junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update yara/volt_typhoon_cisa.md

Browse Source
This commit is contained in:
junk
2025-01-08 23:17:50 -05:00
parent 2bf137184b
commit d2ea3f2deb
1 changed files with 81 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
yara/volt_typhoon_cisa.md
View File

@ -1,6 +1,7 @@
``` ```
rule ShellJSP { rule ShellJSP {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
strings: strings:
$s1 = "decrypt(fpath)" $s1 = "decrypt(fpath)"
$s2 = "decrypt(fcontext)" $s2 = "decrypt(fcontext)"
@ -15,6 +16,8 @@ filesize < 50KB and 4 of them
``` ```
rule EncryptJSP { rule EncryptJSP {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
strings: strings:
$s1 = "AEScrypt" $s1 = "AEScrypt"
$s2 = "AES/CBC/PKCS5Padding" $s2 = "AES/CBC/PKCS5Padding"
@ -32,6 +35,7 @@ filesize < 50KB and 6 of them
``` ```
rule CustomFRPClient { rule CustomFRPClient {
meta: meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
description=”Identify instances of the actor's custom FRP tool based description=”Identify instances of the actor's custom FRP tool based
on unique strings chosen by the actor and included in the tool” on unique strings chosen by the actor and included in the tool”
strings: strings:
@ -49,6 +53,7 @@ all of them
``` ```
rule HACKTOOL_FRPClient { rule HACKTOOL_FRPClient {
meta: meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
description=”Identify instances of FRP tool (Note: This tool is description=”Identify instances of FRP tool (Note: This tool is
known to be used by multiple actors, so hits would not necessarily imply known to be used by multiple actors, so hits would not necessarily imply
activity by the specific actor described in this report)” activity by the specific actor described in this report)”
@ -61,4 +66,78 @@ $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
condition: condition:
3 of them 3 of them
} }
``` ```
```
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "Timewarp Java webshell in malicious Tomcat module"
version = "202306131008"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
strings:
$ = "setKey"
$ = "ProcessBuilder"
$ = "AES/ECB/PKCS5Padding"
$ = "tmp.log"
$ = "byteKey"
$ = "method0"
$ = "failed to read output from process"
condition:
filesize<50KB and 4 of them
}
```
```
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "JAR file containing Timewarp webshell"
version = "202306131011"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
strings:
$WsSci = "/WsSci.class"
$abc1 = "/A.class"
$abc2 = "/B.class"
$abc3 = "/C.class"
$timewarp1 = "/Timewarp.class"
$timewarp2 = "/Timewarp2.class"
$timewarp3 = "/Timewarp3.class"
condition:
uint16(0)==0x4b50 and filesize<1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
}
```
```
rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "ClassLoader - Java webshell install and execute script"
version = "202306131012"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
strings:
$ = ""
$ = "customEndpoint1"
$ = "move true
"
$ = "inject true
"
$ = "ListName_jsp"
$ = "photohelp_jsp"
$ = "photoparse_jsp"
$ = "Timewarp.class"
$ = "WsSci.class"
$ = "/A.class"
$ = "srcZipfs.getPath"
condition:
filesize<50KB and 4 of them
}
```