100 Days of YARA – Day 18: Yanluowang Ransomware

Another ransomware strain is known as Yanluowang. Here are some of my bookmarks that I've tagged as Yanluowang: https://pinboard.in/u:droberson/t:yanluowang/ This blog post by Symantec was very interesting to me, as it presented a lot of generic examples of post-exploitation activity that was observed by the operators of this ransomware: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue Particularly, this article mentions the …

Continue reading 100 Days of YARA – Day 18: Yanluowang Ransomware

100 Days of YARA – Day 16: Public Services

Malware authors often abuse free or public services to distribute malicious content. They may host payloads on DropBox or Discord, Google Drive, PasteBin, or a number of services. Searching for the domains used by these services can uncover malware in surprising places. Ngrok ngrok is used to tunnel traffic through HTTP. Despite being a legitimate …

Continue reading 100 Days of YARA – Day 16: Public Services

100 Days of YARA – Day 8: Salsa20

Salsa20 is a stream cipher used by various ransomware software: https://appuals.com/grandcrab-ransomware-v4-1-2-theft-prevented-with-salsa20-algorithm/https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.htmlhttps://www.acronis.com/en-us/articles/sodinokibi-ransomware/ I took a similar approach to the rules in previous posts to find MD5 and SHA256 implementations. I found a constant by reading the source code of a Salsa20 implementation on GitHub and looking for unique constants: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125 This was able to detect Sodinokibi …

Continue reading 100 Days of YARA – Day 8: Salsa20

100 Days of YARA – Day 7: SHA256

Here is an example using the same approach outlined in the previous post about identifying MD5 constants, but applied to SHA256. I used OpenSSL's source code to determine these constants and re-arranged each constant into little-endian byte sequences: https://github.com/openssl/openssl/blob/master/crypto/sha/sha256.c rule sha256_constants { meta: description = "SHA256 constants" strings: $ = { 852c7292 } $ = …

Continue reading 100 Days of YARA – Day 7: SHA256