Improve findings for Mirai, vncjew, alfa, custom RAT

pkg/action/testdata/scan_archive

@@ -70,7 +70,7 @@ net/ip/parse: medium
 net/mac/address: medium
 net/sendfile: low
 net/socket/listen: low
-net/socket/local/address: low
+net/socket/local_addr: low
 net/socket/peer/address: low
 net/socket/receive: low
 net/socket/send: low

rules/combo/backdoor/dl_iterate.yara

@@ -0,0 +1,14 @@
+
+rule dl_iterate_cpu_pthreads : high linux {
+  meta:
+	description = "possible backdoor interested in shared libraries and CPU info"
+  strings:
+	$iterate = "dl_iterate_phdr" fullword
+	$pthread = "pthread" fullword
+	$nprocs = "nprocs_cpu" fullword
+	$chattr = "chattr" fullword
+	$osrelease = "/proc/sys/kernel/osrelease"
+  condition:
+    filesize < 1200KB and uint32(0) == 1179403647 and all of them
+}
+

rules/combo/backdoor/router.yara

@@ -35,3 +35,31 @@ rule vaguely_gafygt : critical {
   condition:
     filesize < 122880 and 90% of ($ref*) and none of ($not*)
 }
+
+rule mirai_like : high linux {
+	meta:
+		description = "Mirai-like backdoor capabilities"
+		filetypes = "elf"
+		ref = "https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/"
+	strings:
+	   $ = "/proc/%d"
+   	   $ = "/proc/cpuinfo"
+       $ = "/proc/self/fd"
+       $ = "/proc/stat"
+	   $ = "/dev/null"
+	   $ = "getdents64" fullword
+	   $ = "environ" fullword
+	   $ = "fork" fullword
+	   $ = "fcntl" fullword
+	   $ = "open" fullword
+	   $ = "pagesize" fullword
+	   $ = "progname_full" fullword
+	   $ = "pthread_mutex_init" fullword
+	   $ = "srandom" fullword
+	   $ = "socket" fullword
+	   $ = "program_invocation_short_name" fullword
+	   $ = "mbsnrtowcs" fullword
+	   $ = "getsockname" fullword
+	condition:
+	   uint32(0) == 1179403647 and filesize > 40KB and filesize < 95KB and 94% of them
+}

rules/combo/degrader/linux_paths.yara

@@ -5,8 +5,8 @@ rule linux_critical_system_paths : medium {
   strings:
     $p_etc_crontab = "/etc/crontab"
 	$p_etc_sysctl_conf = "/etc/sysctl.conf"
-	$p_etc_init_d = /\/etc\/init.d[\w\/\.\-]{0,32}/
-	$p_etc_cron_d = /\/etc\/cron.d[\w\/\.\-]{0,32}/
+	$p_etc_init_d = /\/etc\/init\.d[\w\/\.\-]{0,32}/
+	$p_etc_cron_d = /\/etc\/cron\.d[\w\/\.\-]{0,32}/
 	$p_etc_selinux = /\/etc\/selinux[\w\/\.\-]{0,32}/
 	$p_etc_systemd = /\/etc\/systemd[\w\/\.\-]{0,32}/
 	$p_etc_preload = "/etc/ld.so.preload"
@@ -36,17 +36,76 @@ rule linux_critical_system_paths : medium {
 rule linux_critical_system_paths_small_elf : high {
   meta:
     description = "ELF accesses multiple critical Linux paths"
+	linux_critical_system_paths = "high"
   strings:
+	// a repeat of linux_critical_system_paths because we can't see
+	// the strings in our results otherwise
+    $p_etc_crontab = "/etc/crontab"
+	$p_etc_sysctl_conf = "/etc/sysctl.conf"
+	$p_etc_init_d = /\/etc\/init.d[\w\/\.\-]{0,32}/
+	$p_etc_cron_d = /\/etc\/cron.d[\w\/\.\-]{0,32}/
+	$p_etc_selinux = /\/etc\/selinux[\w\/\.\-]{0,32}/
+	$p_etc_systemd = /\/etc\/systemd[\w\/\.\-]{0,32}/
+	$p_etc_preload = "/etc/ld.so.preload"
+	$p_ld_so_cache = "/etc/ld.so.cache"
+    $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/
+    $p_var_log = /\/var\/log[\w\/\.\-]{0,32}/
+    $p_usr_libexec = /\/usr\/libexec[\w\/\.\-]{0,32}/
+    $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/
+    $p_sbin = /\/sbin\/[\w\/\.\-]{0,32}/
+    $p_lib_systemd = /\/lib\/systemd[\w\/\.\-]{0,32}/
+    $p_boot = /\/boot\/[\w\/\.\-]{0,32}/
+	$proc_self_cmdline = "/proc/self/cmdline"
+	$proc_self_cgroup = "/proc/self/cgroup"
+	$p_lib = "/usr/lib/x86_64-linux-gnu/"
+	$p_lib_ld = "/lib64/ld-linux-x86-64.so.2"
+    $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/
+    $p_sysctl = /sysctl[ -a-z]{0,32}/
+	$p_dev_watchdog = "/dev/watchdog"
+	$p_ps = "/usr/bin/ps"
+	$p_ss = "/usr/bin/lsof"
+	$p_ssh = "/usr/bin/ssh"
+	$p_dev_shm = "/dev/shm"
+
 	$not_vim = "VIMRUNTIME" fullword
+	$not_systemd = "SYSTEMD_OS_RELEASE"
   condition:
-    filesize < 10MB and uint32(0) == 1179403647 and linux_critical_system_paths and none of ($not*)
+    filesize < 10MB and uint32(0) == 1179403647 and any of ($p_etc*) and 5 of ($p*) and none of ($not*)
 }
 
