100 Days of YARA – Day 37: PRISM

PRISM is a stealthy backdoor for *nix hosts. It listens for magic ICMP packets and, on receiving one, spawns a reverse shell to an attacker-controlled IP address. Sniffing ICMP this way requires a raw socket, so the backdoor has to run as root, which is where the "I'm not root :(" string in the rule below comes from: https://github.com/andreafabrizi/prism
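A trigger token recovered from a sample is useful on the wire as well as on disk. The script below is an added example, not code from the original post or from the PRISM project: it parses raw IPv4/ICMP echo requests, verifies the ICMP checksum, and flags any request whose payload carries a trigger token. EXAMPLE_TRIGGER_KEY, the addresses and both sample packets are constructed placeholders; the password recovered in the post is not reproduced here, and the assumption that the token travels inside the echo-request payload is mine rather than something the page states.

```python
"""Hunt for a magic ICMP trigger in raw IPv4 packets (added example)."""
import struct

# Assumption (not from the post): placeholder trigger token. Replace it with
# the hard-coded password recovered from the sample you reversed.
EXAMPLE_TRIGGER_KEY = b"EXAMPLE-TRIGGER-KEY"

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_echo_request(src: str, dst: str, payload: bytes,
                       ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a minimal IPv4 + ICMP echo request (used to construct test input)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         64, IPPROTO_ICMP, 0, _ipv4(src), _ipv4(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_icmp(packet: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8 or total_len > len(packet):
        return None
    icmp = packet[ihl:total_len]
    if checksum(icmp) != 0:          # corrupted or truncated ICMP: ignore it
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, icmp[0], icmp[8:]


def find_trigger(packet: bytes, key: bytes = EXAMPLE_TRIGGER_KEY):
    """Flag an echo request whose payload carries the trigger token.

    Returns a dict with source, destination, the token's offset and the bytes
    following it (where a backdoor would carry its call-back target), or None
    for traffic that does not match.
    """
    parsed = parse_icmp(packet)
    if parsed is None:
        return None
    src, dst, icmp_type, payload = parsed
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    offset = payload.find(key)
    if offset < 0:
        return None
    return {"src": src, "dst": dst, "offset": offset,
            "rest": payload[offset + len(key):]}


def scan(packets):
    """Run find_trigger over a sequence of raw packets and collect the hits."""
    return [hit for hit in (find_trigger(p) for p in packets) if hit is not None]


# Constructed samples: a normal Linux ping payload (8-byte timestamp plus the
# 0x10..0x37 filler) and a packet carrying the placeholder trigger followed by
# a made-up call-back address and port.
BENIGN_PING = build_echo_request("10.0.0.5", "10.0.0.9",
                                 b"\x00" * 8 + bytes(range(0x10, 0x38)))
TRIGGER_PING = build_echo_request("198.51.100.7", "10.0.0.9",
                                  EXAMPLE_TRIGGER_KEY + b" 198.51.100.7 4444")

if __name__ == "__main__":
    for hit in scan([BENIGN_PING, TRIGGER_PING]):
        print("magic ICMP trigger %(src)s -> %(dst)s at payload offset %(offset)d, "
              "trailing data %(rest)r" % hit)
```

Swap in the real token and feed the functions packets from a raw socket or a pcap; the rest field is what to inspect for the call-back target, and the benign ping shows that ordinary echo traffic produces no hit. A packet whose ICMP checksum does not verify is dropped rather than matched, so a truncated capture cannot produce a spurious alert.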

I encountered this during the Pros Versus Joes CTF. After discovering this malware running, I found it running on all of my team’s additional Linux hosts. Reversing the sample quickly revealed the hard-coded password in this backdoor. Strangely enough, this password was also used on the other teams’ systems.

My team exploited this finding by leveraging PRISM to spawn beacons on the other teams' hosts during the offensive leg of the contest. This allowed us to rack up points and establish a commanding lead on the scoreboard, ultimately winning the contest.

rule prism
{
	meta:
		author = "Daniel Roberson"
		description = "https://github.com/andreafabrizi/prism"

	strings:
		// Program name; too generic to match on its own, hence "all of them"
		$a = "PRISM"
		// Message emitted when the backdoor is started without root privileges
		$b = "I'm not root :("

	condition:
		all of them
}


One thought on "100 Days of YARA – Day 37: PRISM"

  1. Pingback: Week 05 – 2022 – This Week In 4n6
