chainguard-dev · tstromberg · Nov 6, 2024 · Nov 5, 2024 · Nov 5, 2024 · Nov 5, 2024
diff --git a/rules/impact/ransom/linux.yara b/rules/impact/ransom/linux.yara
@@ -0,0 +1,82 @@
+rule encrypter: high {
+  meta:
+    description = "probable Linux ransomware encrypter"
+
+  strings:
+    $ENCRYPTER = "ENCRYPTER"
+    $Encrypter = "Encrypter"
+    $f_readdir = "readdir"
+    $f_fopen   = "fopen"
+    $f_pthread = "pthread"
+
+  condition:
+    filesize < 1MB and uint32(0) == 1179403647 and any of ($E*) and all of ($f*)
+}
+
+rule esxi_chacha: high {
+  meta:
+    description = "probable Linux ransomware encrypter"
+
+  strings:
+    $E_esxi    = "esxi" fullword
+    $E_chacha  = "chacha20" fullword
+    $f_readdir = "readdir"
+    $f_fopen   = "fopen"
+    $f_pthread = "pthread"
+
+  condition:
+    filesize < 128KB and uint32(0) == 1179403647 and any of ($E*) and all of ($f*)
+}
+
+rule linux_syscalls: high {
+  meta:
+    description = "possible Linux ransomware encrypter"
+
+  strings:
+    $e_Encrypt     = "ENCRYPT"
+    $e_crypto      = "crypto"
+    $e_encrypt     = "encrypt"
+    $e_chacha      = "chacha20"
+    $e_Processed   = "Processed:"
+    $e_total_files = "Total files"
+    $e_esxi        = "esxi" fullword
+    $e_vmsvc       = "vmscvc" fullword
+
+    $f_fork     = "fork" fullword
+    $f_popen    = "popen" fullword
+    $f_strcpy   = "strcpy" fullword
+    $f_closedir = "closedir" fullword
+    $f_readdir  = "readdir" fullword
+    $f_fopen    = "fopen" fullword
+    $f_pthread  = "pthread" fullword
+    $f_feof     = "feof" fullword
+    $f_opendir  = "opendir" fullword
+    $f_seek     = "fseek" fullword
+    $f_read     = "fread" fullword
+    $f_rename   = "rename" fullword
+    $f_atoi     = "atoi" fullword
+
+  condition:
+    filesize < 1MB and uint32(0) == 1179403647 and $f_readdir and 85 % of ($f*) and any of ($e*)
+}
+
+rule conti_alike: high posix {
+  meta:
+    description = "Reads directories, renames files, encrypts files"
+    filetypes   = "so,elf,macho"
+
+  strings:
+    $readdir       = "readdir" fullword
+    $rename        = "rename" fullword
+    $enc1          = "encrypted by"
+    $enc2          = "RSA PUBLIC KEY"
+    $enc3          = "Encrypting file"
+    $enc4          = "files_encrypted"
+    $enc5          = "encrypts files"
+    $enc6          = "ENCRYPTER"
+    $not_fscrypt_h = "#define _LINUX_FSCRYPT_H"
+
+  condition:
+    filesize < 512KB and $readdir and $rename and 2 of ($enc*) and none of ($not*)
+}
+
diff --git a/rules/impact/ransom/readdir_rename_encrypt.yara b/rules/impact/ransom/readdir_rename_encrypt.yara
diff --git a/rules/lateral/vmware/vms.yara b/rules/lateral/vmware/vms.yara
@@ -0,0 +1,12 @@
+rule vmware_vms: medium {
+  meta:
+    description = "gets a list of VMware VM IDs"
+
+  strings:
+    $ref  = "vim-cmd"
+    $ref2 = "vmsvc"
+    $ref3 = "getallvm"
+
+  condition:
+    all of them
+}
diff --git a/rules/malware/family/beast.yara b/rules/malware/family/beast.yara
@@ -0,0 +1,19 @@
+rule beast: critical {
+  meta:
+    description = "Beast Ransomware"
+    ref         = "https://www.cybereason.com/blog/threat-analysis-beast-ransomware"
+
+  strings:
+    $beast       = "beast.log" fullword
+    $esxi        = "esxi" fullword
+    $chacha20    = "chacha20" fullword
+    $encyrpter   = "ENCRYPTER: DAEMON"
+    $note        = "Write note in each folder"
+    $note2       = "include note from eXternal file"
+    $default_key = "default.key"
+    $BEAST       = "BEASTWASHERE"
+    $vm          = "vmsvc/getallvms"
+
+  condition:
+    filesize < 1MB and 80 % of them
+}
diff --git a/...inux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple b/...inux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
@@ -9,6 +9,7 @@ fs/path/tmp: medium
 fs/symlink_resolve: low
 impact/ransom/note: high
 impact/services/esxcli: critical
+lateral/vmware/vms: medium
 net/p2p/tor: high
 persist/daemon: medium
 process/multithreaded: low