems and has to be executed in an MSSQL server.

We found that SQLMaggie masquerades as a legitimate DLL containing extended stored procedure functions for an MSSQL Server … After registering the DLL into the MSSQL server, the threat actor is able to fully control the server machine and use this backdoor to conduct reconnaissance in the internal network.

SentinelLabs, New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

rule MAL_SQLMaggie_strings {
    meta:
        description = "Matches strings found in SQLMaggie backdoor used by China-nexus threat actor WIP19."
        last_modified = "2024-01-06"
        author = "@petermstewart"
        DaysofYara = "6/100"
        ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
        sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"

    strings:
        $a1 = "Account Owner Not Found For The SID"
        $a2 = "%s Isn't Successfully Hooked Yet"
        $a3 = "About To Execute: %s %s %s"
        $a4 = "RunAs User Password Command"
        $a5 = "Wait 5 To 10 Seconds For TS Taking Effect"
        $a6 = "Re-Install TS Successfullly"
        $a7 = "ImpersonateLoggedOnUser = %d"
        $a8 = "The Account %s Has Been Cloned To %s"
        $a9 = "Fileaccess ObjectName [TrusteeName] [Permission] Options"
        $a10 = "SQL Scan Already Running"
        $a11 = "HellFire2050"

    condition:
        uint16(0) == 0x5a4d and
        8 of them
}


#100DaysofYARA 2024 – Day 5 – Known Bad Signing Certificate

Today’s rule is the first in a short series covering a China-nexus threat actor tracked by SentinelLabs as WIP19.

SentinelLabs has been monitoring a threat cluster we track as WIP19, a group characterized by the usage of a legitimate, stolen digital certificate issued by a company called “DEEPSoft”. Based on our investigations, WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia.

WIP19 has been observed signing malware with a valid digital certificate issued for DEEPSoft Co., Ltd., a Korean company specializing in messaging solutions. The threat actor used the certificate to sign several malware components, some of which were tailor-made for specific targets. We assess that it is highly likely the certificate was stolen, as it was also used to sign legitimate software used by DEEPSoft in the past.

SentinelLabs, New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

Building on yesterday’s work on signed PE files, we can also match any binary signed with a particular certificate by its serial number. Two things to keep in mind: the YARA pe module only parses the Authenticode signature, it does not verify it, so a file carrying an invalid or self-signed certificate with the same serial would still match; and certificate serial numbers are only unique within the issuing CA, so for a stricter match also test sig.issuer. sig.serial is compared as a lowercase, colon-separated hex string, so a serial copied from a tool that prints it in uppercase without separators must be reformatted before it will match.

import "pe"

rule TTP_WIP19_bad_cert {
    meta:
        description = "Matches known bad signing certificate serial number used by China-nexus threat actor WIP19."
        last_modified = "2024-01-05"
        author = "@petermstewart"
        DaysofYara = "5/100"
        ref = "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
        sha256 = "f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14"
        sha256 = "2f2f165ee5b81a101ebda0b161f43b54bc55afd8e4702c9b8056a175a1e7b0e0"

    condition:
        uint16(0) == 0x5a4d and
        pe.number_of_signatures > 0 and
        for any sig in pe.signatures:
        (
            sig.serial == "02:10:36:b9:e8:0d:16:ea:7f:8c:f0:e9:06:2b:34:55"
        )
}
