Yara Rule - 라우터의 카마로드래곤의 Horseshell 임플란트를 감지
Yara 정의.
Yara Rule - Detects CamaroDragon’s HorseShell implant for routers
Yara definition.
Author: Florian Roth
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/
date = "2023-10-06"
score = 85
hash1 = "7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a"
$x1 = "-h server_ip -p server_port -i update_index[0-4] [-r]" ascii fullword
$s1 = "read_ip" ascii fullword
$s2 = "open fail.%m" ascii fullword
$s3 = "ri:h:p:" ascii fullword /* flags */
$s4 = "update server list success!" ascii fullword
uint16(0) == 0x457f and
date = "2023-10-06"
score = 85
hash1 = "998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c"
$x1 = "echo \"start shell '%s' failed!\" > .remote_shell.log" ascii fullword
$x2 = "*****recv NET_REQ_HORSE_SHELL REQ_CONNECT_PORT*****" ascii fullword
$s1 = "m.cremessage.com" ascii fullword
$s2 = "POST http://%s/index.php HTTP/1.1" ascii fullword
$s3 = "wzsw_encrypt_buf" ascii fullword
$s4 = "body:%d-%s" ascii fullword
$s5 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident" ascii fullword /* String occurs 1 times in goodware */
$s6 = "process_http_read_events" ascii fullword
$op1 = { c4 34 42 00 02 30 63 00 40 10 60 00 09 ae 62 00 48 8e 62 00 cc }
$op2 = { 27 f4 8c 46 27 f0 03 20 f8 09 00 60 28 21 }
uint16(0) == 0x457f and```
[https://github.com/Neo23x0/signature-base/commit/cb7535cf02789bbffba8d5a10ceeb8887e1ed8c2](https://github.com/Neo23x0/signature-base/commit/cb7535cf02789bbffba8d5a10ceeb8887e1ed8c2)