@JohnHammond
Created March 30, 2023 09:09
YARA rule to help detect malicious files included in the 3CX supply chain attack
rule Malware_dprk_3cx
{
    meta:
        author = "HuntressLabs"
        created = "2023/03/30"
    strings:
        $ffmpeg = {41 f7 da 44 01 d2 ff c2 4c 63 ca 46 8a 94 0c 50 03 00 00 45 00 d0 45 0f b6 d8 42 8a ac 1c 50 03 00 00 46 88 94 1c 50 03 00 00 42 88 ac 0c 50 03 00 00 42 02 ac 1c 50 03 00 00 44 0f b6 cd 46 8a 8c 0c 50 03 00 00}
        $s1 = "D3dcompiler_47.dll" ascii
        $s2 = "3jB(2bsG#@c7" ascii
        $ror = {41 c1 cb 0d 0f be 03 48 ff c3 44 03 d8 80 7b ff 00}
        $header = {31 32 30 30 20 32 34 30 30 20 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 33 43 58 44 65 73 6b 74 6f 70 41 70 70 2f 31 38 2e 31 31 2e 31 31 39 37 20 43 68 72 6f 6d 65 2f 31 30 32 2e 30 2e 35 30 30 35 2e 31 36 37 20 45 6c 65 63 74 72 6f 6e}
        $downloader1 = {33 c1 41 69 d0 7d 50 bf 12 45 8b d1 83 c3 10 4c 0f af d7 49 c1 e9 20 81 c2 87 d6 12 00 4d 03 d1 44 69 ca 7d 50 bf 12}
        $github = "https://raw.githubusercontent.com/IconStorages/" wide nocase
    condition:
        $ffmpeg or ($s1 and $s2) or ($ror and $header) or $downloader1 or $github
}
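The following is an added example, not part of the gist above or of the Huntress rule: a small pure-Python re-implementation of how YARA evaluates this rule, written to make the semantics of the string modifiers visible. `ascii` (and a text string with no width modifier) searches the raw 8-bit form, `wide` searches UTF-16LE, `nocase` folds letter case, and a hex string with no wildcards or jumps (as here) matches byte-for-byte. It needs no yara-python; the buffers it scans are constructed in the script and are not real 3CX artefacts. The `SAMPLES`, `scan_samples` and `header_as_text` names are this example's own.

```python
"""Pure-Python walkthrough of the Malware_dprk_3cx YARA rule's matching logic.
Added example: not part of the gist or the Huntress rule. Buffers are constructed."""

# (kind, value, modifiers), transcribed from the rule's strings section.
STRINGS = {
    "$ffmpeg": ("hex", "41 f7 da 44 01 d2 ff c2 4c 63 ca 46 8a 94 0c 50 03 00 00 45 00 d0 45 0f b6 d8 "
                       "42 8a ac 1c 50 03 00 00 46 88 94 1c 50 03 00 00 42 88 ac 0c 50 03 00 00 "
                       "42 02 ac 1c 50 03 00 00 44 0f b6 cd 46 8a 8c 0c 50 03 00 00", set()),
    "$s1": ("text", "D3dcompiler_47.dll", {"ascii"}),
    "$s2": ("text", "3jB(2bsG#@c7", {"ascii"}),
    "$ror": ("hex", "41 c1 cb 0d 0f be 03 48 ff c3 44 03 d8 80 7b ff 00", set()),
    "$header": ("hex", "31 32 30 30 20 32 34 30 30 20 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 "
                       "6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 "
                       "6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 "
                       "20 47 65 63 6b 6f 29 20 33 43 58 44 65 73 6b 74 6f 70 41 70 70 2f 31 38 2e 31 31 2e "
                       "31 31 39 37 20 43 68 72 6f 6d 65 2f 31 30 32 2e 30 2e 35 30 30 35 2e 31 36 37 20 45 "
                       "6c 65 63 74 72 6f 6e", set()),
    "$downloader1": ("hex", "33 c1 41 69 d0 7d 50 bf 12 45 8b d1 83 c3 10 4c 0f af d7 49 c1 e9 20 81 c2 87 "
                            "d6 12 00 4d 03 d1 44 69 ca 7d 50 bf 12", set()),
    "$github": ("text", "https://raw.githubusercontent.com/IconStorages/", {"wide", "nocase"}),
}


def pattern_bytes(name: str) -> bytes:
    """Raw bytes of a hex string; none of this rule's hex strings use wildcards or jumps."""
    kind, value, _ = STRINGS[name]
    if kind != "hex":
        raise ValueError(f"{name} is not a hex string")
    return bytes.fromhex(value)


def text_forms(value: str, modifiers: set) -> list:
    """Encodings searched for a text string: 'ascii' is the default when no width
    modifier is present; 'wide' adds (or, alone, replaces it with) UTF-16LE."""
    forms = []
    if "ascii" in modifiers or "wide" not in modifiers:
        forms.append(value.encode("ascii"))
    if "wide" in modifiers:
        forms.append(value.encode("utf-16-le"))
    return forms


def contains(data: bytes, needle: bytes, nocase: bool) -> bool:
    """Substring search. bytes.lower() folds ASCII letters only, which also covers
    UTF-16LE text whose characters are all in the ASCII range (the null bytes are untouched)."""
    if nocase:
        return needle.lower() in data.lower()
    return needle in data


def evaluate_strings(data: bytes) -> dict:
    """Map each string identifier of the rule to whether it occurs in data."""
    hits = {}
    for name, (kind, value, mods) in STRINGS.items():
        if kind == "hex":
            hits[name] = bytes.fromhex(value) in data
        else:
            hits[name] = any(contains(data, form, "nocase" in mods)
                             for form in text_forms(value, mods))
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition, transcribed literally."""
    s = evaluate_strings(data)
    return bool(s["$ffmpeg"] or (s["$s1"] and s["$s2"]) or (s["$ror"] and s["$header"])
                or s["$downloader1"] or s["$github"])


# Constructed buffers (not real samples), one per branch of the condition plus
# the near-misses that show why the paired strings are paired.
PAD = b"\x00" * 16
SAMPLES = {
    "wide_url": PAD + "https://raw.githubusercontent.com/IconStorages/".encode("utf-16-le") + PAD,
    "wide_url_upper": PAD + "HTTPS://RAW.GITHUBUSERCONTENT.COM/ICONSTORAGES/".encode("utf-16-le"),
    "ascii_url": PAD + b"https://raw.githubusercontent.com/IconStorages/" + PAD,  # wide only: no hit
    "dll_name_only": PAD + b"D3dcompiler_47.dll" + PAD,                           # $s1 without $s2
    "dll_name_and_key": PAD + b"D3dcompiler_47.dll" + PAD + b"3jB(2bsG#@c7",
    "ror_only": PAD + pattern_bytes("$ror"),                                       # $ror without $header
    "ror_and_header": pattern_bytes("$ror") + PAD + pattern_bytes("$header"),
    "ffmpeg_code": PAD + pattern_bytes("$ffmpeg"),
}


def scan_samples() -> dict:
    """Verdict of the rule for every constructed buffer."""
    return {name: rule_matches(buf) for name, buf in SAMPLES.items()}


def header_as_text() -> str:
    """$header is plain ASCII: decoding it shows the user-agent string the rule keys on."""
    return pattern_bytes("$header").decode("ascii")


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:18s} -> {'MATCH' if verdict else 'no match'}")
    print(header_as_text())
```

Two of the near-misses are worth noting when tuning or porting the rule: `D3dcompiler_47.dll` is the name of a legitimate DirectX component, so `$s1` alone would fire on many clean binaries and the condition only counts it together with `$s2`; and `$github` is declared `wide` without `ascii`, so the URL is only detected in its UTF-16LE form, not as an 8-bit string.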