Malware authors often abuse free or public services to distribute malicious content. They may host payloads on Dropbox, Discord, Google Drive, Pastebin, or any number of other services.
Searching samples for the domains used by these services can uncover malware in surprising places.
Ngrok
ngrok exposes a local service to the internet through an HTTP(S) tunnel. Despite being a legitimate service, it is frequently abused, so an ngrok hostname inside a sample is worth a closer look.
rule ngrok_url
{
    meta:
        description = "Contains ngrok.io string"
    strings:
        $ = ".ngrok.io" ascii wide
    condition:
        all of them
}
Dropbox
rule dropbox_url
{
    meta:
        description = "Contains a DropBox URL"
    strings:
        $ = "https://dl.dropbox.com/" ascii wide
    condition:
        all of them
}
rule dropbox
{
    meta:
        description = "Contains dropbox.com"
    strings:
        $ = "dropbox.com" ascii wide
    condition:
        all of them
}
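The rules above all carry the ascii wide modifier, which is what lets them catch URLs stored as UTF-16LE in .NET or PowerShell droppers. The following is an added example, not the author's code and not YARA itself: a small pure-Python scanner that reproduces that matching over constructed sample buffers (the RULES table mirrors the three rules on this page; the samples are made up), so the difference between ASCII-only and ascii+wide matching can be seen directly.

```python
# Added example (not the author's code, and not yara itself): a small pure-Python
# scanner that reproduces what the `ascii wide` modifier in the rules above does,
# so the effect of the modifier can be seen on constructed sample buffers.

# Rule name -> literal strings, copied from the rules on this page.
RULES = {
    "ngrok_url": [".ngrok.io"],
    "dropbox_url": ["https://dl.dropbox.com/"],
    "dropbox": ["dropbox.com"],
}

def find_all(data: bytes, needle: bytes) -> list[int]:
    """Byte offsets of every (possibly overlapping) occurrence of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def scan(data: bytes, wide: bool = True) -> dict[str, list[int]]:
    """Return {rule_name: sorted offsets} for each rule whose strings all occur.

    `ascii` matches the literal as raw bytes; `wide` additionally matches its
    UTF-16LE encoding (each character followed by a NUL byte), which is how
    strings are stored in .NET, PowerShell and many Windows binaries.
    Every rule above uses `all of them`, so a rule hits only if each of its
    strings was found at least once.
    """
    hits = {}
    for name, literals in RULES.items():
        offsets = []
        for literal in literals:
            found = find_all(data, literal.encode("ascii"))
            if wide:
                found += find_all(data, literal.encode("utf-16-le"))
            if not found:
                break
            offsets += found
        else:
            hits[name] = sorted(offsets)
    return hits

# Constructed sample buffers (made up for this example, not real malware).
SAMPLES = {
    "ascii_downloader": b"GET https://dl.dropbox.com/s/abc/stage2.bin HTTP/1.1\r\n",
    "wide_beacon": "http://x.ngrok.io/beacon".encode("utf-16-le"),
    "benign": b"https://example.org/index.html",
}

if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        print(f"{label:17} ascii+wide={scan(buf)}  ascii_only={scan(buf, wide=False)}")
```

Running it shows the wide_beacon buffer matching ngrok_url only when wide matching is enabled, which is exactly the case a plain ASCII grep over the same file would miss.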
Others
I don’t think it makes a ton of sense to list all of the potentially abused services out there. As I encounter these being abused in the wild, I tend to create new rules for them.
These are low confidence rules, but I’ve found several samples that don’t match any of my rules except for these.