Day 7️⃣4️⃣ of #100DaysofYARA: Copied some macOS shellcode examples from @theevilbit's repo into hex strings and running them through a VT retrohunt to see if they've gotten put in anything fun 👀🤔
Love when there are results I can't access 😢 Maybe by the end of the run I'll have one for my plan lol
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/susp_macos_shellcode.yar
Day 7️⃣3️⃣ of #100DaysofYARA: You should definitely use the script (https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md) provided by Microsoft to scan for impact... but here's my attempt to scan for CVE-2023-23397 message files in YARA!
I tried replicating the POC from MdSec (https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/), but it being my first time using dotnet, locally patching MsgKit was a pain given it uses an old dotnet version... so I got as close as I could without the patched elements added, then guessed the rest (figured wide strings, OLE msg header, etc).
Day 7️⃣2️⃣ of #100DaysofYARA: Working through a hunting rule for Mach-Os that clear xattrs like "com.apple.quarantine" 🤔 There are a lot of false positives from software updaters but it also catches malware like EliteKeylogger, Genieo, and MaMi in the @objective_see malware collection.
From a VT Retrohunt this surfaces some interesting things like:
* Blizzard Jailbreak exploits
* MacBooster PUPs
Day 7️⃣1️⃣ of #100DaysofYARA: First uploaded to VT in 2012, SniperSpy is another macOS backdoor that won't run on modern machines due to 32-bit deprecation, but I noticed it wasn't getting flagged in XProtect yet 🤔
Day 7️⃣0️⃣ of #100DaysofYARA: Checking for an old PoC macOS rootkit that was shared in Phrack back in 2009 👀 I doubt it would run anywhere these days given it was PowerPC and used deprecated methods, but who knows.
Day 6️⃣9️⃣ of #100DaysofYARA: With the recent FBI seizure/action against the NetWire RAT (https://www.justice.gov/usao-cdca/pr/federal-authorities-seize-internet-domain-selling-malware-used-illegally-control-and) I figure it's as good a time as any to look at the malware and write a YARA rule 👀
Interestingly it uses some Windows conventions like percent environment variables for %PATH% and more, which you just don't see in macOS -- another giveaway is the user agent and this function nesting nonsense.
Day 6️⃣8️⃣ of #100DaysofYARA: In 2009 an indie game developer wrote some malware/art which deletes unrelated files on players' computers for "fun" -- sounds more like a wiper to me 🤷‍♂️ Wrote a YARA rule for it. ✅
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_macos_loselose.yar
Day 6️⃣7️⃣ of #100DaysofYARA: continuing to look at the Pureland stealer by 0xfff -- I ran 2 versions of my rule's condition through a retrohunt, conditions of "all of them" and "60% of them" to give a buffer for strings being missing... and we found more samples! 🎉 Many of them still have 0-1 detection(s) across the vendors in VT.
To see which rule strings weren't present across all samples I showed matches with strings ("-s"), filtered out rule names and match addresses, then sorted based on the count:
$ yara -sr shellcromancer/mal_macos_pureland.yar ~/Samples/macOS/crypto_stealer/pureland | grep -v mal_macos_pureland | awk -F ':' '{ print $2 $3 }' | sort | uniq -c | sort
4 $s2 /Library/Application Support/Exodus/exodus.wallet/
12 $ext0 nkbihfbeogaeaoehlefnkodbefgpgknn
12 $ext1 bfnaelmomeimhlpmgjnjophhpkkoljpa
12 $ext2 ibnejdfjmmkpcnlpebklmnkoeoihofec
12 $ext3 efbglgofoippbgcjepnhiblaibcnclgk
12 $s0 system_profiler SPHardwareDataType > /Users/
12 $s1 security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}' > /Users/
12 $s3 /.dkdbsqtl/vakkdsr
So very few samples have the Exodus stealing code path 🤔 Other build names used in these are CleanMyMacX and "Installer Cthulhu" 📈
More hashes:
Day 6️⃣6️⃣ of #100DaysofYARA: I wanted to experiment with finding exploit primitives using YARA and one of the easiest is searching for a NOP sled -- I figured these would only be present in exploited memory payloads but turns out loads of legit software and malware alike will have these sleds on disk 🤷‍♂️
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/info_nop_sled.yar
Day 6️⃣5️⃣ of #100DaysofYARA: Elite Keylogger (https://www.elitekeyloggers.com/elite-keylogger-mac) claims to be a "Free undetectable Mac keylogger" that worked up until macOS Catalina, but it's really trivial to detect with YARA given they throw their name all over the place in their classes 😬
Day 6️⃣4️⃣ of #100DaysofYARA: Added a rule for the xmrig CoinMiner sample in the Objective-See collection -- pretty big overlap with the HonkBox reporting that SentinelOne and Jamf talked about over the last few weeks, plus XProtect's HonkBox signature detects this sample. Both tunnel xmrig miner traffic over the I2P protocol with similar configs.
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_macos_coinminer.yar
Day 6️⃣2️⃣ of #100DaysofYARA: Writing up a signature for the old XslCmd backdoor that FireEye/Mandiant wrote about in 2014 that XProtect doesn't have coverage for today. We can reliably detect this using strings across the file paths, and the debug statements the authors left in. 👾
One thing I did was combine the two strings "/tmp/osver.log" and "/tmp/osname.log" into one YARA hex string, and a jump spanning a character ended up with the following: { 2f 74 6d 70 2f 6f 73 [3-4] 2e 6c 6f 67 }.
To decode matches and verify that the jump still gets us what we want, we add the "-s" flag to the YARA scan to show the string matches, then append `| grep "\$s3" | awk -F ":" '{print $3}' | r.hex` to get the hex match strings and decode them with Binary Refinery 🎉
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_macos_xslcmd.yar
Day 6️⃣1️⃣ of #100DaysofYARA: reworked the previous hunting rule for Mach-Os without a __PAGEZERO to operate without the module, that way we can run in a default YARA installation and places like VirusTotal.
This meant taking the offset for the mach_header->filetype of 0xc and comparing that with the MH_EXECUTE constant, then doing a wider search against the presence of the target segment names across the load commands region (up to mach_header->sizeofcmds).
I'm pretty happy with the results in VirusTotal - most things I'm looking at have little to no detections. Not sure if it's just old software submitted or something interesting 🤔
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/macho_no_pagezero.yar
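As an added example (not the post's rule or code), a Python re-implementation of the described module-free check on a 64-bit little-endian Mach-O: filetype at 0xc compared with MH_EXECUTE, then a search for __PAGEZERO across the load commands up to sizeofcmds, beside a proper load-command walk for comparison. build_macho and its segment lists are constructed test inputs, not real binaries.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF    # little-endian 64-bit Mach-O
MH_EXECUTE = 0x2            # mach_header->filetype for a main executable
MH_DYLIB = 0x6              # a dylib legitimately has no __PAGEZERO
LC_SEGMENT_64 = 0x19
# mach_header_64: magic, cputype, cpusubtype, filetype (offset 0xc), ncmds,
# sizeofcmds (offset 0x14), flags, reserved; load commands follow at 0x20.
HEADER_FMT = "<8I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

def segment_names(data: bytes) -> list[str]:
    """Walk the load commands and return LC_SEGMENT_64 names in order."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        return []
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 0x10)
    names, off, end = [], HEADER_SIZE, min(len(data), HEADER_SIZE + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:          # malformed header; avoid looping forever
            break
        if cmd == LC_SEGMENT_64 and off + 24 <= end:
            names.append(data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace"))
        off += cmdsize
    return names

def missing_pagezero(data: bytes) -> bool:
    """The post's logic: MH_EXECUTE whose load-command region never names __PAGEZERO."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        return False
    filetype = struct.unpack_from("<I", data, 0xC)[0]
    sizeofcmds = struct.unpack_from("<I", data, 0x14)[0]
    region = data[HEADER_SIZE:HEADER_SIZE + sizeofcmds]
    return filetype == MH_EXECUTE and b"__PAGEZERO" not in region

def build_macho(segments: list[bytes], filetype: int = MH_EXECUTE) -> bytes:
    """Constructed header + LC_SEGMENT_64 commands for testing; not a loadable binary."""
    cmds = b"".join(
        # segment_command_64 is 72 bytes; only cmd, cmdsize and segname matter here
        struct.pack("<II16s4Q4I", LC_SEGMENT_64, 72, name.ljust(16, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0)
        for name in segments)
    return struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, filetype,
                       len(segments), len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    for label, blob in (("normal exe", build_macho([b"__PAGEZERO", b"__TEXT"])),
                        ("no __PAGEZERO", build_macho([b"__TEXT", b"__LINKEDIT"])),
                        ("dylib", build_macho([b"__TEXT"], MH_DYLIB))):
        print(f"{label:14} segments={segment_names(blob)} flag={missing_pagezero(blob)}")
```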
Day 3️⃣1️⃣ of #100DaysofYara: PDF Downloaders used by IcedID
🔗https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/031/031.md
#IcedID campaigns have previously leveraged PDF files that download an archive from firebase:
📖: https://github.com/pr0xylife/IcedID/blob/main/icedID_02.03.2023.txt
Today's yara rule detects these .pdf files!
RT @threathog
You may have never considered the performance impact of your YARA rules. Performance matters when we run at scale @InsideStairwell. Thankfully @cyb3rops has written (and recently updated) a guide, check it out https://github.com/Neo23x0/YARA-Performance-Guidelines/ #100daysofyara
Day 6️⃣0️⃣ of #100DaysofYARA: Quick antivirus solution: run YARA against all the processes on your computer:
for pid in $(ps -A | awk '{print $1}'); do sudo yara macho_missing_pagezero.yar "$pid"; done
This works by setting the scan target as all of the PIDs of your system, which takes a bit of time but works! Expect an error on some PIDs like for launchd 🫡
After taking some time off from work to reset, let's pick back up #100DaysofYara with Day 3️⃣0️⃣: Internet Shortcut Files & Batch Scripts
🔗https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/030/030.md
Recently #Qakbot used .url files to download external .bat scripts:
📚https://infosec.exchange/@sans_isc/109944693734761893
Today's yara rule looks for suspicious .url files and found a ton of files that leverage the discord CDN to download scripts - some of them for trolling users
Day 5️⃣9️⃣ of #100DaysofYARA: Looking at a classic macOS malware sample from 2017 that didn't have a signature in XProtect - osx.systemd
It's a C++ sample which makes it a little tougher to analyze than Objective-C or Go (for me at least), but even with unknown code structures we could still look at strings 🤣
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_macos_systemd.yar
#100DaysofYARA Choose your own adventure challenge! 🧵
Both malware devs AND detection engineers make choices in their processes. I wanna see the blue choices 🔵
Pick 1 of 3 old samples! Extra bonus points for writing up WHY your rule detects it and HOW you decided that
The samples are a fun set to choose from in my opinion - can grab them from MalwareBazaar
AcidBox: https://bazaar.abuse.ch/sample/eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5/
HiKit: https://bazaar.abuse.ch/sample/3fc8afb4fa3a2d7b57128df0429c0a026d04f387b61dfec26b75a4bda193dcf9/
Reductor: https://bazaar.abuse.ch/sample/4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1/
All rules are accepted! The Unit42 team published a sweet rule for AcidBox, so feel free to use it as inspiration.
Respond to this thread with your rule and analytic workflow
Day 5️⃣8️⃣ of #100DaysofYARA: I was stoked this morning when I got a hit from the machO tag in MalwareBazaar 🎉 https://twitter.com/geenensp uploaded some samples of the ddosia/GoStresser botnet client, which is a Go app that users self-infect (??) for the cause. Writing a signature is pretty easy using the Go package/struct names, file names, and a regex pattern the app uses, so with that down, what else is interesting in here? 🤔
The most fun part is the main.BackendLink global which embeds the C2 server's IP address of 94[.]140[.]115[.]129 - using this we can see the C2 server is still online, pull its targeting list and check out who's next.
If you need yet another reason to detect unexpected VPN clients, add Surfshark 🦈 to the list - the botnet operators specifically call it out: before joining their network, clients should enable it (see https://web.archive.org/web/20221013185306/https://dddosia.github.io/).
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_ddosia.yar
#100DaysofYARA #DDOSIA #go_stresser #ioc