100 Days of YARA – Day 18: Yanluowang Ransomware

Another ransomware strain is known as Yanluowang. Here are some of my bookmarks that I’ve tagged as Yanluowang: https://pinboard.in/u:droberson/t:yanluowang/

This blog post by Symantec was very interesting to me, as it presented a lot of generic examples of post-exploitation activity that was observed by the operators of this ransomware: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue

Particularly, this article mentions the following software being used in these intrusions:

  • ConnectWise (formerly ScreenConnect)
  • ADFind
  • SoftPerfect Network Scanner
  • GrabFF
  • GrabChrome
  • BrowserPassView
  • KeeThief
  • secretsdump.exe
  • Screen capture tools
  • Cobalt Strike

This is interesting because this is how attackers actually operate. These are the tools that they are using. Reading other research articles such as the one linked above, these tools often make repeat appearances across different groups and malware families.

Being able to detect the tools that these folks are using can be helpful to incident responders. Many of these tools may be authorized or expected within your environment, but it is probably worth investigating if you discover any of them on your network.

I found a couple of samples of this ransomware on VX-Underground: https://samples.vx-underground.org/samples/Families/YanluowangRansomware/

These samples both included a string with the following PDB:

C:\Users\111\Desktop\wifi\project\ConsoleApplication2\Release\ConsoleApplication2.pdb

PDB paths can be used to track similar malware families and may provide attribution for malware. This is highlighted in the following post:

The following YARA rule may find variations of this ransomware:

rule yanluowang_pdb
{
	meta:
		description = "PDB path found in Yanluowang ransomware samples"

	strings:
		$ = "C:\\Users\\111\\Desktop\\wifi\\project\\ConsoleApplication2\\Release\\ConsoleApplication2.pdb"

	condition:
		all of them
}

YARA Rule Index

One thought on “100 Days of YARA – Day 18: Yanluowang Ransomware

  1. Pingback: Week 02 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s