 rule linux_critical_system_paths_small_shell : high {
   meta:
     description = "script accesses multiple critical Linux paths"
   strings:
     $hash_bang = "#!"
+	// a repeat of linux_critical_system_paths because we can't see
+	// the strings in our results otherwise
+    $p_etc_crontab = "/etc/crontab"
+	$p_etc_sysctl_conf = "/etc/sysctl.conf"
+	$p_etc_init_d = /\/etc\/init.d[\w\/\.\-]{0,32}/
+	$p_etc_cron_d = /\/etc\/cron.d[\w\/\.\-]{0,32}/
+	$p_etc_selinux = /\/etc\/selinux[\w\/\.\-]{0,32}/
+	$p_etc_systemd = /\/etc\/systemd[\w\/\.\-]{0,32}/
+	$p_etc_preload = "/etc/ld.so.preload"
+	$p_ld_so_cache = "/etc/ld.so.cache"
+    $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/
+    $p_var_log = /\/var\/log[\w\/\.\-]{0,32}/
+    $p_usr_libexec = /\/usr\/libexec[\w\/\.\-]{0,32}/
+    $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/
+    $p_sbin = /\/sbin\/[\w\/\.\-]{0,32}/
+    $p_lib_systemd = /\/lib\/systemd[\w\/\.\-]{0,32}/
+    $p_boot = /\/boot\/[\w\/\.\-]{0,32}/
+	$proc_self_cmdline = "/proc/self/cmdline"
+	$proc_self_cgroup = "/proc/self/cgroup"
+	$p_lib = "/usr/lib/x86_64-linux-gnu/"
+	$p_lib_ld = "/lib64/ld-linux-x86-64.so.2"
+    $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/
+    $p_sysctl = /sysctl[ -a-z]{0,32}/
+	$p_dev_watchdog = "/dev/watchdog"
+	$p_ps = "/usr/bin/ps"
+	$p_ss = "/usr/bin/lsof"
+	$p_ssh = "/usr/bin/ssh"
+	$p_dev_shm = "/dev/shm"	
   condition:
-    filesize < 64KB and $hash_bang in (0..2) and linux_critical_system_paths
+    filesize < 64KB and $hash_bang in (0..2) and any of ($p_etc*) and 5 of ($p*)
 }

rules/combo/degrader/panic.yara

@@ -0,0 +1,10 @@
+
+rule raise_hard_error : medium windows {
+  meta:
+    description = "crashes (bluescreens) the machine"
+	filetypes = "py,exe"
+  strings:
+	$crash = "NtRaiseHardError" fullword
+  condition:
+    filesize < 1MB and any of them
+}

rules/combo/recon/upload_netinfo.yara

@@ -13,7 +13,7 @@ rule user_agent_ifconfig : high {
     filesize < 5MB and any of ($ua*) and math.abs(@net_ifconfig - @net_ifconfig_a) <= 8
 }
 
