andretavares-bitsight

## privateloader2024.yara
rule win_privateloader
{
    meta:
        author      = "andretavare5"
        description = "Detects PrivateLoader malware."
        org         = "Bitsight"
        date        = "2024-01-29"
        sample1_md5 = "8f70a0f45532261cb4df2800b141551d" // loader module Jan 2022
        sample2_md5 = "dbf48bf522a272297266c35b965c6054" // service module Nov 2023
        sample3_md5 = "51bb70b9a31d07c7d57da0c5b26545d4" // core module Dez 2023

## privateloader2024.rules
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BST MALWARE PrivateLoader"; flow:established,to_server; content:"POST"; http_method; pcre:"/(\/api\/(flash|firepro)\.php)/U"; pcre:"/data=[A-Za-z0-9%_-]+={0,2}/"; content:"application/x-www-form-urlencoded"; http_header; reference:url,https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service; sid:2008025;)

## privateloader2024.http
GET /api/bing_release.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: 77.105.147[.]130

HTTP/1.1 200 OK
Date: Mon, 05 Feb 2024 10:15:18 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 8

## tofsee_decompress.py
def decompress(data, size):
    def core(acu_0, acu_1, array, index):
        tmp_acu_1 = acu_1
        acu_1 = acu_1 - 1 & 0xFFFFFFFF

        if tmp_acu_1 == 0:
            acu_0 = ((array[index + 1] << 8) + array[index]) & 0xFFFFFFFF
            acu_1 = 0xF
            index += 2

## proxy_cfg
version 8
client.timeout_connect 30
client.timeout_read 60
client.timeout_write 60
server.sleep_connect 30
server.timeout_connect 30
server.timeout_read 60
server.timeout_write 60
target.timeout_connect 30
target.timeout_read 60

## miner_cfg
version 12
download_period 100
needmacrs $xmrcpu
kills cores_gt_1
tasks cores_gt_1
grabb.download_id 9
grabb.ifs
grabb.size_min 200000
grabb.size_max 350000
grabb.run $grabb

## tofsee.yara
rule win_tofsee
{
  meta:
    author       = "akrasuski1"
    published_at = "https://gist.github.com/akrasuski1/756ae39f96d2714087e6d7f252a95b19"
    revision_by  = "andretavare5"
    description  = "Tofsee malware"
    org          = "BitSight"
    date         = "2023-03-24"
    md5          = "92e466525e810b79ae23eac344a52027"

## tofsee_str_decrypt.py
def decrypt(enc_str, key1, key2):
    out = []
    for i in range(len(enc_str)):
        out.append(key1 ^ enc_str[i])
        if i % 2:
            key1 = (key1 + key2 - 1) & 0xFF
        else:
            key1 = (key1 + key2 + 1) & 0xFF
    return bytes(out)

## tofsee.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"BitSight MALWARE Possible Tofsee Server Hello"; flow:established,from_server; dsize:200; flowbits:set,TOFSEE_C2_GREET; flowbits:noalert; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008025; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"BitSight MALWARE Tofsee Hello"; flow:established,from_client; dsize:125; flowbits:isset,TOFSEE_C2_GREET; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008026; rev:1;)

## colibriloader.rules
alert http $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"BitSight MALWARE ColibriLoader"; flow:established,to_server; content:"GET";http_method; content:"gate.php?type=check&uid=";http_uri; pcre:"/^[a-zA-Z0-9]{20}$/V"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri; sid:2008025;)
	rule win_privateloader
	{
	meta:
	author = "andretavare5"
	description = "Detects PrivateLoader malware."
	org = "Bitsight"
	date = "2024-01-29"
	sample1_md5 = "8f70a0f45532261cb4df2800b141551d" // loader module Jan 2022
	sample2_md5 = "dbf48bf522a272297266c35b965c6054" // service module Nov 2023
	sample3_md5 = "51bb70b9a31d07c7d57da0c5b26545d4" // core module Dez 2023
	GET /api/bing_release.php HTTP/1.1
	Connection: Keep-Alive
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
	Host: 77.105.147[.]130

	HTTP/1.1 200 OK
	Date: Mon, 05 Feb 2024 10:15:18 GMT
	Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
	X-Powered-By: PHP/8.2.12
	Content-Length: 8
	def decompress(data, size):
	def core(acu_0, acu_1, array, index):
	tmp_acu_1 = acu_1
	acu_1 = acu_1 - 1 & 0xFFFFFFFF

	if tmp_acu_1 == 0:
	acu_0 = ((array[index + 1] << 8) + array[index]) & 0xFFFFFFFF
	acu_1 = 0xF
	index += 2
	version 8
	client.timeout_connect 30
	client.timeout_read 60
	client.timeout_write 60
	server.sleep_connect 30
	server.timeout_connect 30
	server.timeout_read 60
	server.timeout_write 60
	target.timeout_connect 30
	target.timeout_read 60
	version 12
	download_period 100
	needmacrs $xmrcpu
	kills cores_gt_1
	tasks cores_gt_1
	grabb.download_id 9
	grabb.ifs
	grabb.size_min 200000
	grabb.size_max 350000
	grabb.run $grabb
	rule win_tofsee
	{
	meta:
	author = "akrasuski1"
	published_at = "https://gist.github.com/akrasuski1/756ae39f96d2714087e6d7f252a95b19"
	revision_by = "andretavare5"
	description = "Tofsee malware"
	org = "BitSight"
	date = "2023-03-24"
	md5 = "92e466525e810b79ae23eac344a52027"
	def decrypt(enc_str, key1, key2):
	out = []
	for i in range(len(enc_str)):
	out.append(key1 ^ enc_str[i])
	if i % 2:
	key1 = (key1 + key2 - 1) & 0xFF
	else:
	key1 = (key1 + key2 + 1) & 0xFF
	return bytes(out)
	alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"BitSight MALWARE Possible Tofsee Server Hello"; flow:established,from_server; dsize:200; flowbits:set,TOFSEE_C2_GREET; flowbits:noalert; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008025; rev:1;)
	alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"BitSight MALWARE Tofsee Hello"; flow:established,from_client; dsize:125; flowbits:isset,TOFSEE_C2_GREET; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008026; rev:1;)