
BlueCoat Inception APT Report Yara Rules

  1. rule InceptionDLL
  2. {
  3.     meta:
  4.         author = "Blue Coat Systems, Inc"
  5.         reference = "http://goo.gl/qr7BP4"
  6.         date = "12/10/2014"
  7.         description = "Used by unknown APT actors: Inception"
  8.     strings:
  9.         $a = "dll.polymorphed.dll"
  10.         $b = { 83 7d 08 00 0f 84 cf 00 00 00 83 7d 0c 00 0f 84 c5 00
  11.                00 00 83 7d 10 00 0f 84 bb 00 00 00 83 7d 14 08 0f 82
  12.                b1 00 00 00 c7 45 fc 00 00 00 00 8b 45 10 89 45 dc 68
  13.                00 00 }
  14.         $c = { FF 15 ?? ?? ?? ?? 8b 4d 08 8b 11 c7 42 14 00 00 00 00
  15.                8b 45 08 8b 08 8b 55 14 89 51 18 8b 45 08 8b 08 8b 55
  16.                0c 89 51 1c 8b 45 08 8b 08 8b 55 10 89 51 20 8b 45 08
  17.                8b 08 }
  18.         $d = { 68 10 27 00 00 FF 15 ?? ?? ?? ?? 83 7d CC 0a 0f 8d 47
  19.                01 00 00 83 7d d0 00 0f 85 3d 01 00 00 6a 20 6a 00 8d
  20.                4d d4 51 e8 ?? ?? ?? ?? 83 c4 0c 8b 55 08 89 55 e8 c7
  21.                45 d8 }
  22.         $e = { 55 8b ec 8b 45 08 8b 88 ac 23 03 00 51 8b 55 0c 52 8b
  23.                45 0c 8b 48 04 ff d1 83 c4 08 8b 55 08 8b 82 14 bb 03
  24.                00 50 8b 4d 0c 51 8b 55 0c 8b 42 04 }
  25.     condition:
  26.         any of them
  27. }
  28.  
  29. rule InceptionRTF {
  30.     meta:
  31.         author = "Blue Coat Systems, Inc"
  32.         reference = "http://goo.gl/qr7BP4"
  33.         date = "12/10/2014"
  34.         description = "Used by unknown APT actors: Inception"
  35.     strings:
  36.         $a = "}}PT@T"
  37.         $b = "XMLVERSION \"3.1.11.5604.5606"
  38.         $c = "objclass Word.Document.12}\\objw9355"
  39.     condition:
  40.         all of them
  41. }
  42.  
  43. rule InceptionMips {
  44.     meta:
  45.         author = "Blue Coat Systems, Inc"
  46.         reference = "http://goo.gl/qr7BP4"
  47.         date = "12/10/2014"
  48.         description = "Used by unknown APT actors: Inception"
  49.     strings:
  50.         $a = "start_sockat" ascii wide
  51.         $b = "start_sockss" ascii wide
  52.         $c = "13CStatusServer" ascii wide
  53.     condition:
  54.         all of them
  55. }
  56.  
  57. rule InceptionVBS {
  58.     meta:
  59.         author = "Blue Coat Systems, Inc; modified by Florian Roth"
  60.         reference = "http://goo.gl/qr7BP4"
  61.         date = "12/10/2014"
  62.         description = "Used by unknown APT actors: Inception"
  63.     strings:
  64.         $a = "c = Crypt(c,k)"
  65.         $b = "fso.BuildPath( WshShell.ExpandEnvironmentStrings(a)"
  66.         $c = "Dim p(4)" fullword ascii
  67.     condition:
  68.         all of them
  69. }
  70.  
  71. rule InceptionBlackberry {
  72.     meta:
  73.         author = "Blue Coat Systems, Inc; modified by Florian Roth"
  74.         reference = "http://goo.gl/qr7BP4"
  75.         date = "12/10/2014"
  76.         description = "Used by unknown APT actors: Inception"
  77.     strings:
  78.         $a1 = "POSTALCODE:"
  79.         $a2 = "SecurityCategory:"
  80.         $a3 = "amount of free flash:"
  81.         $a4 = { 24 d8 37 31 7c 27 31 27 7c 3a } /* replaced non ascii character srtring $Ø71|'1'|: */
  82.         $b1 = "God_Save_The_Queen"
  83.         $b2 = "UrlBlog"
  84.     condition:
  85.         all of ($a*) or all of ($b*)
  86. }
  87.  
  88. rule InceptionAndroid {
  89.     meta:
  90.         author = "Blue Coat Systems, Inc"
  91.         reference = "http://goo.gl/qr7BP4"
  92.         date = "12/10/2014"
  93.         description = "Used by unknown APT actors: Inception"
  94.     strings:
  95.         $a1 = "BLOGS AVAILABLE="
  96.         $a2 = "blog-index"
  97.         $a3 = "Cant create dex="
  98.     condition:
  99.         all of them
  100. }
  101.  
  102. rule InceptionIOS {
  103.     meta:
  104.         author = "Blue Coat Systems, Inc"
  105.         reference = "http://goo.gl/qr7BP4"
  106.         date = "12/10/2014"
  107.         description = "Used by unknown APT actors: Inception"
  108.     strings:
  109.         $a1 = "Developer/iOS/JohnClerk/"
  110.         $b1 = "SkypeUpdate"
  111.         $b2 = "/Syscat/"
  112.         $b3 = "WhatsAppUpdate"
  113.     condition:
  114.         $a1 and any of ($b*)
  115. }
  116.  
  117. rule InceptionCloudMe {
  118.     meta:
  119.         author = "Florian Roth"
  120.         reference = "http://goo.gl/qr7BP4"
  121.         date = "12/10/2014"
  122.         score = 65
  123.         description = "Compromised CloudMe accounts from BlueCoat operation Inception"
  124.     strings:
  125.         $s1 = "franko7046" fullword
  126.         $s2 = "sanmorinostar" fullword
  127.         $s3 = "tem5842" fullword
  128.         $s4 = "bimm4276" fullword
  129.         $s5 = "carter0648" fullword
  130.         $s6 = "depp3353" fullword
  131.         $s7 = "frogs6352" fullword
  132.         $s8 = "daw0996" fullword
  133.         $s9 = "chak2488" fullword
  134.         $s10 = "corn6814" fullword 
  135.         $s11 = "james9611" fullword
  136.         $s12 = "lisa.walker" fullword
  137.         $s13 = "billder1405" fullword
  138.         $s14 = "droll5587" fullword
  139.         $s15 = "samantha2064" fullword
  140.         $s16 = "chloe7400" fullword
  141.         $s17 = "browner8674935" fullword
  142.         $s18 = "parker2339915" fullword
  143.         $s19 = "young0498814" fullword
  144.         $s20 = "hurris4124867" fullword
  145.         $x1 = "cloudme" nocase fullword
  146.     condition:
  147.         1 of ($s*) and $x1
  148. }