Find BlisterLoader with YARA.
100 Days of YARA – Day 54: Golang protobufs
Find golang binaries using protocol buffers with YARA.
100 Days of YARA – Day 53: AutoIt 3
Find AutoIt3-compiled binaries with YARA.
100 Days of YARA – Day 52: Golang ssh package
I was looking at some ABCbot samples and noticed that some of them included the golang ssh package. I thought this would be useful to know when looking at new samples. rule golang_ssh { meta: description = "Golang binary including golang.org/x/crypto/ssh" reference = "https://pkg.go.dev/golang.org/x/crypto/ssh" strings: $ = "golang.org/x/crypto/ssh" condition: all of them } YARA Rules …
Continue reading 100 Days of YARA – Day 52: Golang ssh package
100 Days of YARA – Day 51: bdvl
Find bdvl LD_PRELOAD rootkit with YARA.
100 Days of YARA – Day 50: libprocesshider
I have encountered libprocesshider being used in the wild. This is a userland rootkit that abuses LD_PRELOAD to hide processes. https://github.com/gianlucaborello/libprocesshider This library is simple; under 100 lines of C code. This rule matched on a malicious libprocesshider library found on a honeypot system. rule libprocesshider { meta: description = "libprocesshider userland rootkit" strings: $ …
100 Days of YARA – Day 49: RC4
I tried a few days ago to write a YARA rule to detect RC4 within samples and was having a hard time coming up with something that worked. RC4 is a simple to implement algorithm that is used commonly in malware. After Googling a bit, I found a blog post and a video on Youtube …
100 Days of YARA – Day 48: gscript
Find gscript payloads with YARA.
100 Days of YARA – Day 47: Private Keys
Find private key material with YARA.
100 Days of YARA – Day 46: NirSoft MailPassView
Find NirSoft's MailPassView with YARA.
100 Days of YARA – Day 45: Generic NirSoft Tools
Find NirSoft tools with YARA.
100 Days of YARA – Day 44: NirSoft LSA Secrets View
Find NirSoft LSA Secrets View with YARA.
DMFR SECURITY 