diff --git a/.yara-ci.yml b/.yara-ci.yml
index edd784f5..5433d0d9 100644
--- a/.yara-ci.yml
+++ b/.yara-ci.yml
@@ -10,6 +10,7 @@ false_positives:
 - rule: "shellcode_stack_strings"
 - rule: "shellcode_get_eip"
 - rule: "shellcode_peb_parsing"
+ - rule: "shellcode_patterns"
 - rule: "lsadump"
 - rule: "UPX"
- - rule: "INDICATOR_EXE_Packed_Dotfuscator"
+ - rule: "INDICATOR_EXE_Packed_Dotfuscator"
\ No newline at end of file
diff --git a/data/yara/binaries/HTML_PhishingKit.yar b/data/yara/binaries/HTML_PhishingKit.yar
deleted file mode 100644
index 62cdb1ee..00000000
--- a/data/yara/binaries/HTML_PhishingKit.yar
+++ /dev/null
@@ -1,73 +0,0 @@ -/* - YARA Rule Set for HTML phishing - Author: Yasin Tas, Eye Security - Date: 2023-04-05 - Identifier: Phish:HTML/Gen.*!html - Reference: Personal Research, Florian Roth yarGen -*/ - -rule CAPEHTML_Phish_1 { - meta: - description = "YARA detection for HTMLPhisher_2023" - author = "Yasin Tas, Eye Security" - reference = "Personal Research, Florian Roth yarGen" - date = "2023-04-05" - - strings: - $s1 = "74%20%32%73%20%69%6E%66%69%6E%69%74%65%7D%2E%70%72%6F%67%72%65%73%73%3E%64%69%76%3A%6E%74%68%2D%63%68%69%6C%64%28%31%29%7B%2D%77" ascii /* hex encoded string 't 2s infinite}.progress>div:nth-child(1){-w' */ - $s2 = "31%70%78%20%73%6F%6C%69%64%20%23%30%30%37%38%64%37%3B%62%6F%72%64%65%72%2D%74%6F%70%2D%77%69%64%74%68%3A%30%3B%62%6F%72%64%65%72" ascii /* hex encoded string '1px solid #0078d7;border-top-width:0;border' */ - $s3 = "72%6F%75%70%7B%66%6F%6E%74%2D%77%65%69%67%68%74%3A%37%30%30%7D%74%61%62%6C%65%7B%62%6F%72%64%65%72%2D%63%6F%6C%6C%61%70%73%65%3A" ascii /* hex encoded string 'roup{font-weight:700}table{border-collapse:' */ - $s4 = "73%20%73%68%6F%77%2D%66%72%6F%6D%2D%72%69%67%68%74%7B%66%72%6F%6D%7B%6C%65%66%74%3A%32%30%30%70%78%3B%6F%70%61%63%69%74%79%3A%30" ascii /* hex encoded string 's show-from-right{from{left:200px;opacity:0' */ - $s5 = "63%6F%6C%6F%72%3A%23%62%33%62%33%62%33%3B%62%61%63%6B%67%72%6F%75%6E%64%2D%63%6F%6C%6F%72%3A%72%67%62%61%28%30%2C%30%2C%30%2C%2E" ascii /* hex encoded string 'color:#b3b3b3;background-color:rgba(0,0,0,.' 
*/ - $s6 = "65%2C%2E%69%6E%70%75%74%2D%67%72%6F%75%70%2D%62%74%6E%3A%6C%61%73%74%2D%63%68%69%6C%64%3E%2E%62%74%6E%2D%67%72%6F%75%70%3A%6E%6F" ascii /* hex encoded string 'e,.input-group-btn:last-child>.btn-group:no' */ - $s7 = "3A%35%70%78%3B%77%69%64%74%68%3A%35%70%78%3B%62%61%63%6B%67%72%6F%75%6E%64%2D%63%6F%6C%6F%72%3A%23%30%30%36%37%62%38%3B%7A%2D%69" ascii /* hex encoded string ':5px;width:5px;background-color:#0067b8;z-i' */ - $s8 = "7B%61%6E%69%6D%61%74%69%6F%6E%2D%64%75%72%61%74%69%6F%6E%3A%2E%32%35%73%3B%2D%77%65%62%6B%69%74%2D%61%6E%69%6D%61%74%69%6F%6E%2D" ascii /* hex encoded string '{animation-duration:.25s;-webkit-animation-' */ - $s9 = "31%2E%37%35%72%65%6D%3B%70%61%64%64%69%6E%67%2D%62%6F%74%74%6F%6D%3A%32%2E%33%36%70%78%3B%70%61%64%64%69%6E%67%2D%74%6F%70%3A%32" ascii /* hex encoded string '1.75rem;padding-bottom:2.36px;padding-top:2' */ - $s10 = "2E%31%36%36%36%37%25%7D%2E%63%6F%6C%2D%6D%64%2D%70%75%73%68%2D%31%34%7B%6C%65%66%74%3A%35%38%2E%33%33%33%33%33%25%7D%2E%63%6F%6C" ascii /* hex encoded string '.16667%}.col-md-push-14{left:58.33333%}.col' */ - $s11 = "65%66%74%3A%35%30%25%7D%2E%63%6F%6C%2D%6C%67%2D%6F%66%66%73%65%74%2D%31%33%7B%6D%61%72%67%69%6E%2D%6C%65%66%74%3A%35%34%2E%31%36" ascii /* hex encoded string 'eft:50%}.col-lg-offset-13{margin-left:54.16' */ - $s12 = "66%66%73%65%74%3A%2D%32%70%78%3B%6F%75%74%6C%69%6E%65%3A%35%70%78%20%61%75%74%6F%20%2D%77%65%62%6B%69%74%2D%66%6F%63%75%73%2D%72" ascii /* hex encoded string 'ffset:-2px;outline:5px auto -webkit-focus-r' */ - $s13 = "69%63%61%6C%2D%61%6C%69%67%6E%3A%6D%69%64%64%6C%65%7D%2E%64%69%61%6C%6F%67%2D%6F%75%74%65%72%20%2E%64%69%61%6C%6F%67%2D%6D%69%64" ascii /* hex encoded string 'ical-align:middle}.dialog-outer .dialog-mid' */ - $s14 = "70%61%63%69%74%79%3A%30%7D%7D%40%2D%6D%6F%7A%2D%6B%65%79%66%72%61%6D%65%73%20%70%72%6F%67%72%65%73%73%44%6F%74%7B%30%25%2C%32%30" ascii /* hex encoded string 'pacity:0}}@-moz-keyframes progressDot{0%,20' */ - $s15 = 
"6E%61%6D%65%3A%68%69%64%65%2D%74%6F%2D%72%69%67%68%74%7D%68%74%6D%6C%5B%64%69%72%3D%6C%74%72%5D%20%2E%61%6E%69%6D%61%74%65%2E%73" ascii /* hex encoded string 'name:hide-to-right}html[dir=ltr] .animate.s' */ - $s16 = "2D%77%65%62%6B%69%74%2D%70%6C%61%63%65%68%6F%6C%64%65%72%2C%69%6E%70%75%74%5B%74%79%70%65%3D%63%6F%6C%6F%72%5D%3A%3A%2D%77%65%62" ascii /* hex encoded string '-webkit-placeholder,input[type=color]::-web' */ - $s17 = "33%70%78%20%32%30%70%78%3B%66%6F%6E%74%2D%73%69%7A%65%3A%31%32%70%78%3B%6C%69%6E%65%2D%68%65%69%67%68%74%3A%31%2E%34%32%38%35%37" ascii /* hex encoded string '3px 20px;font-size:12px;line-height:1.42857' */ - $s18 = "3B%2D%77%65%62%6B%69%74%2D%62%6F%78%2D%73%68%61%64%6F%77%3A%30%20%32%70%78%20%36%70%78%20%72%67%62%61%28%30%2C%30%2C%30%2C%2E%32" ascii /* hex encoded string ';-webkit-box-shadow:0 2px 6px rgba(0,0,0,.2' */ - $s19 = "33%33%33%25%7D%2E%63%6F%6C%2D%6C%67%2D%70%75%73%68%2D%31%35%7B%6C%65%66%74%3A%36%32%2E%35%25%7D%2E%63%6F%6C%2D%6C%67%2D%70%75%73" ascii /* hex encoded string '333%}.col-lg-push-15{left:62.5%}.col-lg-pus' */ - $s20 = "74%69%74%6C%65%2E%74%65%78%74%2D%6D%61%78%6C%69%6E%65%73%2D%34%7B%6D%61%78%2D%68%65%69%67%68%74%3A%38%30%2E%34%35%70%78%3B%6D%61" ascii /* hex encoded string 'title.text-maxlines-4{max-height:80.45px;ma' */ - condition: - ( uint16(0) == 0x733c and filesize < 1000KB and ( 8 of them ) - ) or ( all of them ) -} - -rule CAPEHTML_Phish_2 { - meta: - description = "YARA detection for HTMLPhisher_2023" - author = "Yasin Tas, Eye Security" - reference = "Personal Research, Florian Roth yarGen" - date = "2023-04-05" - - strings: - $s1 = "30%25%32%30%25%32%30%25%37%64%25%30%64%25%30%61%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30" ascii /* hex encoded string '0%20%20%7d%0d%0a%0d%0a%20%20%20%20%20%20%20' */ - $s2 = "32%30%25%37%33%25%37%32%25%36%33%25%33%64%25%32%32%25%36%38%25%37%34%25%37%34%25%37%30%25%37%33%25%33%61%25%32%66%25%32%66%25%36" ascii /* hex encoded string 
'20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%6' */ - $s3 = "25%32%30%25%32%30%25%32%30%25%32%30%25%32%65%25%36%32%25%37%34%25%36%65%25%32%64%25%36%66%25%37%35%25%37%34%25%36%63%25%36%39%25" ascii /* hex encoded string '%20%20%20%20%2e%62%74%6e%2d%6f%75%74%6c%69%' */ - $s4 = "32%64%25%36%37%25%37%32%25%36%66%25%37%35%25%37%30%25%32%64%25%36%39%25%37%34%25%36%35%25%36%64%25%32%64%25%37%33%25%37%35%25%36" ascii /* hex encoded string '2d%67%72%6f%75%70%2d%69%74%65%6d%2d%73%75%6' */ - $s5 = "36%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%36%63%25%36%37%25%32%64%25%36%33%25%36%35%25%36%65%25%37" ascii /* hex encoded string '63%6f%6e%74%65%6e%74%2d%6c%67%2d%63%65%6e%7' */ - $s6 = "25%32%30%25%32%30%25%37%36%25%36%39%25%37%33%25%36%39%25%36%32%25%36%39%25%36%63%25%36%39%25%37%34%25%37%39%25%33%61%25%32%30%25" ascii /* hex encoded string '%20%20%76%69%73%69%62%69%6c%69%74%79%3a%20%' */ - $s7 = "25%37%30%25%32%64%25%37%34%25%36%35%25%37%38%25%37%34%25%32%62%25%32%65%25%36%39%25%36%65%25%37%30%25%37%35%25%37%34%25%32%64%25" ascii /* hex encoded string '%70%2d%74%65%78%74%2b%2e%69%6e%70%75%74%2d%' */ - $s8 = "36%39%25%36%37%25%36%65%25%32%64%25%37%33%25%36%35%25%36%63%25%36%36%25%32%64%25%37%33%25%36%64%25%32%64%25%36%35%25%36%65%25%36" ascii /* hex encoded string '69%67%6e%2d%73%65%6c%66%2d%73%6d%2d%65%6e%6' */ - $s9 = "66%25%36%39%25%36%65%25%37%34%25%32%64%25%36%63%25%36%37%25%33%61%25%32%30%25%33%39%25%33%39%25%33%32%25%37%30%25%37%38%25%33%62" ascii /* hex encoded string 'f%69%6e%74%2d%6c%67%3a%20%39%39%32%70%78%3b' */ - $s10 = "32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%64%25%36%64%25%36" ascii /* hex encoded string '20%20%20%20%20%20%20%20%20%20%20%20%2d%6d%6' */ - $s11 = "37%36%25%33%65%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32" ascii /* hex encoded string '76%3e%0d%0a%20%20%20%20%20%20%20%20%20%20%2' */ - 
$s12 = "65%25%33%36%25%33%36%25%33%36%25%33%36%25%33%36%25%33%37%25%32%35%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30" ascii /* hex encoded string 'e%36%36%36%36%36%37%25%0d%0a%20%20%20%20%20' */ - $s13 = "25%36%35%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%34%25%36%35%25" ascii /* hex encoded string '%65%3b%0d%0a%20%20%20%20%20%20%20%20%74%65%' */ - $s14 = "36%31%25%36%63%25%32%64%25%36%37%25%37%32%25%36%66%25%37%35%25%37%30%25%33%61%25%32%30%25%33%30%25%33%62%25%30%64%25%30%61%25%32" ascii /* hex encoded string '61%6c%2d%67%72%6f%75%70%3a%20%30%3b%0d%0a%2' */ - $s15 = "30%25%32%30%25%32%30%25%32%30%25%32%65%25%36%66%25%36%36%25%36%36%25%37%33%25%36%35%25%37%34%25%32%64%25%37%33%25%36%64%25%32%64" ascii /* hex encoded string '0%20%20%20%2e%6f%66%66%73%65%74%2d%73%6d%2d' */ - $s16 = "32%25%36%37%25%36%39%25%36%65%25%33%61%25%32%30%25%33%33%25%37%32%25%36%35%25%36%64%25%32%30%25%32%31%25%36%39%25%36%64%25%37%30" ascii /* hex encoded string '2%67%69%6e%3a%20%33%72%65%6d%20%21%69%6d%70' */ - $s17 = "25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%61%25%32%64%25%36%39%25%36%65%25%36%34%25%36%35%25" ascii /* hex encoded string '%20%20%20%20%20%20%20%20%7a%2d%69%6e%64%65%' */ - $s18 = "25%36%39%25%36%65%25%32%64%25%37%37%25%36%39%25%36%34%25%37%34%25%36%38%25%33%61%25%33%39%25%33%39%25%33%32%25%37%30%25%37%38%25" ascii /* hex encoded string '%69%6e%2d%77%69%64%74%68%3a%39%39%32%70%78%' */ - $s19 = "25%36%35%25%36%65%25%37%34%25%36%35%25%37%32%25%32%30%25%37%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25" ascii /* hex encoded string '%65%6e%74%65%72%20%7b%0d%0a%20%20%20%20%20%' */ - $s20 = "25%32%30%25%32%33%25%36%36%25%33%38%25%36%36%25%33%39%25%36%36%25%36%31%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25" ascii /* hex encoded string '%20%23%66%38%66%39%66%61%3b%0d%0a%20%20%20%' */ - condition: - ( uint16(0) == 0x733c and 
filesize < 7000KB and ( 8 of them )
- ) or ( all of them )
-}
\ No newline at end of file
diff --git a/data/yara/binaries/OneNote_BuildPath.yar b/data/yara/binaries/OneNote_BuildPath.yar
deleted file mode 100644
index d83f3c38..00000000
--- a/data/yara/binaries/OneNote_BuildPath.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule OneNote_BuildPath
-{
- meta:
- id = "6lPn0V5wZyc2iuEz13uKAZ"
- fingerprint = "f8ed9e3cdd5411e2bda7495c8b00b8e69e8f495db97cf542f6a1f3b790bef7a5"
- version = "1.0"
- first_imported = "2023-02-02"
- last_modified = "2023-02-23"
- status = "RELEASED"
- sharing = "TLP:WHITE"
- source = "BARTBLAZE"
- author = "@bartblaze"
- description = "Identifies malicious OneNote file by build path."
- category = "MALWARE"
-
-strings:
- //Z:\build\one\attachment.hta
- $path_0 = {5a003a005c006200750069006c0064005c006f006e0065005c006100740074006100630068006d0065006e0074002e00680074006100}
- //Z:\builder\O P E N.wsf
- $path_1 = {5a003a005c006200750069006c006400650072005c004f00200050002000450020004e002e00770073006600}
-condition:
- filesize <200KB and any of them
-}
\ No newline at end of file
diff --git a/modules/signatures/credential_access_phishingkit.py b/modules/signatures/credential_access_phishingkit.py
index 12c3d423..9928320f 100644
--- a/modules/signatures/credential_access_phishingkit.py
+++ b/modules/signatures/credential_access_phishingkit.py
@@ -31,6 +31,11 @@ class HTMLPhisher_0(Signature):
 confidence = 100
 categories = ["credential_access","evasion","infostealer","phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1111", "T1193", "T1140"] # MITRE v6
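Review bot: The `references` list added to HTMLPhisher_0 is missing a comma after the socradar entry, so implicit string concatenation folds the last two literals into one bogus URL (`https://socradar.io/what-is-a-phishing-kit/https://github.com/SteveD3/kit_hunter/tree/master/tag_files`) and the list silently holds two elements instead of three. The line should read `"https://socradar.io/what-is-a-phishing-kit/",`, ideally with a trailing comma on the last entry as well so the shape stays uniform. The same copy-pasted block carries the same defect in the HTMLPhisher_1 hunk and in every `references` hunk of suspicious_html.py (htmlBody, htmlTitle, suspiciousHTMLname, JSAtob, URLDecode, jsUnescape). Each class definition starts before its hunk, so only the attribute block is visible here.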
@@ -73,6 +78,11 @@ class HTMLPhisher_1(Signature):
 confidence = 100
 categories = ["credential_access","evasion","infostealer","phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1111", "T1193", "T1140"] # MITRE v6
@@ -109,5 +119,4 @@ def run(self):
 self.data.append({"url": url.group(1)})
 self.data.append({"user": user.group(1)})
 return True
- return False
-
+ return False
\ No newline at end of file
diff --git a/modules/signatures/suspicious_html.py b/modules/signatures/suspicious_html.py
index 16337a06..b71982f3 100644
--- a/modules/signatures/suspicious_html.py
+++ b/modules/signatures/suspicious_html.py
@@ -24,6 +24,12 @@ class htmlBody(Signature):
 confidence = 80
 categories = ["phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
+ references = [""]
 enabled = True
 minimum = "1.2"
 ttps = ["T1566.001"] # MITRE v6,7,8
@@ -37,6 +43,8 @@ def run(self):
 'username',
 'encoded_string',
 'url',
+ 'emails'
+ '// remove email, and put ur mailer code',
 ]
 if self.results["info"]["package"] == "edge" or self.results["info"]["package"] == "html":
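Review bot: In the htmlBody hunk the newly added `references` list is immediately overwritten by the next added line, `references = [""]`, so the class attribute ends up as a single empty string and the three URLs above it are dead code. Delete the `references = [""]` line; if an empty-references placeholder was intended for some other class, it does not belong here. The htmlBody class definition starts before this hunk.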
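Review bot: In htmlBody.run the added indicator `'emails'` has no trailing comma, so it is concatenated with the following literal into the single entry `'emails// remove email, and put ur mailer code'`; neither `emails` nor the mailer-comment marker can match on its own, which weakens the signature without any error. Write the two entries as `'emails',` and `'// remove email, and put ur mailer code',`. The `run` method and the list it is building both start before this hunk, so the list's name and how it is consumed are not visible here.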
@@ -57,6 +65,11 @@ class htmlTitle(Signature):
 confidence = 80
 categories = ["phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1566.001"] # MITRE v6,7,8
@@ -91,6 +104,11 @@ class suspiciousHTMLname(Signature):
 confidence = 80
 categories = ["phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1566.001"] # MITRE v6,7,8
@@ -124,6 +142,11 @@ class JSAtob(Signature):
 confidence = 80
 categories = ["evasion","phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1140"] # MITRE v6
@@ -137,11 +160,6 @@ def run(self):
 strings = self.results["target"]["file"]["strings"]
 data = ''.join(strings)
 if "atob" in str(data):
- times_atob = data.count("atob")
- self.confidence = self.confidence + (times_atob * 5)
- if self.confidence >= 100:
- self.confidence = 100
- self.data.append({f"Found atob {times_atob} times"})
 return True
 return False
@@ -152,6 +170,11 @@ class URLDecode(Signature):
 confidence = 80
 categories = ["evasion","phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1140"] # MITRE v6
@@ -174,6 +197,11 @@ class jsUnescape(Signature):
 confidence = 80
 categories = ["evasion","phishing", "static"]
 authors = ["Yasin Tas", "Eye Security"]
+ references = [
+ "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+ "https://socradar.io/what-is-a-phishing-kit/"
+ "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+ ]
 enabled = True
 minimum = "1.2"
 ttps = ["T1140"] # MITRE v6