Enrich NodeJS detection for supply-chain attacks similar to Solana we…

…b3 v1.95.7 (#678)

* update testdata

* tune post_hardcoded_hardcoded_host rule

* run yara-x-fmt

* add missing rule files

* remove duplicate string_reversal rule

---------

Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

rules/anti-static/obfuscation/nodejs.yara

@@ -19,4 +19,3 @@ rule nodejs_buffer_from_many: high {
   condition:
     any of them
 }
-

rules/anti-static/obfuscation/reverse.yara

@@ -0,0 +1,10 @@
+rule string_reversal: medium {
+  meta:
+    description = "reverses strings"
+
+  strings:
+    $ref = "split(\"\").reverse().join(\"\")"
+
+  condition:
+    any of them
+}

rules/c2/addr/url.yara

@@ -1,3 +1,5 @@
+import "math"
+
 private rule elf_or_macho {
   condition:
     uint32(0) == 1179403647 or (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
@@ -31,6 +33,24 @@ rule exotic_tld: high {
     filesize < 10MB and any of ($http*) and none of ($not_*)
 }
 
+rule post_exotic_tld: high {
+  meta:
+    description = "uploads content to hostname with unusual top-level domain"
+
+  strings:
+    $http_exotic_tld = /https*:\/\/[\w\-\.]{1,128}\.(vip|red|cc|wtf|top|pw|ke|space|zw|bd|ke|am|sbs|date|pw|quest|cd|bid|xyz|cm|xxx|casino|online|poker|ua)\//
+    $post            = /(post|POST)/ fullword
+    $not_electron    = "ELECTRON_RUN_AS_NODE"
+    $not_nips        = "nips.cc"
+    $not_gov_bd      = ".gov.bd"
+    $not_eol         = "endoflife.date"
+    $not_whois       = "bdia.btcl.com.bd"
+    $not_arduino     = "arduino.cc"
+
+  condition:
+    filesize < 10MB and $http_exotic_tld and $post and none of ($not_*) and math.abs(@http_exotic_tld - @post) <= 128
+}
+
 rule http_url_with_question: medium {
   meta:
     description = "contains hardcoded endpoint with a question mark"

rules/data/encoding/base58.yara

@@ -0,0 +1,10 @@
+rule b58 {
+  meta:
+    description = "Supports base58 encoded strings"
+
+  strings:
+    $base64 = "bs58" fullword
+
+  condition:
+    any of them
+}

rules/exfil/http_headers.yara

@@ -0,0 +1,17 @@
+rule weird_http_headers: high {
+  meta:
+    description = "references unusual HTTP headers"
+
+  strings:
+    $h_cf_id  = "x-amz-cf-id" fullword
+    $h_cf_pop = "x-amz-cf-pop" fullword
+
+    $v_fetch = "fetch" fullword
+    $v_GET   = "GET" fullword
+    $v_POST  = "POST" fullword
+    $v_get   = "get" fullword
+    $v_post  = "post" fullword
+
+  condition:
+    filesize < 1MB and any of ($h*) and any of ($v*)
+}

rules/exfil/nodejs.yara

@@ -1,3 +1,5 @@
+import "math"
+
 rule nodejs_sysinfoexfil: high {
   meta:
     description = "may gather and exfiltrate system information"
@@ -88,9 +90,21 @@ rule nodejs_phone_home_hardcoded_host: critical {
     description = "accesses system information and uploads it to hardcoded host"
 
   strings:
-    $ref = /hostname: "[\w\.]{5,63}",/
+    $ref = /hostname: "[\w\.\-]{5,63}",/
 
   condition:
     nodejs_phone_home and $ref
 }
 
+rule post_hardcoded_hardcoded_host: medium {
+  meta:
+    description = "posts content to a hardcoded host"
+
+  strings:
+    $ref  = /hostname: "[\w\.\-]{5,63}",/
+    $ref2 = /fetch\(\"https{0,1}:\/\/[\w\.\-]{5,63}.{0,64}/
+    $post = "POST" fullword
+
+  condition:
+    any of ($ref*) and $post and ((math.abs(@ref - @post) <= 128) or ((math.abs(@ref2 - @post) <= 128)))
+}

tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple

@@ -1,5 +1,6 @@
 # javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js: critical
 anti-static/obfuscation/js: high
+anti-static/obfuscation/reverse: medium
 exec/script/activex: medium
 exec/script/wsh: high
 exfil/stealer/vmware: high

tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple

@@ -1,4 +1,5 @@
 # javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js: medium
+anti-static/obfuscation/reverse: medium
 c2/addr/ip: medium
 c2/addr/server: medium
 c2/client: medium

tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple

@@ -1,5 +1,6 @@
 # javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js: medium
 anti-static/obfuscation/js: medium
+anti-static/obfuscation/reverse: medium
 c2/addr/ip: medium
 c2/addr/server: medium
 c2/client: medium

tests/javascript/clean/securityDashboards.plugin.js.simple

@@ -1,6 +1,7 @@
 # javascript/clean/securityDashboards.plugin.js: medium
 anti-static/obfuscation/bitwise: medium
 anti-static/obfuscation/js: medium
+anti-static/obfuscation/reverse: medium
 c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium

tests/javascript/clean/zxcvbn.js.simple

@@ -1,4 +1,5 @@
 # javascript/clean/zxcvbn.js: medium
+anti-static/obfuscation/reverse: medium
 c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium

tests/linux/clean/kibana/securitySolution.chunk.9.js.simple

@@ -1,5 +1,6 @@
 # linux/clean/kibana/securitySolution.chunk.9.js: critical
 anti-static/obfuscation/js: medium
+anti-static/obfuscation/reverse: medium
 c2/addr/ip: medium
 c2/addr/url: high
 c2/discovery/dyndns: medium

tests/npm/2024.ndoe-fethc/unhook.js.simple

@@ -1,8 +1,10 @@
 # npm/2024.ndoe-fethc/unhook.js: high
 credential/ssl/key: high
 credential/ssl/private_key: low
+data/encoding/base58: low
 data/encoding/json_encode: low
 discover/user/info: medium
+exfil/nodejs: medium
 exfil/stealer/crypto: high
 fs/file/read: low
 fs/lock_update: low