yara-rules
Collection of YARA signatures from recent malware research
Ruleset
APT32 KerrDown
- Rule: APT32_KerrDown.yara
- Reference: https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
KPOT v2
- Rule: KPOT_v2.yara
- Reference: https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal
WatchBog Linux botnet
- Rule: WatchBog_Linux.yara
- References: https://twitter.com/polarply/status/1153232987762376704, https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798
EvilGnome Linux malware
- Rule: EvilGnome_Linux.yara
- Reference: https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/
APT34 PICKPOCKET
- Rule: APT34_PICKPOCKET.yara
- Reference: https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
APT34 LONGWATCH
- Rule: APT34_LONGWATCH.yara
- Reference: https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
APT34 VALUEVAULT
- Rule: APT34_VALUEVAULT.yara
- Reference: https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
RedGhost Linux tool
SilentTrinity
- Rule: SilentTrinity_Payload.rule
- Rule: SilentTrinity_Delivery.rule
- Reference: https://countercept.com/blog/hunting-for-silenttrinity/
DNSpionage
- Rule: DNSpionage.yara
- References: https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html, https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
TA505 FlowerPippi
- Rule: TA505_FlowerPippi.yara
- Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/
REMCOS RAT
- Rule: REMCOS_RAT_2019.yara
- Reference: https://exchange.xforce.ibmcloud.com/collection/Remcos-Rat-Delivered-via-Email-Campaign-056f98e4fc97bd142337d6b2271aeaa7
GodLua Linux Backdoor
APT32 Ratsnif
- Rule: apt32-ratsnif.yara
- Reference: https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html
OSX/CrescentCore
- Rule: crescentcore_dmg.yara
- Reference: https://www.intego.com/mac-security-blog/osx-crescentcore-mac-malware-designed-to-evade-antivirus/
Side note: when will we all decide to change Mac sig names to macOS/? It's way past time, imho.
WarZone RAT aka Ave Maria Stealer
- Rule: avemaria_warzone.yara
- Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery
Winnti Linux
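The collection mixes two file extensions (`.yara` for most entries, `.rule` for the SilentTrinity rules), so a plain `yara *.yara` invocation silently skips part of the set. The script below is an added example, not tooling from this repository: it walks the checkout, collects every `.yara`/`.rule` file, writes a single `index.yar` of `include` statements, and compiles it with yara-python when that package is available. The demo directory and placeholder rule bodies it creates are constructed for the example; the real rule files and their contents are assumed to sit at the top level of the repository.

```python
"""Build one YARA index that includes every rule file in the collection.

Added example, not part of the yara-rules repository.  Assumes rule files
end in .yara or .rule (both extensions appear in the listing) and live
somewhere under the repository root.  The demo repository created by
make_demo_repo() holds constructed placeholder rules, not the real ones.
"""
import os
import tempfile

# Both extensions used by files in this collection.
RULE_EXTENSIONS = (".yara", ".rule")


def find_rule_files(root):
    """Return sorted paths (relative to root) of every rule file under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RULE_EXTENSIONS):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def build_index(root):
    """Return the text of an index file that `include`s each rule file."""
    lines = ["// auto-generated: includes every .yara/.rule file in the collection"]
    for rel in find_rule_files(root):
        # YARA include paths use forward slashes regardless of platform.
        lines.append('include "%s"' % rel.replace(os.sep, "/"))
    return "\n".join(lines) + "\n"


def write_index(root, name="index.yar"):
    """Write the index next to the rules and return its path."""
    path = os.path.join(root, name)
    with open(path, "w") as fh:
        fh.write(build_index(root))
    return path


def try_compile(index_path):
    """Compile the index with yara-python if installed; return None otherwise."""
    try:
        import yara  # provided by the yara-python package (assumed optional)
    except ImportError:
        return None
    # A syntax error in any included file raises yara.SyntaxError here,
    # which is exactly the check you want before deploying the set.
    return yara.compile(filepath=index_path)


def make_demo_repo():
    """Create a temp directory with constructed placeholder rule files."""
    root = tempfile.mkdtemp(prefix="yara-rules-")
    samples = {
        "APT32_KerrDown.yara":
            'rule APT32_KerrDown_placeholder { strings: $a = "constructed" condition: $a }\n',
        "SilentTrinity_Payload.rule":
            'rule SilentTrinity_placeholder { strings: $a = "constructed" condition: $a }\n',
        "README.md": "not a rule file, must be skipped\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    repo = make_demo_repo()
    idx = write_index(repo)
    print(open(idx).read())
    compiled = try_compile(idx)
    print("compiled OK" if compiled else "yara-python not installed; index written only")
```

Run it from the repository root (replace `make_demo_repo()` with `"."`) and then scan with `yara -r index.yar <target>`; because the index is regenerated from the directory listing, newly added `.rule` or `.yara` files are picked up without editing anything by hand.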