APT34 New Backdoor-SideTwist Variant IoCs
# Indicators of Compromise #
## Domains ##
hxxp://tecforsc-001-site1.gtempurl.com
## URLs ##
hxxp://tecforsc-001-site1.gtempurl.com/ads.asp?[random char]=[random char]
hxxp://11.0.188.38:443/search/ID
## Menorah Samples ##
64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
f2929c2450be06371ecccb132f274902d7c6b9d638508eef47aa0ed9a34a53e7
## SideTwist Variant Samples ##
7b83ca04240ca8769eb0f01a873674aa2891a4aa702d5cf632e7ecc284c38bc9
2fe919294cdb3baf51bc0cc199dd9e4980b4a0cc0c8884f60a0242f93cb35825
## YARA Rules ##
import "pe"
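// Detects PE executables carrying the "Menorah"/"Mango" marker strings together
// with one of four byte sequences taken from the sample. The hex sequences look
// like .NET CIL fragments (ldstr 0x70xxxxxx / call 0x0Axxxxxx token encodings),
// with the metadata token bytes wildcarded so they survive recompilation —
// NOTE(review): that reading is inferred from the byte layout, confirm against
// the sample.
//
// Fixes applied to the published text: the hex bytes "0 A" / "0 C" and the
// literal "0 x5A4D" contained stray spaces (transcription damage) that make the
// rule fail to compile; they are restored to "0A" / "0C" / "0x5A4D".
rule APT_MAL_Oilrig_EXE_Backdoor_December {
    meta:
        author = "Gokhan FIRAT"
        source = "brandefense .io"
        date = "05.12.2023"

    strings:
        // Marker strings observed in the Menorah samples.
        $s1 = "Menorah" ascii fullword
        $s2 = "Mango" ascii fullword

        // Code fragments; "??" wildcards the per-build token bytes.
        $h1 = {72 ?? ?? 00 70 0A 73 ?? 00 00 0A 0B 72 ?? 00 00 70 0C 07 16
               02 17 59 6F ?? 00 00 0A 0D 16 13 04 38 81 00 00 00 08 06 07 16 06
               6F ?? 00 00 0A 17 59 6F ?? 00 00 0A 6F ?? 00 00 0A 13 05 12 05 28
               ?? 00 00 0A 72 ?? ?? 00 70 28 ?? 00 00 0A 0C 11 04 09 FE 01 03 5F
               2C 48 1B 8D ?? 00 00 01 25 16 08 A2 25 17 1F 5B 13 05 12 05 28 ??
               00 00 0A A2 25 18 1F 40 13 05 12 05 28 ?? 00 00 0A A2 25 18 1F 40
               13 05 12 05 28 ?? 00 00 0A A2 25 1A 1F 5D 13 05 12 05 28 ?? 00 00
               0A A2 28 ?? 00 00 0A 0C 11 04 17 58 13 04 11 04 02 3F 77 FF FF FF}
        $h2 = {02 2D 02 14 2A 02 8E 69 8D 00 00 01 0A 16 0B 2B 1A 06 07 02
               07 91 03 07 03 6F ?? 00 00 0A 5D 6F ?? 00 00 0A 61 D2 9C 07 17 58 0B
               07 02 8E 69 32 E0}
        $h3 = {73 ?? 00 00 06 0A 06 02 7D ?? 00 00 04 02 28 ?? 00 00 06 0B 1D
               8D ?? 00 00 01 25 16 1F 64 0D 12 03 28 ?? 00 00 0A A2 25 17 1F 40 0D
               12 03 28 ?? 00 00 0A A2 25 18 07 A2 25 19 1F 40 0D 12 03 28 ?? 00 00
               0A A2 25 1A 28 ?? 00 00 0A A2 25 1B 1F 7C 0D 12 03 28 ?? 00 00 0A A2
               25 1C 28 ?? 00 00 0A A2 28 ?? 00 00 0A 0C 06 02 02 7B ?? 00 00 04 08
               28 ?? 00 00 06 7D ?? 00 00 04 06 7B ?? 00 00 04 28 ?? 00 00 0A 2D 2C
               06 06 7B ?? 00 00 04 72 ?? 0? 00 70 72 ?? 00 00 70 6F ?? 00 00 0A 7D
               ?? 00 00 04 06 06 7B ?? 00 00 04 6F ?? 00 00 0A 7D ?? 00 00 04 06 FE
               06 ?? 00 00 06 73 ?? 00 00 0A 73 ?? 00 00 0A 28 ?? 00 00 0A DE 03}
        $h4 = {28 ?? 00 00 0A 04 6F ?? 00 00 0A 02 7B ?? 00 00 04 28 ?? 00 00
               06 28 ?? 00 00 0A 0A 73 ?? 00 00 0A 19 1F 0E 6F ?? 00 00 0A 17 28 ??
               00 00 06 1F 5B 13 06 12 06 28 ?? 00 00 0A 1F 40 13 06 12 06 28 ?? 00
               00 0A 1F 40 13 06 12 06 28 ?? 00 00 0A 1F 5D 13 06 12 06 28 ?? 00 00
               0A 28 ?? 00 00 0A 1B 8D ?? 00 00 01 25 16 1F 5B 13 06 12 06 28 ?? 00
               00 0A A2 25 17 1F 40 13 06 12 06 28 ?? 00 00 0A A2 25 18 06 A2 25 19
               1F 40 13 06 12 06 28 ?? 00 00 0A A2 25 1A 1F 5D 13 06 12 06 28 ?? 00
               00 0A A2 28 ?? 00 00 0A 6F ?? 00 00 0A 0B 28 ?? 00 00 0A 07 6F ?? 00
               00 0A 0C 72 ?? 00 00 70 0D 1F 3F 13 06 12 06 28 ?? 00 00 0A 17 16 28
               ?? 00 00 06 1F 3D 13 06 12 06 28 ?? 00 00 0A 17 16 28 ?? 00 00 06 28
               ?? 00 00 0A 13 04 03 11 04 28 ?? 00 00 0A 28 ?? 00 00 0A 74 ?? 00 00
               01 13 05 11 05 1F 50 13 06 12 06 28 ?? 00 00 0A 1F 4F 13 06 12 06 28
               ?? 00 00 0A 1F 53 13 06 12 06 28 ?? 00 00 0A 1F 54 13 06 12 06 28 ??
               00 00 0A 28 ?? 00 00 0A 6F ?? 00 00 0A 11 05 1F 21 8D ?? 00 00 01 25
               16 1F 61 13 06 12 06 28 ?? 00 00 0A A2 25 17 1F 70 13 06 12 06 28 ??
               00 00 0A A2 25 18 1F 70 13 06 12 06 28 ?? 00 00 0A A2 25 19 1F 6C 13
               06 12 06 28 ?? 00 00 0A A2 25 1A 1F 69 13 06 12 06 28 ?? 00 00 0A A2
               25 1B 1F 63 13 06 12 06 28 ?? 00 00 0A A2 25 1C 1F 61 13 06 12 06 28
               ?? 00 00 0A A2 25 1D 1F 74 13 06 12 06 28 ?? 00 00 0A A2 25 1E 1F 69
               13 06 12 06 28 ?? 00 00 0A A2 25 1F 09 1F 6F 13 06 12 06 28 ?? 00 00
               0A A2 25 1F 0A 1F 6E 13 06 12 06 28 ?? 00 00 0A A2 25 1F 0B 1F 2F 13
               06 12 06 28 ?? 00 00 0A A2 25 1F 0C 1F 78 13 06 12 06 28 ?? 00 00 0A
               A2 25 1F 0D 1F 2D 13 06 12 06 28 ?? 00 00 0A A2 25 1F 0E 1F 77 13 06
               12 06 28 ?? 00 00 0A A2 25 1F 0F 1F 77 13 06 12 06 28 ?? 00 00 0A A2
               25 1F 10 1F 77 13 06 12 06 28 ?? 00 00 0A A2 25 1F 11 1F 2D 13 06 12
               06 28 ?? 00 00 0A A2 25 1F 12 1F 66 13 06 12 06 28 ?? 00 00 0A A2 25
               1F 13 1F 6F 13 06 12 06 28 ?? 00 00 0A A2 25 1F 14 1F 72 13 06 12 06
               28 ?? 00 00 0A A2 25 1F 15 1F 6D 13 06 12 06 28 ?? 00 00 0A A2 25 1F
               16 1F 2D 13 06 12 06 28 ?? 00 00 0A A2 25 1F 17 1F 75 13 06 12 06 28
               ?? 00 00 0A A2 25 1F 18 1F 72 13 06 12 06 28 ?? 00 00 0A A2 25 1F 19
               1F 6C 13 06 12 06 28 ?? 00 00 0A A2 25 1F 1A 1F 65 13 06 12 06 28 ??
               00 00 0A A2 25 1F 1B 1F 6E 13 06 12 06 28 ?? 00 00 0A A2 25 1F 1C 1F
               63 13 06 12 06 28 ?? 00 00 0A A2 25 1F 1D 1F 6F 13 06 12 06 28 ?? 00
               00 0A A2 25 1F 1E 1F 64 13 06 12 06 28 ?? 00 00 0A A2 25 1F 1F 1F 65
               13 06 12 06 28 ?? 00 00 0A A2 25 1F 20 1F 64 13 06 12 06 28 ?? 00 00
               0A A2 28 ?? 00 00 0A 6F ?? 00 00 0A 11 05 08 8E 69 6A 6F ?? 00 00 0A
               11 05 6F ?? 00 00 0A 25 08 16 08 8E 69 6F ?? 00 00 0A 6F ?? 00 00 0A
               11 05 6F ?? 00 00 0A 25 6F ?? 00 00 0A 73 ?? 00 00 0A 25 6F ?? 00 00
               0A 0D 6F ?? 00 00 0A 6F ?? 00 00 0A 09 13 07 DE 0A}

    condition:
        // 0x5A4D read little-endian at offset 0 is "MZ": restrict to PE files.
        uint16(0) == 0x5A4D and
        any of ($s*) and
        1 of ($h*)
}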
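// Detects the SideTwist variant by its C2 URI path fragments, the on-disk
// config/update path it uses, or a short x64 code fragment from the sample.
//
// Review note: the three path strings are very short and generic ("/search/",
// "/getFile/") — "fullword" only excludes adjacent alphanumerics, and "/" is not
// alphanumeric, so they match essentially any occurrence. As published the rule
// had no file-type gate at all; it now requires the MZ header like the sibling
// Menorah rule, which removes matches on web content, logs and other non-PE
// files. Expect residual false positives on benign PE files that embed these
// paths; consider requiring $hex1 together with a string if hit volume is high.
rule APT_MAL_SideTwist_Variant_EXE_Backdoor_December {
    meta:
        author = "reita"
        source = "brandefense .io"
        date = "05.12.2023"

    strings:
        // URI path fragments seen in the C2 traffic (see the URLs section above).
        $str1 = "/search/" fullword
        $str2 = "/getFile/" fullword
        // Local file path referenced by the sample.
        $str3 = "\\SystemFailureReporter\\update.xml" fullword
        // Code fragment; "?5" wildcards the high nibble of the ModRM byte.
        $hex1 = {48 8D ?5 60 FF FF FF 4C 8D ?5 E0}

    condition:
        // 0x5A4D little-endian at offset 0 is "MZ": only evaluate PE files.
        uint16(0) == 0x5A4D and
        (any of ($str*) or 1 of ($hex*))
}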