Add Yara detection against LOLKEK,Spacecolon and ClamAV and Snort detecction against LummaStealer

ditekshen · ditekshen · commit 33a1aba35744 · 2023-08-13T19:07:48.000+03:00
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ A set of interrelated network and host detection rules with the aim of improving
 
 ## Supported Rules
 
-Currently, Snort, Yara and ClamAV rules are supported. Additional singatures and formats are work in progress.
+Currently, Snort 3, Yara and ClamAV rules are supported. Additional singatures and formats are work in progress.
 
 ## Scripts
 
diff --git a/clamav/clamav.ldb b/clamav/clamav.ldb
@@ -143,3 +143,4 @@ ditekSHen.MALWARE.Linux.Trojan.GolangBypassAV;Engine:51-255,Target:6;0;2f476f6c6
 ditekSHen.MALWARE.Win.Trojan.GolangBypassAV;Engine:51-255,Target:1;0;2f476f6c616e6742797061737341562f67656e2f
 ditekSHen.MALWARE.Linux.Trojan.GetShell;Engine:51-255,Target:6;((0&1)|(2&3))&(4|5|6|7|8|9)>2;636174203c286563686f2027407265626f6f74206563686f20736f636b73355f6261636b636f6e6e656374;2863642020262620292729203c2873656420272f736f636b73355f6261636b636f6e6e656374;636174203c286563686f202740;2863642020262620292729203c287365642027;7061636b65646970;7173656374696f6e706f7374;7175657279686561646572;636f707964617461;73796e73656e64;62635f636f6e6e656374
 ditekSHen.MALWARE.Win.Trojan.RookIE-Downloader;Engine:51-255,Target:1;0&1&2&3;7368656c6c3a3a3a7b32353539613166332d323164372d313164342d626461662d3030633034663630623966307d;7461736b6b696c6c202f66202f696d2068682e657865;526f6f6b49452f312e30;233332373730
+ditekSHen.MALWARE.Win.Trojan.LummaStealer;Engine:51-255,Target:1;(0|1)&(3|4|5)&(6|7|8);6332736f636b::w;6332636f6e66::w;2d20436f6d70757465724e616d65446e73486f73746e616d653a;2d20436f6d70757465724e616d654e657442494f533a;2d20506879736963616c20496e7374616c6c6564204d656d6f72793a;2a2e656d6c::w;5465736c6142726f77736572::w;6c69643d2573;534f4654574152455c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c556e696e7374616c6c::w
diff --git a/snort/snort3.rules b/snort/snort3.rules
@@ -304,6 +304,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adwa
 alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Vulturi infostealer outbound connection detected"; flow:to_server,established; http_uri; content:"/fetch_options?username=",fast_pattern; http_header; content:!"User-Agent"; metadata:ruleset community; classtype:trojan-activity; sid:920282; rev:1; )
 alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Vulturi infostealer outbound connection detected"; flow:to_server,established; http_uri; content:"/send_report?username=",fast_pattern; content:"&cookie"; content:"&password"; metadata:ruleset community; classtype:trojan-activity; sid:920283; rev:1; )
 alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NPlus cryptocurrency miner outbound connection detected"; flow:to_server,established; http_header:field user-agent; content:"NPlusMiner/",fast_pattern; metadata:ruleset community; rem:"yara:MALWARE_Win_NPlusMiner"; classtype:trojan-activity; sid:920284; rev:1; )
+alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.LummaStealer outbound connection detected"; flow:to_server,established; http_uri; content:"/c2conf",fast_pattern; bufferlen:7; http_client_body; content:"lid="; http_header; content:!"User-Agent"; http_method; content:"POST"; metadata:ruleset community, service http; rem:"yara:MALWARE_Win_LummaStealer, clamav:MALWARE.Win.Trojan.LummaStealer"; classtype:trojan-activity; sid:2023813001; rev:1; )
+alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.LummaStealer outbound connection detected"; flow:to_server,established; http_uri; content:"/c2sock",fast_pattern; bufferlen:7; http_header; http_header:field user-agent; content:"TeslaBrowser/";  http_method; content:"POST"; metadata:ruleset community, service http; rem:"yara:MALWARE_Win_LummaStealer, clamav:MALWARE.Win.Trojan.LummaStealer"; classtype:trojan-activity; sid:2023813002; rev:1; )
 ################################################
 # INDICATOR PACKED
 ################################################
@@ -375,4 +377,4 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"POLICY-OTHER Remote Administ
