yara-rules

Collection of YARA signatures from recent malware research

Ruleset

Dacls Trojan

• Rule: Dacls_Linux.yara
• Rule: Dacls_Windows.yara
• Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/

APT32 KerrDown

• Rule: APT32_KerrDown.yara
• Reference: https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

ACBackdoor - Linux build

• Rule: ACBackdoor_Linux.rule
• Reference: Intezer

Unnamed Linux Golang Ransomware

• Rule: Linux_Golang_Ransomware.rule
• Reference: Fortinet Blog

KPOT v2

• Rule: KPOT_v2.yara
• Reference: (ProofPoint Threat Insight)[https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal]

WatchBog Linux botnet

• Rule: WatchBog_Linux.yara
• References:
  • https://twitter.com/polarply/status/1153232987762376704
  • https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798

EvilGnome Linux malware

• Rule: EvilGnome_Linux.yara
• Reference: Intezer

APT34 PICKPOCKET

• Rule: APT34_PICKPOCKET.yara
• Reference: FireEye Threat Reseearch

APT34 LONGWATCH

• Rule: APT34_LONGWATCH.yara
• Reference: FireEye Threat Reseearch

APT34 VALUEVAULT

• Rule: APT34_VALUEVAULT.yara
• Reference: FireEye Threat Reseearch

RedGhost Linux tool

• Rule: RedGhost_Linux
• Reference: RedGhost Gitub repo

SilentTrinity

• Rule: SilentTrinity_Payload.rule
• Rule: SilentTrinity_Delivery.rule
• Reference: Countercept

DNSpionage

• Rule: DNSpionage.yara
• References: Talos Intelligence, Talos Intelligence #2

TA505 FlowerPippi

• Rule: TA505_FlowerPippi.yara
• Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/

REMCOS RAT

• Rule: REMCOS_RAT_2019.yara
• Reference: https://exchange.xforce.ibmcloud.com/collection/Remcos-Rat-Delivered-via-Email-Campaign-056f98e4fc97bd142337d6b2271aeaa7

GodLua Linux Backdoor

• Rule: godlua_linux.yara
• Reference: https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

APT32 Ratsnif

• Rule: apt32-ratsnif.yara
• Reference: https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

OSX/CrescentCore

• Rule: crescentcore_dmg.yara
• Reference: https://www.intego.com/mac-security-blog/osx-crescentcore-mac-malware-designed-to-evade-antivirus/

side note: when will we all decide to change mac sig names to macOS/? its way past time, imho

WarZone RAT aka Ave Maria Stealer

• Rule: avemaria_warzone.yara
• Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery

Winnti Linux

• Rule: winnti_linux.yara
• Reference: https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a