signature-base/mal_lnx_implant_may22.yar at master · Neo23x0/signature-base
Tags
attack-pattern: | Malware - T1587.001 Malware - T1588.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 |
Common Information
Type | Value |
---|---|
UUID | 88973f22-c4c7-4abb-bfb0-d144d9a7537f |
Fingerprint | 6e932e11ccbf2675 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 9, 2022, midnight |
Added to db | Sept. 11, 2022, 12:42 p.m. |
Last updated | Oct. 10, 2024, 8:48 a.m. |
Headline | UNKNOWN |
Title | signature-base/mal_lnx_implant_may22.yar at master · Neo23x0/signature-base |
Detected Hints/Tags/Attributes | 18/1/27 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 11 | doublepulsar.com |
Details | Domain | 5 | exatrack.com |
Details | Domain | 6 | haldrund.pid (auto-extracted as a domain; the `.pid` suffix reads like a PID-file name rather than a hostname — verify against the referenced write-up before treating this as a network IOC) |
Details | File | 2 | tricephalic_hellkeeper.pdf (the ExaTrack report linked below, not a malware sample) |
Details | sha256 | 5 | 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d |
Details | sha256 | 4 | 4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d |
Details | sha256 | 5 | 599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683 |
Details | sha256 | 4 | 5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9 |
Details | sha256 | 4 | 5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3 |
Details | sha256 | 4 | 93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c |
Details | sha256 | 4 | 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc |
Details | sha256 | 3 | c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276 |
Details | sha256 | 4 | f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27 |
Details | sha256 | 4 | fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a |
Details | sha256 | 5 | 76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925 |
Details | sha256 | 5 | 96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9 |
Details | sha256 | 4 | c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c |
Details | sha256 | 5 | f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72 |
Details | sha256 | 4 | 144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3 |
Details | sha256 | 5 | fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73 |
Details | sha256 | 3 | 1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345 |
Details | sha256 | 5 | 591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78 |
Details | Url | 2 | https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 |
Details | Url | 2 | https://exatrack.com/public/tricephalic_hellkeeper.pdf |
rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_1 {
   // Controller-side detection for the BPFDoor Linux implant family.
   // NOTE(review): the description still reads "unknown Linux implants"
   // from the 2022-05-05 draft; the rule name and the reference URL
   // identify the family as BPFDoor. Meta values are kept verbatim.
   meta:
      description = "Detects unknown Linux implants (uploads from KR and MO)"
      author = "Florian Roth"
      reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
      date = "2022-05-05"
      score = 90
      hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
      hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
      hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
      hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
      hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
      hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
      hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
      hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
      hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
      hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"

   strings:
      // Plain-text artefacts. $s2 exports MYSQL_HISTFILE, which is
      // consistent with shell/history suppression on the victim, and
      // $s3/$s4 look like command-handler names -- treat the meaning as
      // inferred from the strings themselves, not proven here.
      $s1 = "[-] Connect failed." ascii fullword
      $s2 = "export MYSQL_HISTFILE=" ascii fullword
      $s3 = "udpcmd" ascii fullword
      $s4 = "getshell" ascii fullword

      // x86-64 code fragments from the samples listed above.
      // $op2 starts with a generic prologue (push rbp / mov rbp,rsp /
      // sub rsp,0x30), so on its own it is weak; the 2-of threshold
      // below is what makes it useful.
      $op1 = { E8 ?? FF FF FF 80 45 EE 01 0F B6 45 EE 3B 45 D4 7C 04 C6 45 EE 00 80 45 FF 01 80 7D FF 00 }
      $op2 = { 55 48 89 E5 48 83 EC 30 89 7D EC 48 89 75 E0 89 55 DC 83 7D DC 00 75 0? }
      $op3 = { E8 A? FE FF FF 0F B6 45 F6 48 03 45 E8 0F B6 10 0F B6 45 F7 48 03 45 E8 0F B6 00 8D 04 02 }
      $op4 = { C6 80 01 01 00 00 00 48 8B 45 C8 0F B6 90 01 01 00 00 48 8B 45 C8 88 90 00 01 00 00 C6 45 EF 00 0F B6 45 EF 88 45 EE }

