junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8a2ce3645c89a905f65f18478a44a0c7d6998ca0
spl/yara/[X]volt_typhoon_cisa.md

280 lines
8.4 KiB
Markdown
Raw Blame History

[X] Updated
```
rule ShellJSP {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
strings:
$s1 = "decrypt(fpath)"
$s2 = "decrypt(fcontext)"
$s3 = "decrypt(commandEnc)"
$s4 = "upload failed!"
$s5 = "aes.encrypt(allStr)"
$s6 = "newid"
condition:
filesize < 50KB and 4 of them
}
```
```
rule EncryptJSP {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
strings:
$s1 = "AEScrypt"
$s2 = "AES/CBC/PKCS5Padding"
$s3 = "SecretKeySpec"
$s4 = "FileOutputStream"
$s5 = "getParameter"
$s6 = "new ProcessBuilder"
$s7 = "new BufferedReader"
$s8 = "readLine()"
condition:
filesize < 50KB and 6 of them
}
```
```
rule CustomFRPClient {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
description=”Identify instances of the actor's custom FRP tool based
on unique strings chosen by the actor and included in the tool”
strings:
$s1 = "%!PS-Adobe-" nocase ascii wide
$s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase
ascii wide
$s4 = "MAGA2024!!!" nocase ascii wide
$s5 = "HTTP_PROXYHost: %s" nocase ascii wide
condition:
all of them
}
```
```
rule HACKTOOL_FRPClient {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
description=”Identify instances of FRP tool (Note: This tool is
known to be used by multiple actors, so hits would not necessarily imply
activity by the specific actor described in this report)”
strings:
$s1 = "%!PS-Adobe-" nocase ascii wide
$s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase
ascii wide
$s4 = "HTTP_PROXYHost: %s" nocase ascii wide
condition:
3 of them
}
```
```
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "Timewarp Java webshell in malicious Tomcat module"
version = "202306131008"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
strings:
$ = "setKey"
$ = "ProcessBuilder"
$ = "AES/ECB/PKCS5Padding"
$ = "tmp.log"
$ = "byteKey"
$ = "method0"
$ = "failed to read output from process"
condition:
filesize<50KB and 4 of them
}
```
```
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "JAR file containing Timewarp webshell"
version = "202306131011"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
strings:
$WsSci = "/WsSci.class"
$abc1 = "/A.class"
$abc2 = "/B.class"
$abc3 = "/C.class"
$timewarp1 = "/Timewarp.class"
$timewarp2 = "/Timewarp2.class"
$timewarp3 = "/Timewarp3.class"
condition:
uint16(0)==0x4b50 and filesize<1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
}
```
```
rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "ClassLoader - Java webshell install and execute script"
version = "202306131012"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
strings:
$ = ""
$ = "customEndpoint1"
$ = "move true
"
$ = "inject true
"
$ = "ListName_jsp"
$ = "photohelp_jsp"
$ = "photoparse_jsp"
$ = "Timewarp.class"
$ = "WsSci.class"
$ = "/A.class"
$ = "srcZipfs.getPath"
condition:
filesize<50KB and 4 of them
}
```
```
rule Volt_Suspicious_IPs
{
meta:
description = "Detects known malicious Volt Typhoon IP addresses"
author = "Cpl Iverson"
date = "2025-01-08"
strings:
$ip1 = "46.10.197.206"
$ip2 = "176.102.35.175"
$ip3 = "93.62.0.77"
$ip4 = "194.50.159.3"
$ip5 = "80.64.80.169"
$ip6 = "24.212.225.54"
$ip7 = "208.97.106.10"
$ip8 = "70.60.30.222"
$ip9 = "184.67.141.110"
$ip10 = "202.22.227.179"
$ip11 = "49.204.75.92"
$ip12 = "61.2.141.161"
$ip13 = "49.204.75.90"
$ip14 = "114.143.222.242"
$ip15 = "117.211.166.22"
$ip16 = "49.204.65.90"
$ip17 = "49.204.73.250"
$ip18 = "192.149.47.110"
$ip19 = "212.11.106.139"
$ip20 = "89.203.140.246"
$ip21 = "94.125.218.19"
$ip22 = "183.82.110.178"
$ip23 = "117.239.157.74"
$ip24 = "210.212.224.124"
$ip25 = "109.166.39.139"
$ip26 = "23.227.198.247"
$ip27 = "104.161.54.203"
condition:
any of them
}
```
```
/*
YARA Rule Set
Author: [Daffi]
Date: [8 Mei 2024]
Identifier: redline
Description: Rules for detecting APT Volt Typhoon.
*/
rule volt_typhoon_strings {
strings:
$str1 = "CustomFRPClient"
$str2 = "HACKTOOL_FRPClient"
$str3 = "EncryptJSP"
$str4 = "contact@cyber.gc.ca"
$str5 = "incidents@ncsc.govt.nz"
condition:
any of ($str*)
}
rule volt_typhoon_hashes {
strings:
$hash1 = "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31"
$hash2 = "d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca"
$hash3 = "d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af"
$hash4 = "e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95"
$hash5 = "7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5"
$hash6 = "fd41134e8ead1c18ccad27c62a260aa6"
$hash7 = "3a97d9b6f17754dcd38ca7fc89caab04"
$hash8 = "b1de37bf229890ac181bdef1ad8ee0c2"
$hash9 = "04423659f175a6878b26ac7d6b6e47c6fd9194d1"
$hash10 = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
$hash11 = "ffdb3cc7ab5b01d276d23ac930eb21ffe3202d11"
$hash12 = "edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70"
$hash13 = "eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0"
$hash14 = "99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1"
$hash15 = "433331fe1a3ff11ea362fc772b67da38"
$hash16 = "472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d"
$hash17 = "93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066"
$hash18 = "3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642"
$hash19 = "3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f"
$hash20 = "6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff"
$hash21 = "d17317e1d5716b09cee904b8463a203"
condition:
any of ($hash*)
}
```
```
rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_1 {
meta:
description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)"
author = "blacklotuslabs (modified by Florian Roth and X__Junior)"
reference = "https://x.com/ryanaraine/status/1828440883315999117"
date = "2024-08-27"
modified = "2024-08-29"
score = 75
strings:
$sa1 = "com.versa.vnms.ui.TestMain"
$sa2 = "captureLoginPasswordCode"
$sa3 = "com/versa/vnms/ui/services/impl/VersaAuthenticationServiceImpl"
$sa4 = "/tmp/.temp.data"
$sa5 = "getInsertCode"
$sa6 = "VersaMem"
$sa7 = "Versa-Auth"
$sb1 = "/tmp/.java_pid"
$sb2 = {2f 75 73 72 2f 62 69 6e 2f 70 67 72 65 70 01 00 02 2d 66 01 00 25 6f 72 67 2e 61 70 61 63 68 65 2e 63 61 74 61 6c 69 6e 61 2e 73 74 61 72 74 75 70 2e 42 6f 6f 74 73 74 72 61 70 07}
condition:
filesize < 5MB and ( 3 of them or all of ($sb*) )
}
rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_2 {
meta:
description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)"
author = "Florian Roth"
reference = "https://x.com/craiu/status/1828687700884336990"
date = "2024-08-29"
score = 75
hash1 = "4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37"
strings:
$x1 = "tomcat_memShell" ascii
$x2 = "versa/vnms/ui/config/" ascii fullword
condition:
uint16(0) == 0x4b50
and filesize < 3000KB
and 1 of them
}
```
Reference in New Issue View Git Blame Copy Permalink