-rule user_agent_proc_net_route : high {
+rule user_agent_proc_net_route : medium {
   meta:
     description = "Has a user agent and collects network info"
     hash_2023_Unix_Dropper_Mirai_1703 = "1703bd27e0ae38a53e897b82554f95eaa5a88f2b0a6c2c9d973d7e34d05b2539"

rules/combo/stealer/browser.yara

@@ -154,3 +154,19 @@ rule chrome_encrypted_cookies : critical {
 	condition:
 		$select
 }
+
+rule leveldb_exfil : high {
+	meta:
+		description = "Reads values from browser leveldb files"
+	strings:
+		$h_urlopen = "urlopen"
+		$h_https = "https://"
+		$leveldb = "leveldb" fullword
+		$b_Yandox = "Yandex"
+		$b_Discord = "Discord"
+		$b_Chrome = "Google Chrome"
+		$b_Opera = "Opera"
+		$b_Brave = "Brave"
+	condition:
+		filesize < 3MB and $leveldb and any of ($h*) and 3 of ($b*)
+}

rules/combo/stealer/ditto.yara

@@ -1,4 +1,3 @@
-
 rule ditto_crypto_stealer : high {
   meta:
     description = "makes HTTP connections and creates archives using ditto"

rules/combo/stealer/keylogger.yara

@@ -0,0 +1,14 @@
+rule py_keylogger_exfil : high {
+  meta:
+    description = "listens for keyboard events and exfiltrates them"
+	filetypes = "py"
+  strings:
+    $http = "http"
+    $http_POST = /POST[ \/\w]{0,32}/
+	$http_Discord = "Discord"
+    $f_pynput = "pynput.keyboard"
+	$f_key = "Key" fullword
+	$f_listener = "Listener" fullword
+  condition:
+    filesize < 256KB and any of ($http*) and all of ($f*)
+}

rules/combo/stealer/pam.yara

@@ -20,7 +20,7 @@ rule pam_passwords : high {
 	$not_pam_service = "--pam-service"
 	$not_pam_acct = "pam_acct_mgmt"
   condition:
-    $auth and $pass and any of ($f*) and none of ($not*)
+    $auth and $pass and 2 of ($f*) and none of ($not*)
 }
 
 rule pam_passwords_rootkit : critical {

rules/device/webcam.yara

@@ -7,6 +7,7 @@ rule macos_webcam_user : medium {
   strings:
     $device_list = "SGGetChannelDeviceList"
     $set_channel = "SGSetChannelDevice"
+	$cv2 = "cv2.VideoCapture"
   condition:
     any of them
 }

rules/evasion/base64-eval.yara

@@ -76,7 +76,7 @@ rule echo_decode_bash_probable : high {
     $not_copyright = "Copyright (c)"
     $not_syntax = "syntax file"
   condition:
-    filesize < 1048576 and $echo and ($bash or $sh) and ($base64_decode or $base64_d) and none of ($not*)
+    filesize < 15KB and $echo and ($bash or $sh) and ($base64_decode or $base64_d) and none of ($not*)
 }
 
 rule acme_sh : override {

rules/evasion/base64-hidden.yara

@@ -9,6 +9,10 @@ rule base64_str_replace : critical {
     $a = /\wba\ws\we64/
     $b = /\wb\wa\ws\we\w6\w4/
     $c = /\wb\wa\wse\w6\w4/
+	$d = "'bas'.'e'.'6'.'4"
+	$e = "'ba'.'se'.'6'.'4"
+	$f = "'b'.'ase'.'6'.'4"
+	$g = "'bas'.'e'.'6'.'4"
   condition:
     any of them
 }

rules/evasion/bitwise_math.yara

@@ -9,7 +9,7 @@ rule large_bitwise_math : medium {
   strings:
     $x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/
   condition:
-    filesize < 128000 and #x > 16
+    filesize < 256KB and #x > 16
 }
 
 rule excessive_bitwise_math : high {
@@ -28,7 +28,7 @@ rule excessive_bitwise_math : high {
     $not_jslint = "jslint bitwise"
 	$not_include = "#define "
   condition:
-    filesize < 128000 and #x > 64 and none of ($not*)
+    filesize < 192KB and #x > 64 and none of ($not*)
 }
 
 rule bitwise_math : low {
@@ -38,7 +38,7 @@ rule bitwise_math : low {
     $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/
     $y = /\-{0,1}[\da-z]{1,8} \>\> \-{0,1}\d{1,8}/
   condition:
-    filesize < 65535 and any of them
+    filesize < 192KB and any of them
 }
 
 rule bidirectional_bitwise_math : medium {
@@ -52,7 +52,7 @@ rule bidirectional_bitwise_math : medium {
     $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/
     $y = /\-{0,1}[\da-z]{1,8} \>\> \-{0,1}\d{1,8}/
   condition:
-    filesize < 65535 and all of them
+    filesize < 192KB and all of them
 }
 
 rule bitwise_python_string : medium {

rules/evasion/packer/elf.yara

@@ -1,6 +1,6 @@
 import "math"
 
