100 Days of YARA – Day 29: MysterySnail

Recently, a campaign was discovered which was exploiting a zero-day privilege escalation bug which was later assigned as CVE-2021-40449.

This group has been named MysterySnail. The following rule matches on a RAT component belonging to this group.

rule mysterysnail
{
	meta:
		description = "MysterySnail RAT"
		reference = "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/"
		hash = "b7fb3623e31fb36fc3d3a4d99829e42910cad4da4fa7429a2d99a838e004366e"

	strings:
		$ = "IP:%d.%d.%d.%d"
		$ = "IP:error"
		$ = "CONNECT %s:%d HTTP/1.1"

	condition:
		uint16(0) == 0x5a4d and all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 29: MysterySnail

  1. Pingback: Week 04 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s