From 62facaa020a3f1d27f763bf01ba9d3e5f2aa45ea Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 9 Oct 2024 09:27:21 +0200
Subject: [PATCH] Create mal_perfctl_oct24.yar
---
yara/mal_perfctl_oct24.yar | 40 ++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 yara/mal_perfctl_oct24.yar
diff --git a/yara/mal_perfctl_oct24.yar b/yara/mal_perfctl_oct24.yar
new file mode 100644
index 00000000..8f4fe4a7
--- /dev/null
+++ b/yara/mal_perfctl_oct24.yar
@@ -0,0 +1,40 @@
+
+rule MAL_EXPL_Perfctl_Oct24 {
+ meta:
+ description = "Detects exploits used in relation with Perfctl malware campaigns"
+ author = "Florian Roth"
+ reference = "https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/"
+ date = "2024-10-09"
+ score = 80
+ hash1 = "22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13"
+ strings:
+ $s1 = "Exploit failed. Target is most likely patched." ascii fullword
+ $s2 = "SHELL=pkexec" ascii fullword
+ $s3 = "/dump_" ascii fullword
+ $s4 = ".EYE$" ascii
+ condition:
+ uint16(0) == 0x457f
+ and filesize < 30000KB
+ and 2 of them
+ or all of them
+}
+
+rule MAL_LNX_Perfctl_Oct24 {
+ meta:
+ description = "Detects Perfctl malware samples"
+ author = "Florian Roth"
+ reference = "https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/"
+ date = "2024-10-09"
+ score = 75
+ hash1 = "a6d3c6b6359ae660d855f978057aab1115b418ed277bb9047cd488f9c7850747"
+ hash2 = "ca3f246d635bfa560f6c839111be554a14735513e90b3e6784bedfe1930bdfd6"
+ strings:
+ $op1 = { 83 45 f8 01 8b 45 f8 48 3b 45 98 0f 82 1b ff ff ff 90 c9 c3 55 }
+ $op2 = { 48 8b 55 a0 48 01 ca 0f b6 0a 48 8b 55 a8 89 c0 88 4c 02 18 8b 45 fc 83 e0 3f }
+ $op3 = { 88 4c 10 58 83 45 f8 01 83 7d f8 03 0f 86 68 ff ff ff 90 c9 c3 55 }
+ $op4 = { 48 83 ec 68 48 89 7d a8 48 89 75 a0 48 89 55 98 48 8b 45 a8 48 8b 00 83 e0 3f 89 45 fc }
+ condition:
+ uint16(0) == 0x457f
+ and filesize < 300KB
+ and 2 of them
+}
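Review bot: In the condition of MAL_EXPL_Perfctl_Oct24, `or all of them` binds looser than the preceding `and` chain, so any file containing all four strings matches regardless of the ELF magic check and the 30000KB size cap. If that catch-all branch is intended, parenthesising both sides makes the precedence explicit for the next reader: `( uint16(0) == 0x457f and filesize < 30000KB and 2 of them ) or all of them`. Separately, `$s3 = "/dump_" ascii fullword` only matches when the byte after the underscore is non-alphanumeric, which presumably excludes `/dump_<name>`-style paths; confirm against the referenced sample whether the string is meant as a prefix, in which case `fullword` should be dropped from that line.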