-rule obfuscated_elf : high {
+rule obfuscated_elf : high linux {
   meta:
     description = "Obfuscated ELF binary (missing symbols)"
     hash_2023_APT31_1d60 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"

rules/evasion/process-hide.yara

@@ -12,29 +12,49 @@ rule elf_processhide : high {
     all of them
 }
 
-rule elf_possible_prochid : high {
+rule linux_process_hider : critical linux {
   meta:
     description = "userland rootkit designed to hide processes"
     ref = "prochid.c"
     hash_2023_OK_c38c = "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a"
     hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116"
     hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71"
   strings:
-    $proc_self_fd = "/proc/self/fd/%d"
-    $proc_stat = "/proc/%s/stat"
-    $readdir = "readdir"
+    $f_proc_self_fd = "/proc/self/fd/%d"
+    $f_proc_stat = "/proc/%s/stat"
+    $f_readdir = "readdir"
+	$f_dlsym = "dlsym"
+	$f_readlink = "readlink"
+    $x_hide_process = "hide_proc" fullword
+    $x_proc_hide = "proc_hide" fullword
+    $x_process_hide = "process_hide" fullword
+    $x_process_hiding = "process_hiding" fullword
+	$x_hidden_proc = "hidden_proc" fullword
+    $x_prochide = "processhide"
+    $x_process_to_filter = "process_to_filter"
+	$x_old_readdir = "old_readdir"
+	$x_orig_readdir = "orig_readdir"
+	$x_original_readdir = "original_readdir"
+	$x_readdirOriginal = "readdirOriginal"
+	$x_backdoor = "backdoor" fullword
+	$x_is_hidden = "is_hidden" fullword
+	$x_hidden_gid = "HIDDEN_GID" fullword
+	$x_revshell = "revshell" fullword
+	$x_cmdline = "/proc/self/cmdline"
+	$not_bpf = "/sys/fs/bpf"
   condition:
-    all of them
+    filesize < 250KB and all of ($f*) and any of ($x*) and none of ($not*)
 }
 
-rule process_hider {
+rule process_hider : high {
   meta:
-    description = "userland rootkit designed to hide processes"
+    description = "possible userland rootkit designed to hide processes"
   strings:
-    $hide_process = "hide_proc"
-    $proc_hide = "proc_hide"
-    $process_hide = "process_hide"
-    $process_hiding = "process_hiding"
+    $hide_process = "hide_proc" fullword
+    $proc_hide = "proc_hide" fullword
+    $process_hide = "process_hide" fullword
+    $process_hiding = "process_hiding" fullword
+	$hidden_proc = "hidden_proc" fullword
   condition:
-    any of them
+    filesize < 250KB and any of them
 }

rules/exfil/discord.yara

@@ -9,6 +9,7 @@ rule discord_bot : high {
   strings:
 	$ = /discordapp.com\/api\/webhooks[\/\d]{0,32}/
 	$ = /discord.com\/api\/webhooks[\/\d]{0,32}/
+	$ = "import discord"
   condition:
     any of them
 }

rules/false_positives/busybox.yara

@@ -1,10 +1,13 @@
 rule busybox : override {
   meta:
     description = "busybox"
-    infection_killer = "medium"
+    infection_killer = "ignore"
+	ubi = "low"
+	dev_mem = "low"
+	linux_critical_system_paths_small_elf = "low"
   strings:
     $description = /BusyBox is a multi-call binary that combines many common Unix\n\tutilities into a single executable./
     $license = "BusyBox is copyrighted by many authors between 1998-2015."
   condition:
-    filesize < 1MB and all of them
+    filesize < 3MB and all of them
 }

rules/false_positives/lslogins.yara

@@ -0,0 +1,10 @@
+rule lastlogins : override linux {
+  meta:
+    description = "lastlogins"
+    login_records = "low"
+  strings:
+	$lastlogin = "LAST-LOGIN"
+	$max = "LASTLOG_UID_MAX"
+  condition:
+    filesize < 100KB and uint32(0) == 1179403647 and any of them
+}

rules/false_positives/pastebinit.yara

@@ -0,0 +1,11 @@
+rule pastebinit : override {
+  meta:
+    description = "pastebinit user"
+    echo_decode_bash_probable = "ignore"
+	download_sites = "medium"
+  strings:
+    $pb = "pastebinit" fullword
+	$ubuntu = "ubuntu" fullword
+  condition:
+    filesize < 40KB and all of them
+}