100 Days of YARA – Day 16: Public Services

Malware authors often abuse free or public services to distribute malicious content, hosting payloads on DropBox, Discord, Google Drive, PasteBin, or any number of similar services.

Searching for the domains used by these services can uncover malware in surprising places.

Ngrok

ngrok exposes a local service to the internet through a public HTTP tunnel. Despite being a legitimate service, it is often used maliciously.

rule ngrok_url
{
	meta:
		description = "Contains ngrok.io string"

	strings:
		$ = ".ngrok.io" ascii wide

	condition:
		all of them
}

DropBox

rule dropbox_url
{
	meta:
		description = "Contains a DropBox URL"

	strings:
		$ = "https://dl.dropbox.com/" ascii wide

	condition:
		all of them
}

rule dropbox
{
	meta:
		description = "Contains dropbox.com"

	strings:
		$ = "dropbox.com" ascii wide

	condition:
		all of them
}
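To show what the `ascii wide` modifier in the rules above actually matches, here is an added Python emulation of those three rules (not code from the original post, and not a substitute for yara-python): it searches constructed sample buffers for both the raw ASCII and the UTF-16LE form of each string, the way a Windows binary's string table or .NET resources would store them.

```python
# Added example: emulate the `ascii wide` / `all of them` semantics of the
# ngrok_url, dropbox_url and dropbox rules over constructed sample bytes.
from __future__ import annotations

# Rule name -> its strings, mirroring the rules on the page.
RULES = {
    "ngrok_url":   [".ngrok.io"],
    "dropbox_url": ["https://dl.dropbox.com/"],
    "dropbox":     ["dropbox.com"],
}


def encodings(s: str) -> list[bytes]:
    """The two byte forms `ascii wide` covers: raw ASCII and UTF-16LE."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def scan(data: bytes) -> dict[str, list[int]]:
    """Return {rule_name: [offsets]} for every rule whose strings all occur.

    Each rule uses `all of them`; with a single string that just means
    "the string is present". Offsets are kept so an analyst can see where
    in the sample the indicator lives.
    """
    hits: dict[str, list[int]] = {}
    for name, strings in RULES.items():
        offsets: list[int] = []
        for s in strings:
            found = False
            for enc in encodings(s):
                start = 0
                while (pos := data.find(enc, start)) != -1:
                    offsets.append(pos)
                    found = True
                    start = pos + 1
            if not found:          # `all of them`: one missing string fails the rule
                offsets = []
                break
        if offsets:
            hits[name] = sorted(offsets)
    return hits


# Constructed samples (not real malware):
ASCII_SAMPLE = b"\x00" * 16 + b"https://dl.dropbox.com/s/x/payload.bin" + b"\x00" * 16
# UTF-16LE string, as a Windows binary would store it; an ascii-only rule misses it.
WIDE_SAMPLE = b"MZ" + "http://abcd1234.ngrok.io/c2".encode("utf-16-le")
CLEAN_SAMPLE = b"nothing to see here, just a normal string"

if __name__ == "__main__":
    for label, buf in (("ascii", ASCII_SAMPLE), ("wide", WIDE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan(buf))
```

Note that the ASCII sample fires both DropBox rules, since `dropbox.com` is a substring of the `dl.dropbox.com` URL; that overlap is why the narrower rule is worth keeping as a separate, higher-signal hit.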

Others

I don’t think it makes a ton of sense to list all of the potentially abused services out there. As I encounter these being abused in the wild, I tend to create new rules for them.

These are low confidence rules, but I’ve found several samples that don’t match any of my rules except for these.
