Yara Rule - Detects malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709
Yara definition.
Author: Florian Roth
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
```
date = "2024-02-23"
score = 75
$x02 = ".msi c:\\mpyutd.msi"
$x03 = "/MyUserName_$env:UserName"
$x04 = " -OutFile C:\\Windows\\Help\\"
$x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
$x06 = "$e = $r + \"ssh.exe\""
$x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
$x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
$x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
$x10 = "9595; iwr -UseBasicParsing "
$x11 = "curl https://cmctt.]com/pub/media/wysiwyg/"
$x12 = ":8080/servicetest2.dll"
$x13 = "/msappdata.msi c:\\mpyutd.msi"
$x14 = "/svchost.exe -OutFile "
$x15 = "curl http://minish.wiki.gd"
$x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
$x17 = "rundll32.exe' -Headers @"
$x18 = "/nssm.exe' -Headers @"
$x19 = "c:\\programdata\\update.dat UpdateSystem"
$x20 = "::size -eq 4){\\\"TVqQAA" ascii wide
$x21 = "::size -eq 4){\"TVqQAA" ascii wide
$x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"
$xp0 = "/add default test@2021! /domain"
$xp1 = "/add default1 test@2021! /domain"
$xp2 = "oldadmin Pass8080!!"
$xp3 = "temp 123123qwE /add "
$xp4 = "oldadmin \"Pass8080!!\""
$xp5 = "nssm set xmrig AppDirectory "

date = "2024-02-23"
score = 75
$sa1 = " | iex"
$sa2 = "iwr -UseBasicParsing "

date = "2024-02-23"
score = 70
$x1 = ".DownloadString('https://transfer.sh"
$x2 = ".DownloadString(\"https://transfer.sh"
$x3 = "Invoke-WebRequest -Uri 'https://transfer.sh"
$x4 = "Invoke-WebRequest -Uri \"https://transfer.sh"

date = "2024-02-23"
score = 75
$x1 = ">>>> Your personal DECRYPTION ID:"

date = "2024-02-23"
score = 75
$x1 = "All Encrypted files can be reversed to original form and become usable"

date = "2024-02-23"
score = 75
hash1 = "37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b"
hash2 = "e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793"
$s1 = "Wisdom Promise Security Technology Co." ascii
$s2 = "Globalsign TSA for CodeSign1" ascii
$s3 = { 5D AC 0B 6C 02 5A 4B 21 89 4B A3 C2 }
uint16(0) == 0x5a4d

date = "2024-02-23"
score = 75
hash1 = "0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe"
$s1 = "Dll_x86.dll" ascii fullword
uint16(0) == 0x5a4d
pe.imphash() == "0dc05c4c21a86d29f1c3bf9cc5b712e0"

date = "2024-02-23"
score = 75
hash1 = "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
$op1 = { 76 c1 95 8b 18 00 93 56 bf 2b 88 71 4c 34 af b1 a5 e9 77 46 c3 13 }
$op2 = { e0 02 10 f7 ac 75 0e 18 1b c2 c1 98 ac 46 }
$op3 = { 8b c6 ab 53 ff 15 e4 57 42 00 ff 45 fc eb 92 ff 75 f8 ff 15 f4 57 42 00 }
uint16(0) == 0x5a4d
pe.imphash() == "914685b69f2ac2ff61b6b0f1883a054d"

date = "2024-02-23"
score = 70
hash1 = "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600"
$s1 = "crypt64ult.exe" ascii fullword
$s2 = "EXPAND.EXE" wide fullword
$s6 = "ICACLS.EXE" wide fullword
uint16(0) == 0xcfd0

date = "2024-02-23"
score = 75
hash1 = "6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090"
hash2 = "b0adf3d58fa354dbaac6a2047b6e30bc07a5460f71db5f5975ba7b96de986243"
hash3 = "c0f7970bed203a5f8b2eca8929b4e80ba5c3276206da38c4e0a4445f648f3cec"
$s1 = "Driver.dll" wide fullword
$s2 = "X l.dlT" ascii fullword
$s3 = "$928c7481-dd27-8e23-f829-4819aefc728c" ascii fullword
uint16(0) == 0x5a4d
```
[https://github.com/Neo23x0/signature-base/commit/cce28f1b681b37420b950d8813b949c8e00baaf6](https://github.com/Neo23x0/signature-base/commit/cce28f1b681b37420b950d8813b949c8e00baaf6)