Matt Suiche msuiche

YARA Security Signatures

This repository contains YARA rules for detecting potentially dangerous patterns in code and configuration files.

Those files have been generated from the information shared in the following blogposts: Suspicious files that may be related to the latest UNC4899 hack of Safe/ByBit

	rule TrueBot_Domains_IOC {
	meta:
	date = "2023-07-08"
	description = "Hunts for memory IOCs TRUEBOT."
	author = "Matt Suiche - Magnet Forensics"
	reference1 = "https://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar"
	reference2 = "https://www.ic3.gov/Media/News/2023/230707.pdf"
	verdict = "dangerous"
	mitre = "T1082"
	platform = "windows"

	rule MOVEit_Transfer_exploit_webshell_memory {
	meta:
	date = "2023-06-15"
	description = "Hunts for memory IOCs MOVEit Transfer exploitation."
	author = "Matt Suiche - Magnet Forensics"
	reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"
	reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"
	reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"
	reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara"
	verdict = "dangerous"

	/*
	Hunting Russian Intelligence “Snake” Malware

	The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
	Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
	targets.
	*/

	rule Windows_Snake_Malware {
	meta:

	##
	## A good excuse to learn LINQ in WinDbg.
	## Author: Matt Suiche (@msuiche) - 18-Jan-2019
	##
	## References:
	## Extracting Forensic Script Content from PowerShell Process Dumps (Lee Holmes) - 17 Jan 2019
	## http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
	## Extracting Activity History from PowerShell Process Dumps (Lee Holmes) - 4 Jan 2019
	## https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/
	##

	#include <windows.h>
	#include <stdio.h>
	#include <stdlib.h>

	//
	// The mysterious command (0x2E214B44) results in the first 10 sectors being wiped out.Or if the original replaceBootSectors() function fails.
	//

	// 0x2E214B44 ??? => Mysterious process. Name very close to AVP.exe
	// Source of below hashes: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

	//------------------------------------------------
	//--- 010 Editor v7.0 Binary Template
	//
	// File:
	// Authors:
	// Version:
	// Purpose:
	// Category:
	// File Mask:
	// ID Bytes:

	/*
	# 010 Template for t.wnry

	typedef struct {
	char Signature[8]; // WANACRY!
	uint32 Part1Size; // Always 0x100
	char DataPart1[Part1Size];
	uint32 Part2Signature;
	uint64 Part2Size;
	char DataPart2[Part2Size];

	// https://twitter.com/msuiche

	int threadMain()
	{
	unsigned int i; // edi@1
	_DWORD *v1; // eax@2
	void *v2; // esi@7
	char v4; // [sp+13h] [bp-2Dh]@0
	char v5; // [sp+14h] [bp-2Ch]@1
	void *Memory; // [sp+18h] [bp-28h]@1

	Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description

	kd> dps srv!SrvTransaction2DispatchTable
	91463530 9148b56f srv!SrvSmbOpen2
	91463534 91485fe4 srv!SrvSmbFindFirst2
	91463538 9148606d srv!SrvSmbFindNext2
	9146353c 91488a89 srv!SrvSmbQueryFsInformation
	91463540 914892f3 srv!SrvSmbSetFsInformation
	91463544 9147ff65 srv!SrvSmbQueryPathInformation
	91463548 91480c74 srv!SrvSmbSetPathInformation