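```yara
rule ShellJSP
{
    // Java webshell indicators from the CISA/NSA/FBI Volt Typhoon advisory
    // (AA23-144A). The string names suggest a JSP that decrypts a file path,
    // file contents and a command supplied by the operator — confirm against
    // the advisory's sample description. Four of six strings are required so
    // no single generic token ($s6 in particular) can fire the rule alone.
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
    strings:
        $s1 = "decrypt(fpath)"
        $s2 = "decrypt(fcontext)"
        $s3 = "decrypt(commandEnc)"
        $s4 = "upload failed!"
        $s5 = "aes.encrypt(allStr)"
        $s6 = "newid"    // short and generic by itself; only counts toward the threshold
    condition:
        filesize < 50KB and 4 of them
}
```

```yara
rule EncryptJSP
{
    // Companion rule from AA23-144A. Every string here is ordinary Java API
    // text (AES/CBC, SecretKeySpec, ProcessBuilder, BufferedReader, ...), so
    // selectivity comes from the 6-of-8 threshold plus the 50KB cap, not from
    // any one string. Small legitimate JSP/Java sources that both run a process
    // and use AES can hit this; treat a match as a lead, not a verdict.
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize < 50KB and 6 of them
}
```

```yara
rule CustomFRPClient
{
    // Actor-modified build of the open-source FRP (fast reverse proxy) client,
    // per AA23-144A. The page's description meta was delimited with typographic
    // quotes (” ”), which YARA does not accept; rewritten with ASCII quotes.
    // All five strings are required; $s4 is the actor-chosen token that
    // distinguishes this rule from the generic HACKTOOL_FRPClient below.
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "MAGA2024!!!" nocase ascii wide
        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        all of them
}
```

```yara
rule HACKTOOL_FRPClient
{
    // Generic FRP client detection (same strings as CustomFRPClient minus the
    // actor-specific token, 3 of 4 required). Because its strings are a subset
    // of CustomFRPClient's, every CustomFRPClient hit also fires this rule;
    // the reverse is not true. FRP is used by many actors and by legitimate
    // administrators — attribute only with corroborating evidence.
    // Description meta rewritten with ASCII quotes (the page used ” ”).
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        3 of them
}
```

```yara
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
    // Timewarp webshell class (CrowdStrike's VANGUARD PANDA = Volt Typhoon).
    // Anonymous strings ($) are fine here because the condition only counts
    // them; 4 of 7 within 50KB.
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "Timewarp Java webshell in malicious Tomcat module"
        version = "202306131008"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
    strings:
        $ = "setKey"
        $ = "ProcessBuilder"
        $ = "AES/ECB/PKCS5Padding"
        $ = "tmp.log"
        $ = "byteKey"
        $ = "method0"
        $ = "failed to read output from process"
    condition:
        filesize < 50KB and 4 of them
}
```

```yara
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
    // JAR carrying the Timewarp webshell. uint16(0) == 0x4b50 is the little-
    // endian "PK" ZIP local-file-header magic, so only ZIP/JAR containers are
    // considered. Requires the loader class name plus either the full A/B/C
    // class set or the full Timewarp/Timewarp2/Timewarp3 set.
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "JAR file containing Timewarp webshell"
        version = "202306131011"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        $WsSci = "/WsSci.class"
        $abc1 = "/A.class"
        $abc2 = "/B.class"
        $abc3 = "/C.class"
        $timewarp1 = "/Timewarp.class"
        $timewarp2 = "/Timewarp2.class"
        $timewarp3 = "/Timewarp3.class"
    condition:
        uint16(0) == 0x4b50 and filesize < 1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
}
```

```yara
rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
    // Installer/loader script for the Timewarp webshell.
    // The page listed an empty literal ($ = "") as the first string; YARA
    // rejects empty strings at compile time, and the original value is not
    // recoverable from the page (PLACEHOLDER: check the CrowdStrike post).
    // It is dropped here; the 4-of-N threshold is unchanged.
    // "move true " and "inject true " intentionally keep their trailing space.
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "ClassLoader - Java webshell install and execute script"
        version = "202306131012"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        $ = "customEndpoint1"
        $ = "move true "
        $ = "inject true "
        $ = "ListName_jsp"
        $ = "photohelp_jsp"
        $ = "photoparse_jsp"
        $ = "Timewarp.class"
        $ = "WsSci.class"
        $ = "/A.class"
        $ = "srcZipfs.getPath"
    condition:
        filesize < 50KB and 4 of them
}
```

```yara
rule Volt_Suspicious_IPs
{
    // Plain-text IP address indicators. Two caveats for anyone deploying this:
    //  * The page gives no source reference for the list; network IOCs for this
    //    actor are largely compromised SOHO devices and rotate, so verify the
    //    list against a current advisory and expect it to age quickly.
    //  * Without `fullword`, "93.62.0.77" also matches inside "193.62.0.77"
    //    and "70.60.30.222" inside "170.60.30.222". `fullword` (added here)
    //    requires a non-alphanumeric boundary on both sides, which removes
    //    that class of false positive without affecting exact matches.
    meta:
        description = "Detects known malicious Volt Typhoon IP addresses"
        author = "Cpl Iverson"
        date = "2025-01-08"
    strings:
        $ip1  = "46.10.197.206" fullword
        $ip2  = "176.102.35.175" fullword
        $ip3  = "93.62.0.77" fullword
        $ip4  = "194.50.159.3" fullword
        $ip5  = "80.64.80.169" fullword
        $ip6  = "24.212.225.54" fullword
        $ip7  = "208.97.106.10" fullword
        $ip8  = "70.60.30.222" fullword
        $ip9  = "184.67.141.110" fullword
        $ip10 = "202.22.227.179" fullword
        $ip11 = "49.204.75.92" fullword
        $ip12 = "61.2.141.161" fullword
        $ip13 = "49.204.75.90" fullword
        $ip14 = "114.143.222.242" fullword
        $ip15 = "117.211.166.22" fullword
        $ip16 = "49.204.65.90" fullword
        $ip17 = "49.204.73.250" fullword
        $ip18 = "192.149.47.110" fullword
        $ip19 = "212.11.106.139" fullword
        $ip20 = "89.203.140.246" fullword
        $ip21 = "94.125.218.19" fullword
        $ip22 = "183.82.110.178" fullword
        $ip23 = "117.239.157.74" fullword
        $ip24 = "210.212.224.124" fullword
        $ip25 = "109.166.39.139" fullword
        $ip26 = "23.227.198.247" fullword
        $ip27 = "104.161.54.203" fullword
    condition:
        any of them
}
```

```yara
/*
   YARA Rule Set
   Author: [Daffi]
   Date: [8 May 2024]
   Identifier: redline
   Description: Rules for detecting APT Volt Typhoon.
*/

import "hash"

rule volt_typhoon_strings
{
    // Caution on what this rule actually finds: $str1-$str3 are the *names of
    // YARA rules* published in the CISA advisory (they appear above in this
    // very file) and $str4/$str5 are the advisory's reporting e-mail addresses.
    // None of these are expected inside the actor's tooling; a hit means the
    // scanned file is documentation, a rule set or a report about Volt
    // Typhoon. Keep it out of alerting pipelines or tag hits as informational.
    strings:
        $str1 = "CustomFRPClient"
        $str2 = "HACKTOOL_FRPClient"
        $str3 = "EncryptJSP"
        $str4 = "contact@cyber.gc.ca"
        $str5 = "incidents@ncsc.govt.nz"
    condition:
        any of ($str*)
}

rule volt_typhoon_hashes
{
    // The page's version carried these digests as text strings, which can only
    // match files that *contain the hex digest as text* (reports, IOC lists,
    // this rule file), never the samples they identify. Rewritten to compare
    // the digest of the scanned file itself via YARA's hash module; the
    // algorithm for each value is fixed by its length (64 hex = SHA-256,
    // 40 = SHA-1, 32 = MD5). hash.* digests the whole file on every scan, so
    // consider adding a filesize guard when scanning large trees.
    // Dropped: "d17317e1d5716b09cee904b8463a203" (31 hex chars) from the page
    // is truncated and cannot equal any MD5/SHA-1/SHA-256 digest; re-check it
    // against the source advisory before adding it back.
    meta:
        description = "Files whose MD5/SHA-1/SHA-256 matches a published Volt Typhoon sample hash"
    condition:
        hash.sha256(0, filesize) == "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31" or
        hash.sha256(0, filesize) == "d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca" or
        hash.sha256(0, filesize) == "d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af" or
        hash.sha256(0, filesize) == "e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95" or
        hash.sha256(0, filesize) == "7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5" or
        hash.sha256(0, filesize) == "edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70" or
        hash.sha256(0, filesize) == "eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0" or
        hash.sha256(0, filesize) == "99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1" or
        hash.sha256(0, filesize) == "472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d" or
        hash.sha256(0, filesize) == "93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066" or
        hash.sha256(0, filesize) == "3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642" or
        hash.sha256(0, filesize) == "3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f" or
        hash.sha256(0, filesize) == "6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff" or
        hash.sha1(0, filesize) == "04423659f175a6878b26ac7d6b6e47c6fd9194d1" or
        hash.sha1(0, filesize) == "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34" or
        hash.sha1(0, filesize) == "ffdb3cc7ab5b01d276d23ac930eb21ffe3202d11" or
        hash.md5(0, filesize) == "fd41134e8ead1c18ccad27c62a260aa6" or
        hash.md5(0, filesize) == "3a97d9b6f17754dcd38ca7fc89caab04" or
        hash.md5(0, filesize) == "b1de37bf229890ac181bdef1ad8ee0c2" or
        hash.md5(0, filesize) == "433331fe1a3ff11ea362fc772b67da38"
}
```

```yara
rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_1
{
    // VersaMem in-memory webshell for Versa Director. $sb2 decodes to
    // "/usr/bin/pgrep", "-f" and "org.apache.catalina.startup.Bootstrap" with
    // 01 00 <len> prefixes, consistent with Java class-file constant-pool
    // entries; the pair $sb1/$sb2 alone is enough to fire, otherwise 3 of all.
    meta:
        description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)"
        author = "blacklotuslabs (modified by Florian Roth and X__Junior)"
        reference = "https://x.com/ryanaraine/status/1828440883315999117"
        date = "2024-08-27"
        modified = "2024-08-29"
        score = 75
    strings:
        $sa1 = "com.versa.vnms.ui.TestMain"
        $sa2 = "captureLoginPasswordCode"
        $sa3 = "com/versa/vnms/ui/services/impl/VersaAuthenticationServiceImpl"
        $sa4 = "/tmp/.temp.data"
        $sa5 = "getInsertCode"
        $sa6 = "VersaMem"
        $sa7 = "Versa-Auth"
        $sb1 = "/tmp/.java_pid"
        $sb2 = { 2f 75 73 72 2f 62 69 6e 2f 70 67 72 65 70 01 00 02 2d 66 01 00 25 6f 72 67 2e 61 70 61 63 68 65 2e 63 61 74 61 6c 69 6e 61 2e 73 74 61 72 74 75 70 2e 42 6f 6f 74 73 74 72 61 70 07 }
    condition:
        filesize < 5MB and ( 3 of them or all of ($sb*) )
}

rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_2
{
    // Second VersaMem variant; ZIP/JAR containers only (uint16(0) == 0x4b50 is
    // the "PK" magic) and a single string suffices.
    meta:
        description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)"
        author = "Florian Roth"
        reference = "https://x.com/craiu/status/1828687700884336990"
        date = "2024-08-29"
        score = 75
        hash1 = "4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37"
    strings:
        $x1 = "tomcat_memShell" ascii
        $x2 = "versa/vnms/ui/config/" ascii fullword
    condition:
        uint16(0) == 0x4b50 and filesize < 3000KB and 1 of them
}
```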