Update yara/volt_typhoon_cisa.md

2025-01-08 23:34:19 -05:00
parent 4a1efd5abb
commit 07719f8123
1 changed files with 42 additions and 0 deletions
--- a/yara/volt_typhoon_cisa.md
+++ b/yara/volt_typhoon_cisa.md
@ -141,3 +141,45 @@ rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
        filesize<50KB and 4 of them
 }
 ```
+
+```
+rule Volt_Suspicious_IPs
+{
+    meta:
+        description = "Detects known malicious Volt Typhoon IP addresses"
+        author = "Cpl Iverson"
+        date = "2025-01-08"
+
+    strings:
+        $ip1 = "46.10.197.206"
+        $ip2 = "176.102.35.175"
+        $ip3 = "93.62.0.77"
+        $ip4 = "194.50.159.3"
+        $ip5 = "80.64.80.169"
+        $ip6 = "24.212.225.54"
+        $ip7 = "208.97.106.10"
+        $ip8 = "70.60.30.222"
+        $ip9 = "184.67.141.110"
+        $ip10 = "202.22.227.179"
+        $ip11 = "49.204.75.92"
+        $ip12 = "61.2.141.161"
+        $ip13 = "49.204.75.90"
+        $ip14 = "114.143.222.242"
+        $ip15 = "117.211.166.22"
+        $ip16 = "49.204.65.90"
+        $ip17 = "49.204.73.250"
+        $ip18 = "192.149.47.110"
+        $ip19 = "212.11.106.139"
+        $ip20 = "89.203.140.246"
+        $ip21 = "94.125.218.19"
+        $ip22 = "183.82.110.178"
+        $ip23 = "117.239.157.74"
+        $ip24 = "210.212.224.124"
+        $ip25 = "109.166.39.139"
+        $ip26 = "23.227.198.247"
+        $ip27 = "104.161.54.203"
+
+    condition:
+        any of them
+}
+```