 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_client,established; content:"<rman_message version=",fast_pattern; content:"<code>3</code>"; content:"</rman_message>",distance 0; metadata:ruleset community; classtype:policy-violation; sid:950001; rev:1;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|",fast_pattern; metadata:ruleset community; classtype:policy-violation; sid:950002; rev:1;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|",fast_pattern; content:"$",distance 2; metadata:ruleset community; classtype:policy-violation; sid:950003; rev:1;)
-alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-OTHER Iluminati proxy/anonymizer download/upgrade detected"; flow:to_server,established; http_uri; content:"/admin/rmt/luminati.io/",fast_pattern; metadata:ruleset community, service http; classtype:trojan-activity; sid:950004; rev:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-OTHER Iluminati proxy/anonymizer download/upgrade detected"; flow:to_server,established; http_uri; content:"/admin/rmt/luminati.io/",fast_pattern; metadata:ruleset community, service http; classtype:trojan-activity; sid:950004; rev:1;)
diff --git a/yara/malware.yar b/yara/malware.yar
@@ -9845,6 +9845,9 @@ rule MALWARE_Win_LummaStealer {
     meta:
         author = "ditekSHen"
         description = "Detects Lumma Stealer"
+        snort1 = "2023813001"
+        snort2 = "2023813002"
+        clamav1 = "MALWARE.Win.Trojan.LummaStealer"
     strings:
         $x1 = /Lum[0-9]{3}xedmaC2,\sBuild/ ascii
         $x2 = /LID\(Lu[0-9]{3}xedmma\sID\):/ ascii
@@ -10825,3 +10828,65 @@ rule MALWARE_Win_Fiber {
     condition:
         uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*) and 2 of ($i*)) or (4 of ($s*) and 4 of ($i*)) or (2 of ($s*) and 6 of ($i*)) or (1 of ($x*) and 3 of ($v*)) or (all of ($v*)))
 }
+
+rule MALWARE_Win_Unknown_PackedLoader_01 {
+    meta:
+        author = "ditekShen"
+        description = "Detects unknown loader / packer. Observed running LummaStealer"
+    strings:
+        $s1 = "Error at hooking API \"%S\"" wide
+        $s2 = "Dumping first %d bytes:" wide
+        $s3 = "Error at initialization of bundled DLL: %s" wide
+        $s4 = "GetMemoryForDLL()" ascii
+        $s5 = "type=activation&code=" ascii
+        $s6 = "activation.php?code=" ascii
+        $s7 = "&hwid=" ascii
+        $s8 = "&hash=" ascii
+        $s9 = "type=deactivation&hash=" ascii
+        $s10 = "deactivation.php?hash=" ascii
+        $s11 = "BANNED" fullword ascii
+        $s12 = "GetAdaptersInfo" ascii
+    condition:
+        uint16(0) == 0x5a4d and 11 of them
+}
+
+rule MALWARE_Win_LOLKEK {
+    meta:
+        author = "ditekShen"
+        description = "Detects LOLKEK / GlobeImposter ransowmare"
+    strings:
+        $s1 = "$Recycle.bin" fullword wide
+        $s2 = "\\\\?\\%c:" fullword wide
+        $s3 = ".MMM" fullword wide
+        $s4 = "ReadMe.txt" fullword wide
+        $s5 = "select * from Win32_ShadowCopy" fullword wide
+        $s6 = "Win32_ShadowCopy.ID='%s'" fullword wide
+        $s7 = "W3CRYPTO LOCKER" ascii
+        $s8 = "http://mmcb" ascii
+        $s9 = "yip.su/2QstD5" ascii
+        $s10 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe" ascii
+    condition:
+        uint16(0) == 0x5a4d and 7 of them
+}
+
+rule MALWARE_Win_Spacecolon {
+    meta:
+        author = "ditekSHen"
+        description = "Detects Spacecolon ransomware"
+    strings:
+        $s1 = "eraseext" fullword ascii
+        $s2 = "*.encrypted" fullword ascii
+        $s3 = "TIMATOMA#" fullword wide
+        $s4 = ".Encrypted" fullword wide
+        $s5 = "Already Encrypted" wide
+        $s6 = "note.txt" fullword wide
+        $s7 = "HOW TO RECOVERY FILES.TXT" fullword wide
+        $s8 = "taskkill /f /im \"" wide nocase
+        $s9 = "\\kill.bat" wide
+        $s10 = "Search cancelled -" fullword wide
+        $s11 = "%d folder(s) searched and %d file(s) found - %.3f second(s)" fullword wide
+        $s12 = "Our TOX ID :" ascii
+        $s13 = "tufhackteam@gmail.com" ascii
+    condition:
+        uint16(0) == 0x5a4d and 8 of them
+}
