From 3aa689ab77bb1b6d2d927830449e4f6722ee9a00 Mon Sep 17 00:00:00 2001 From: junk Date: Thu, 9 Jan 2025 00:04:30 -0500 Subject: [PATCH] Update yara/volt_typhoon_cisa.md --- yara/volt_typhoon_cisa.md | 92 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/yara/volt_typhoon_cisa.md b/yara/volt_typhoon_cisa.md index 0675ebc..b39c093 100644 --- a/yara/volt_typhoon_cisa.md +++ b/yara/volt_typhoon_cisa.md @@ -183,3 +183,95 @@ rule Volt_Suspicious_IPs any of them } ``` + +``` +/* + YARA Rule Set + Author: [Daffi] + Date: [8 Mei 2024] + Identifier: redline + Description: Rules for detecting APT Volt Typhoon. +*/ + +rule volt_typhoon_strings { + strings: + $str1 = "CustomFRPClient" + $str2 = "HACKTOOL_FRPClient" + $str3 = "EncryptJSP" + $str4 = "contact@cyber.gc.ca" + $str5 = "incidents@ncsc.govt.nz" + condition: + any of ($str*) +} + +rule volt_typhoon_hashes { + strings: + $hash1 = "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31" + $hash2 = "d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca" + $hash3 = "d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af" + $hash4 = "e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95" + $hash5 = "7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5" + $hash6 = "fd41134e8ead1c18ccad27c62a260aa6" + $hash7 = "3a97d9b6f17754dcd38ca7fc89caab04" + $hash8 = "b1de37bf229890ac181bdef1ad8ee0c2" + $hash9 = "04423659f175a6878b26ac7d6b6e47c6fd9194d1" + $hash10 = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34" + $hash11 = "ffdb3cc7ab5b01d276d23ac930eb21ffe3202d11" + $hash12 = "edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70" + $hash13 = "eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0" + $hash14 = "99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1" + $hash15 = "433331fe1a3ff11ea362fc772b67da38" + $hash16 = "472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d" + $hash17 = "93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066" + $hash18 = "3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642" + $hash19 = "3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f" + $hash20 = "6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff" + $hash21 = "d17317e1d5716b09cee904b8463a203" + condition: + any of ($hash*) +} +``` + +``` + +rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_1 { + meta: + description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)" + author = "blacklotuslabs (modified by Florian Roth and X__Junior)" + reference = "https://x.com/ryanaraine/status/1828440883315999117" + date = "2024-08-27" + modified = "2024-08-29" + score = 75 + strings: + $sa1 = "com.versa.vnms.ui.TestMain" + $sa2 = "captureLoginPasswordCode" + $sa3 = "com/versa/vnms/ui/services/impl/VersaAuthenticationServiceImpl" + $sa4 = "/tmp/.temp.data" + $sa5 = "getInsertCode" + $sa6 = "VersaMem" + $sa7 = "Versa-Auth" + + $sb1 = "/tmp/.java_pid" + $sb2 = {2f 75 73 72 2f 62 69 6e 2f 70 67 72 65 70 01 00 02 2d 66 01 00 25 6f 72 67 2e 61 70 61 63 68 65 2e 63 61 74 61 6c 69 6e 61 2e 73 74 61 72 74 75 70 2e 42 6f 6f 74 73 74 72 61 70 07} + condition: + filesize < 5MB and ( 3 of them or all of ($sb*) ) +} + + +rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_2 { + meta: + description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)" + author = "Florian Roth" + reference = "https://x.com/craiu/status/1828687700884336990" + date = "2024-08-29" + score = 75 + hash1 = "4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37" + strings: + $x1 = "tomcat_memShell" ascii + $x2 = "versa/vnms/ui/config/" ascii fullword + condition: + uint16(0) == 0x4b50 + and filesize < 3000KB + and 1 of them +} +```