Yara Rule - YARA rule to detect RSHELL of APT27

YARA definition.

```yara
// Rule name is not reproduced on the page; the placeholder below stands in for it.
// The authoritative rule is in the linked signature-base commit.
rule RULE_NAME_PLACEHOLDER
{
   meta:
      author = "Bundesamt fuer Verfassungsschutz, modified by Florian Roth"
      reference = "https://x.com/bfv_bund/status/1811364839656185985?s"
      sharing = "TLP:WHITE"
      source = "BUNDESAMT FUER VERFASSUNGSSCHUTZ"
      category = "MALWARE"
      malware = "RSHELL / SYSUPDATE"
      date = "2024-07-11"
      hash1 = "0433edfad648e1e29be54101abaded690302dc7e49ad916cfbbddf99b3ade12c"
      hash2 = "10bb89fdf25c88d3c5623e8d68573124c9a42549750014e3675e2ca342aeba4a"
      hash3 = "2603e1f61363451891c97b0c4ce8acfbfb680d3df4282f9d151ecce3a5679616"
      hash4 = "70dac42491f8f19568a5d7b1d10b29f732a88d75e7f2bfa07b23202bacadf56f"
      hash5 = "b988a6583ce40f07e5fc8e890ae2b1c84a93db8a2e3ca8769241b94bea332a7a"
      hash6 = "c4fe1e56f601d411e2385352606524fb8bbf773bc2ba14889a8de605c2d14da0"
      hash7 = "c787144d285fcca8a542f7a5525a37bcd089b39068b9a4db7fe3554ee6c08301"
      hash8 = "ddaa4d23e4651a517fffbd29f0924607ba6b6253171144da5e49237afe91666b"
   strings:
      // GUID-style format string used when the implant builds its identifier
      $a1 = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%" ascii
      $a2 = "/proc/self/exe" ascii
      $s1 = "HISTFILE" ascii fullword
      $s2 = "/tmp/guid" ascii fullword
      // Opcode sequences from the sample's code
      $sop1 = { e8 ?? ?? ?? ?? c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? }
      $sop2 = { c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? f7 d8 }
   condition:
      (
         uint32be(0) == 0x7f454c46 // Linux
         or ( uint32be(0) == 0xcafebabe and uint32be(4) < 0x20 ) // Universal mach-O App with dont-match-java-class-file hack
         or uint32(0) == 0xfeedface // 32-bit mach-O
         or uint32(0) == 0xfeedfacf // 64-bit mach-O
      )
      // The string-match clause is not reproduced on the page; "2 of them" is an
      // assumed placeholder so the rule compiles. Take the real clause from the linked commit.
      and 2 of them
}
```
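To see what the condition's header tests actually select, here is an added example (not part of the original post, the BfV rule, or signature-base) that re-implements the `uint32be`/`uint32` checks and the four `ascii` strings in plain Python and runs them over constructed sample headers. It shows why the `uint32be(4) < 0x20` clause keeps the `0xcafebabe` test from matching Java class files (offset 4 there is `minor_version`/`major_version`, so it reads as 52 or more, while a fat Mach-O stores `nfat_arch`, a small count) and how `fullword` restricts a match. The sample bytes, the function names and the label strings are all constructed for this example.

```python
"""Pure-Python mirror of the header and string tests in the rule above.

Constructed sample inputs only; nothing here is real malware.
"""
import re

# Magic values exactly as the rule reads them: ELF and the fat Mach-O header
# are read big-endian (uint32be), thin Mach-O magics little-endian (uint32).
ELF_MAGIC_BE = 0x7F454C46     # bytes 7f 45 4c 46 == b"\x7fELF"
FAT_MAGIC_BE = 0xCAFEBABE     # Mach-O universal ("fat") header, also Java class files
MH_MAGIC_LE = 0xFEEDFACE      # 32-bit Mach-O as stored on disk: ce fa ed fe
MH_MAGIC_64_LE = 0xFEEDFACF   # 64-bit Mach-O as stored on disk: cf fa ed fe


def uint32be(data: bytes, offset: int) -> int:
    """YARA's uint32be(offset): big-endian 32-bit read."""
    return int.from_bytes(data[offset:offset + 4], "big")


def uint32(data: bytes, offset: int) -> int:
    """YARA's uint32(offset): little-endian 32-bit read."""
    return int.from_bytes(data[offset:offset + 4], "little")


def classify_header(data: bytes):
    """Return which branch of the rule's header clause matches, or None.

    YARA evaluates an out-of-range uint32 read as undefined (false), so
    anything shorter than 8 bytes cannot satisfy the clause.
    """
    if len(data) < 8:
        return None
    if uint32be(data, 0) == ELF_MAGIC_BE:
        return "elf"
    # 0xcafebabe alone would also hit every Java .class file; those carry
    # minor_version (2 bytes) and major_version (2 bytes) at offset 4, which
    # read as a big-endian uint32 is >= 45 (JDK 1.1), never below 0x20.
    # A fat Mach-O stores nfat_arch there, a small architecture count.
    if uint32be(data, 0) == FAT_MAGIC_BE and uint32be(data, 4) < 0x20:
        return "mach-o fat"
    if uint32(data, 0) == MH_MAGIC_LE:
        return "mach-o 32"
    if uint32(data, 0) == MH_MAGIC_64_LE:
        return "mach-o 64"
    return None


def header_matches(data: bytes) -> bool:
    """The rule's whole header clause as a single boolean."""
    return classify_header(data) is not None


# The rule's four ascii strings, with their fullword modifier.
RULE_STRINGS = {
    "$a1": ("%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%", False),
    "$a2": ("/proc/self/exe", False),
    "$s1": ("HISTFILE", True),
    "$s2": ("/tmp/guid", True),
}


def matched_strings(data: bytes) -> set:
    """Return the names of the rule's ascii strings present in data.

    YARA's `fullword` requires the match to be delimited by non-alphanumeric
    characters (or the buffer edge), which is what the look-arounds enforce.
    """
    found = set()
    for name, (text, fullword) in RULE_STRINGS.items():
        pattern = re.escape(text.encode())
        if fullword:
            pattern = rb"(?<![A-Za-z0-9])" + pattern + rb"(?![A-Za-z0-9])"
        if re.search(pattern, data):
            found.add(name)
    return found


# Constructed sample headers (first 8 bytes of each file type).
SAMPLES = {
    "elf64":       b"\x7fELF\x02\x01\x01\x00",
    "fat_macho":   b"\xca\xfe\xba\xbe\x00\x00\x00\x02",   # nfat_arch = 2
    "java_class":  b"\xca\xfe\xba\xbe\x00\x00\x00\x34",   # minor 0, major 52
    "macho64":     b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",   # CPU_TYPE_X86_64
    "pe":          b"MZ\x90\x00\x03\x00\x00\x00",
    "truncated":   b"\x7fEL",
}


def run_samples() -> dict:
    """Classify every constructed sample; used by the demo below."""
    return {name: classify_header(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in run_samples().items():
        print(f"{name:<11} -> {label}")
    print(matched_strings(b"export HISTFILE=/dev/null; cat /tmp/guid\x00"))
```

Only the ELF, fat Mach-O and thin Mach-O samples classify; the Java class file, the PE stub and the truncated buffer do not. `HISTFILES` or `MYHISTFILE` would not satisfy `$s1` because of `fullword`, whereas `HISTFILE=` does.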


[https://github.com/Neo23x0/signature-base/commit/2ccd5f772b3f626a0130dd562f1ae68602dcade0](https://github.com/Neo23x0/signature-base/commit/2ccd5f772b3f626a0130dd562f1ae68602dcade0)