   condition:
      // YARA binds `and` tighter than `or`; the parentheses make the
      // two paths explicit without changing what the original matched:
      //  (a) a small ELF (0x457f == "\x7fELF" read as little-endian
      //      uint16) with any 2 of the 8 strings, or
      //  (b) any file at all -- no magic or size check -- with 5 of them
      //      (e.g. a memory dump or an archive holding the binary).
      ( uint16(0) == 0x457f and filesize < 80KB and 2 of them )
      or 5 of them
}
rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3 {
   // String-only BPFDoor rule keyed on the fake process names/argv lines
   // the implant carries. Meta values are kept verbatim.
   meta:
      description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
      author = "Florian Roth"
      reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
      date = "2022-05-08"
      score = 85
      hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3"
      hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"

   strings:
      // Each string looks like the command line / log line of a benign
      // Linux daemon (hald ACPI add-on, mingetty, postfix pickup).
      // NOTE(review): $s1 is plausibly the genuine log message of the
      // real hald-addon-acpi binary, so a single hit on it is not
      // evidence by itself -- the condition requires at least two, and
      // a legitimate daemon is unlikely to embed the other two as well.
      $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword
      $s2 = "/sbin/mingetty /dev" ascii fullword
      $s3 = "pickup -l -t fifo -u" ascii fullword

   condition:
      // `and` binds tighter than `or` in YARA; parenthesised for clarity,
      // semantics unchanged:
      //  (a) an ELF under 200KB with any 2 of the 3 strings, or
      //  (b) any file (no magic/size gate) containing all 3.
      ( uint16(0) == 0x457f and filesize < 200KB and 2 of them )
      or all of them
}
rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1 {
   // Code-pattern (no plain strings) rule covering the wider BPFDoor
   // sample set; intended to survive string changes between builds.
   // Meta values are kept verbatim.
   meta:
      description = "Detects BPFDoor malware"
      author = "Florian Roth"
      reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
      date = "2022-05-09"
      score = 90
      hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
      hash2 = "1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345"
      hash3 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
      hash4 = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78"
      hash5 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
      hash6 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
      hash7 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
      hash8 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
      hash9 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
      hash10 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
      hash11 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
      hash12 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
      hash13 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
      hash14 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72"
      hash15 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
      hash16 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
      hash17 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"

   strings:
      // x86-64 fragments; `?` is a nibble wildcard, so `?8` / `F?` absorb
      // small stack-slot offset differences between builds.
      //
      // NOTE(review): these patterns overlap heavily. $op5 is $op1 with a
      // 4-byte prefix, $op4's tail is $op2's head, and $op3/$op6 share
      // long runs with $op2/$op4. One code site can therefore satisfy
      // two or more of them at once, so "2 of them" is a weaker gate
      // than the count suggests; "4 of them" is correspondingly weaker
      // than four independent features. The hash list is the ground
      // truth for what this rule was built against.
      $op1 = { C6 80 01 01 00 00 00 48 8B 45 ?8 0F B6 90 01 01 00 00 48 8B 45 ?8 88 90 00 01 00 00 C6 45 ?? 00 0F B6 45 ?? 88 45 }
      $op2 = { 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 0F B6 80 01 01 00 00 }
      $op3 = { 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 0F B6 80 01 01 00 00 88 45 F? C7 45 F8 00 00 00 00 }
      $op4 = { 48 89 7D D8 89 75 D4 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? }
      $op5 = { 48 8B 45 ?8 C6 80 01 01 00 00 00 48 8B 45 ?8 0F B6 90 01 01 00 00 48 8B 45 ?8 88 90 00 01 00 00 C6 45 ?? 00 0F B6 45 }
      $op6 = { 89 75 D4 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 }

   condition:
      // Parenthesised to show the precedence YARA already applies
      // (`and` before `or`); behaviour is identical to the original:
      //  (a) an ELF under 200KB with any 2 of the 6 fragments, or
      //  (b) any file, regardless of magic or size, with 4 of them.
      ( uint16(0) == 0x457f and filesize < 200KB and 2 of them )
      or 4 of them
}