Yara Rule - Threat hunting rule that detects samples signed with the compromised Trading Technologies certificate after May 2022

Yara definition.

Author: Florian Roth

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

Reference samples:

- 900b63ff9b06e0890bf642bdfcbfcc6ab7887c7a3c057c8e3fd6fba5ffc8e5d6 - NK UNC4736 installer that drops VEILEDSIGNAL malware (https://twitter.com/cyb3rops/status/1649054604620075022?s=20)
- aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43 - NK UNC4736 VEILEDSIGNAL malware (https://twitter.com/cyb3rops/status/1649068018754830336?s=20)
```yara
import "pe"
rule PLACEHOLDER_RULE_1 { /* original rule name not preserved on this page */
   meta:
      date = "2023-04-20"
      score = 85
      hash1 = "aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43"
   strings:
      $op1 = { B8 AB AA AA AA F7 E1 8B C1 C1 EA 02 8D 14 52 03 D2 2B C2 8A 84 05 ?? ?? ?? ?? 30 84 0D ?? ?? ?? ?? } /* xor decryption */
      $op2 = { 50 66 0F 13 85 ?? ?? ?? ?? 66 0F 13 85 ?? ?? ?? ?? 66 0F 13 85 ?? ?? ?? ?? 66 0F 13 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 3C 00 00 00 C7 85 ?? ?? ?? ?? 40 00 00 00 C7 85 ?? ?? ?? ?? 05 00 00 00 FF 15 } /* shellexecute */
      $op3 = { 6A 00 8D 85 ?? ?? ?? ?? 50 6A 04 8D 85 ?? ?? ?? ?? 50 57 FF 15 } /* read file */
   condition:
      uint16(0) == 0x5a4d and all of them
}
rule PLACEHOLDER_RULE_2 { /* original rule name not preserved on this page */
   meta:
      date = "2023-04-20"
      score = 75
      hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
      hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
      hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
   strings:
      $opb1 = { 81 BD ?? ?? ?? ?? 5E DA F3 76 } /* marker */
      $opb2 = { C7 85 ?? ?? ?? ?? 74 F2 39 DA 66 C7 85 ?? ?? ?? ?? E5 CF } /* xor key */
   condition:
      uint16(0) == 0x5a4d and all of them /* condition not preserved on this page; assumed to match rule 1 */
}
rule PLACEHOLDER_RULE_3 { /* original rule name not preserved on this page */
   meta:
      description = "Threat hunting rule that detects samples signed with the compromised Trading Technologies certificate after May 2022"
      date = "2023-04-20"
      score = 65
   strings:
      $s1 = { 00 85 38 A6 C5 01 8F 50 FC } /* serial number */
      $s2 = "Go Daddy Secure Certificate Authority - G2" /* CA */
      $s3 = "Trading Technologies International, Inc"
   condition:
      uint16(0) == 0x5a4d and all of them
      and pe.timestamp > 1651363200 /* 2022-05-01 UTC; the page only says "after May 2022", so this exact cutoff is an assumption */
}
```
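As an added illustration (not code from the signature-base repository or the rule author), the following Python mirrors what the certificate-hunting rule checks: an MZ header, a COFF TimeDateStamp later than an assumed cutoff of 2022-05-01 UTC, and the three certificate byte patterns; the PE buffers it builds are constructed test data, not real samples.

```python
"""Python mirror of the certificate-hunting YARA logic (added example, not the rule's own code)."""
import struct
from datetime import datetime, timezone

# Byte patterns taken from the rule on this page.
SERIAL = bytes.fromhex("008538A6C5018F50FC")           # leaf certificate serial number
CA = b"Go Daddy Secure Certificate Authority - G2"      # issuer
SUBJECT = b"Trading Technologies International, Inc"    # subject

# Assumed cutoff for "after May 2022": 2022-05-01 00:00 UTC (1651363200).
CUTOFF = int(datetime(2022, 5, 1, tzinfo=timezone.utc).timestamp())


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp (what YARA exposes as pe.timestamp), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # uint16(0) == 0x5a4d in the rule
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def matches(data: bytes) -> bool:
    """True when the buffer satisfies the rule: PE, timestamp after the cutoff, all three strings."""
    ts = pe_timestamp(data)
    if ts is None:
        return False
    return ts > CUTOFF and all(p in data for p in (SERIAL, CA, SUBJECT))


def fake_pe(timestamp: int, signed: bool = True) -> bytes:
    """Constructed minimal PE-shaped buffer for exercising the check; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> COFF header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, timestamp) + bytes(12)
    cert_bytes = SERIAL + CA + SUBJECT if signed else b""
    return bytes(dos) + coff + cert_bytes


if __name__ == "__main__":
    print(matches(fake_pe(1672531200)))   # 2023-01-01 -> True
    print(matches(fake_pe(1640995200)))   # 2022-01-01 -> False, before the cutoff
```

A production check should parse the Authenticode certificate table rather than scan for raw bytes, and a compile timestamp can be forged, which is why a timestamp-gated string match is a hunting lead rather than a conviction.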


[https://github.com/Neo23x0/signature-base/commit/12c952834932a30e9a6d07ee1a2ddb729a82f21e](https://github.com/Neo23x0/signature-base/commit/12c952834932a30e9a6d07ee1a2ddb729a82f21e)