
// JSP webshell strings listed in CISA advisory AA23-144A. Literals are plain
// ASCII with no `wide` modifier, so UTF-16 copies of the source are not covered.
rule ShellJSP {
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
    strings:
        $decrypt_path    = "decrypt(fpath)"
        $decrypt_context = "decrypt(fcontext)"
        $decrypt_command = "decrypt(commandEnc)"
        $upload_error    = "upload failed!"
        $encrypt_call    = "aes.encrypt(allStr)"
        $newid           = "newid"
    condition:
        // Size bound keeps the scan to small text files; 4 of 6 tolerates
        // minor edits to the shell while still requiring most markers.
        filesize < 50KB and 4 of them
}
// AES-wrapped JSP command shell from CISA advisory AA23-144A. Most of these
// markers are ordinary Java API names, so the 6-of-8 threshold is what keeps
// the rule from firing on generic Java sources that merely use AES or I/O.
rule EncryptJSP {
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
    strings:
        $aes_helper  = "AEScrypt"
        $aes_mode    = "AES/CBC/PKCS5Padding"
        $key_spec    = "SecretKeySpec"
        $file_out    = "FileOutputStream"
        $get_param   = "getParameter"
        $proc_build  = "new ProcessBuilder"
        $buf_reader  = "new BufferedReader"
        $read_line   = "readLine()"
    condition:
        filesize < 50KB and 6 of them
}
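rule CustomFRPClient {
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        // Meta values must be single-line literals in ASCII double quotes; the
        // copied text used typographic quotes and a wrapped line, which does
        // not parse.
        description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
    strings:
        // PostScript header followed by frpc Go symbol paths; all five are
        // required, which is what separates this from the generic FRP rule.
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "MAGA2024!!!" nocase ascii wide
        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        all of them
}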
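rule HACKTOOL_FRPClient {
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        // Meta values must be single-line literals in ASCII double quotes; the
        // copied text used typographic quotes and wrapped lines, which do not
        // parse.
        description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)"
    strings:
        // Generic frpc markers only (no actor-specific literal), hence the
        // HACKTOOL prefix: a hit identifies the tool, not the actor.
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        3 of them
}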
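rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "Timewarp Java webshell in malicious Tomcat module"
        version = "202306131008"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        // Reference added for consistency with the sibling VANGUARD PANDA rules
        // in this file (same date and version series); confirm against the
        // published rule.
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        // Anonymous strings: only the count matters for the condition.
        $ = "setKey"
        $ = "ProcessBuilder"
        $ = "AES/ECB/PKCS5Padding"
        $ = "tmp.log"
        $ = "byteKey"
        $ = "method0"
        $ = "failed to read output from process"
    condition:
        filesize<50KB and 4 of them
}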
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "JAR file containing Timewarp webshell"
        version = "202306131011"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        // Class-file entry names as they appear inside the archive directory.
        $WsSci     = "/WsSci.class"
        $abc1      = "/A.class"
        $abc2      = "/B.class"
        $abc3      = "/C.class"
        $timewarp1 = "/Timewarp.class"
        $timewarp2 = "/Timewarp2.class"
        $timewarp3 = "/Timewarp3.class"
    condition:
        // 0x4b50 little-endian at offset 0 is the "PK" ZIP/JAR signature.
        uint16(0) == 0x4b50
        and filesize < 1MB
        and $WsSci
        // Either naming scheme of the bundled classes, but the full set of one.
        and ( all of ($abc*) or all of ($timewarp*) )
}
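rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "ClassLoader - Java webshell install and execute script"
        version = "202306131012"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        // NOTE(review): this copy carried an empty literal (`$ = ""`) as the
        // first string, which YARA rejects. Its original value is not
        // recoverable from this file, so it is omitted; restore it from the
        // published rule if needed.
        $ = "customEndpoint1"
        // The copy had a raw line break inside these two literals (an
        // unterminated string). Written as an escaped newline here; confirm
        // the exact line ending against the published rule.
        $ = "move true \n"
        $ = "inject true \n"
        $ = "ListName_jsp"
        $ = "photohelp_jsp"
        $ = "photoparse_jsp"
        $ = "Timewarp.class"
        $ = "WsSci.class"
        $ = "/A.class"
        $ = "srcZipfs.getPath"
    condition:
        filesize<50KB and 4 of them
}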
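rule Volt_Suspicious_IPs
{
    meta:
        description = "Detects known malicious Volt Typhoon IP addresses"
        author = "Cpl Iverson"
        date = "2025-01-08"
        // NOTE(review): no source is recorded for this list; add a reference
        // meta pointing at the advisory it was taken from, and re-validate the
        // addresses before relying on them, since such infrastructure rotates.

    strings:
        // fullword: without it "93.62.0.77" also matches inside "193.62.0.77"
        // or "93.62.0.771", because a plain literal is a substring match.
        // ascii wide: also covers UTF-16 encoded text (e.g. some log exports).
        $ip1  = "46.10.197.206"   fullword ascii wide
        $ip2  = "176.102.35.175"  fullword ascii wide
        $ip3  = "93.62.0.77"      fullword ascii wide
        $ip4  = "194.50.159.3"    fullword ascii wide
        $ip5  = "80.64.80.169"    fullword ascii wide
        $ip6  = "24.212.225.54"   fullword ascii wide
        $ip7  = "208.97.106.10"   fullword ascii wide
        $ip8  = "70.60.30.222"    fullword ascii wide
        $ip9  = "184.67.141.110"  fullword ascii wide
        $ip10 = "202.22.227.179"  fullword ascii wide
        $ip11 = "49.204.75.92"    fullword ascii wide
        $ip12 = "61.2.141.161"    fullword ascii wide
        $ip13 = "49.204.75.90"    fullword ascii wide
        $ip14 = "114.143.222.242" fullword ascii wide
        $ip15 = "117.211.166.22"  fullword ascii wide
        $ip16 = "49.204.65.90"    fullword ascii wide
        $ip17 = "49.204.73.250"   fullword ascii wide
        $ip18 = "192.149.47.110"  fullword ascii wide
        $ip19 = "212.11.106.139"  fullword ascii wide
        $ip20 = "89.203.140.246"  fullword ascii wide
        $ip21 = "94.125.218.19"   fullword ascii wide
        $ip22 = "183.82.110.178"  fullword ascii wide
        $ip23 = "117.239.157.74"  fullword ascii wide
        $ip24 = "210.212.224.124" fullword ascii wide
        $ip25 = "109.166.39.139"  fullword ascii wide
        $ip26 = "23.227.198.247"  fullword ascii wide
        $ip27 = "104.161.54.203"  fullword ascii wide

    condition:
        // A single address is enough to flag the file for review.
        any of them
}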