From d2ea3f2deb6c25958b9ffe62e21d4e3d8bf4a2b9 Mon Sep 17 00:00:00 2001
From: junk
Date: Wed, 8 Jan 2025 23:17:50 -0500
Subject: [PATCH] Update yara/volt_typhoon_cisa.md
---
 yara/volt_typhoon_cisa.md | 83 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 81 insertions(+), 2 deletions(-)
diff --git a/yara/volt_typhoon_cisa.md b/yara/volt_typhoon_cisa.md
index a209660..55d915b 100644
--- a/yara/volt_typhoon_cisa.md
+++ b/yara/volt_typhoon_cisa.md
@@ -1,6 +1,7 @@
-
 ```
 rule ShellJSP {
+meta:
+ reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
 strings:
 $s1 = "decrypt(fpath)"
 $s2 = "decrypt(fcontext)"
@@ -15,6 +16,8 @@ filesize < 50KB and 4 of them
 ```
 rule EncryptJSP {
+meta:
+ reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
 strings:
 $s1 = "AEScrypt"
 $s2 = "AES/CBC/PKCS5Padding"
@@ -32,6 +35,7 @@ filesize < 50KB and 6 of them
 ```
 rule CustomFRPClient {
 meta:
+ reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
 description=”Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool”
 strings:
@@ -49,6 +53,7 @@ all of them
 ```
 rule HACKTOOL_FRPClient {
 meta:
+ reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
 description=”Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)”
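Review bot: The `meta:` block added to ShellJSP carries only `reference`, while the rules further down the same file (CustomFRPClient, HACKTOOL_FRPClient and the CrowdStrike rules appended in the last hunk) also carry a `description`; the same applies to the `meta:` block added to EncryptJSP in the next hunk. A one-line description lets an analyst read what a hit means without opening the advisory, so consider adding e.g. `description="<one-line summary taken from AA23-144A>"` under each new `reference` line. The bodies of both rules continue outside the hunk, so the condition they use is not visible here.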
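Review bot: The new `reference` line in CustomFRPClient is inserted directly above a `description` value delimited by typographic quotes (`”…”`, U+201D) rather than ASCII `"`, and YARA's lexer accepts only ASCII double quotes for string values, so the rule still fails to compile after this change; the HACKTOOL_FRPClient block in the following hunk has the same problem. Both description lines are context lines here, but since the commit is already editing these meta blocks, replacing the two curly quotes with `"` on each line would make the added references usable. Both rules continue outside the hunk.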
@@ -61,4 +66,78 @@ $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
 condition:
 3 of them
 }
-```
\ No newline at end of file
+```
+
+```
+rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
+{
+ meta:
+ copyright = "(c) 2023 CrowdStrike Inc."
+ description = "Timewarp Java webshell in malicious Tomcat module"
+ version = "202306131008"
+ last_modified = "2023-06-13"
+ actor = "VANGUARD PANDA"
+ strings:
+ $ = "setKey"
+ $ = "ProcessBuilder"
+ $ = "AES/ECB/PKCS5Padding"
+ $ = "tmp.log"
+ $ = "byteKey"
+ $ = "method0"
+ $ = "failed to read output from process"
+ condition:
+ filesize<50KB and 4 of them
+}
+```
+
+```
+rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
+{
+ meta:
+ copyright = "(c) 2023 CrowdStrike Inc."
+ description = "JAR file containing Timewarp webshell"
+ version = "202306131011"
+ last_modified = "2023-06-13"
+ actor = "VANGUARD PANDA"
+ reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
+ strings:
+ $WsSci = "/WsSci.class"
+ $abc1 = "/A.class"
+ $abc2 = "/B.class"
+ $abc3 = "/C.class"
+ $timewarp1 = "/Timewarp.class"
+ $timewarp2 = "/Timewarp2.class"
+ $timewarp3 = "/Timewarp3.class"
+ condition:
+ uint16(0)==0x4b50 and filesize<1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
+}
+```
+
+```
+rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
+{
+ meta:
+ copyright = "(c) 2023 CrowdStrike Inc."
+ description = "ClassLoader - Java webshell install and execute script"
+ version = "202306131012"
+ last_modified = "2023-06-13"
+ actor = "VANGUARD PANDA"
+ reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
+ strings:
+ $ = ""
+ $ = "customEndpoint1"
+ $ = "move true +"
+ $ = "inject true +"
+ $ = "ListName_jsp"
+ $ = "photohelp_jsp"
+ $ = "photoparse_jsp"
+ $ = "Timewarp.class"
+ $ = "WsSci.class"
+ $ = "/A.class"
+ $ = "srcZipfs.getPath"
+ condition:
+ filesize<50KB and 4 of them
+}
+```
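Review bot: `$ = ""` in CrowdStrike_VANGUARD_PANDA_webshell_installer is an empty text string, which YARA rejects at compile time, so a ruleset built from this file will not load until that line is repaired. The pattern content appears to have been lost in transit rather than intended (the hunk header announces 78 new-side lines but only 76 are visible, so two further lines of the hunk are probably missing as well); restore the strings from the referenced CrowdStrike post instead of deleting the line, since `4 of them` is calibrated against the full set of eleven. For consistency with the other two new rules, CrowdStrike_VANGUARD_PANDA_timewarp_webshell could also carry the same `reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"` line in its meta block.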