-
Notifications
You must be signed in to change notification settings - Fork 36
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
- Loading branch information
Showing
4 changed files
with
204 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| ## Changed: macOS/2023.3CX/libffmpeg.dylib [😈 CRITICAL → 🟡 MEDIUM] | ||
|
|
||
| ### 22 removed behaviors | ||
|
|
||
| | RISK | KEY | DESCRIPTION | EVIDENCE | | ||
| |--|--|--|--| | ||
| | -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | ||
| | -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) | | ||
| | -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | | | ||
| | -CRITICAL | [3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_xor_hunting.yar#L2-L25) | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | | | ||
| | -CRITICAL | [3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50) | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by threatintel@volexity.com | | | ||
| | -CRITICAL | [anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla) | XOR'ed user agent, often found in backdoors, by Florian Roth | | | ||
| | -CRITICAL | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl) | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) | | ||
| | -HIGH | [exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null_quoted) | runs quoted templated commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | ||
| | -MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | ||
| | -MEDIUM | [exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen) | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)<br>[_popen](https://github.com/search?q=_popen&type=code) | | ||
| | -MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | ||
| | -MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)<br>[Accept](https://github.com/search?q=Accept&type=code) | | ||
| | -MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) | | ||
| | -MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code) | | ||
| | -LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | ||
| | -LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)<br>[srand](https://github.com/search?q=srand&type=code) | | ||
| | -LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | ||
| | -LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)<br>[HOME](https://github.com/search?q=HOME&type=code) | | ||
| | -LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | | ||
| | -LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | | ||
| | -LOW | [os/kernel/dispatch_semaphore](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/dispatch-semaphore.yara#dispatch_sem) | [Uses Dispatch Semaphores](https://developer.apple.com/documentation/dispatch/dispatch_semaphore) | [dispatch_semaphore_signal](https://github.com/search?q=dispatch_semaphore_signal&type=code) | | ||
| | -LOW | [os/sync/semaphore_user](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/sync/semaphore-user.yara#semaphore_user) | uses semaphores to synchronize data between processes or threads | [semaphore_create](https://github.com/search?q=semaphore_create&type=code)<br>[semaphore_signal](https://github.com/search?q=semaphore_signal&type=code)<br>[semaphore_wait](https://github.com/search?q=semaphore_wait&type=code) | | ||
|
|
||
| ### 17 consistent behaviors | ||
|
|
||
| | RISK | KEY | DESCRIPTION | EVIDENCE | | ||
| |--|--|--|--| | ||
| | MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)<br>[Encryption info](https://github.com/search?q=Encryption+info&type=code) | | ||
| | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | | ||
| | MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | ||
| | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | ||
| | MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | ||
| | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) | | ||
| | LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)<br>[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)<br>[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)<br>[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0)<br>[http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)<br>[http://www.apple.com/appleca0](http://www.apple.com/appleca0)<br>[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03) | | ||
| | LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)<br>[http://](http://)<br>[x86](https://github.com/search?q=x86&type=code) | | ||
| | LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://) | | ||
| | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | ||
| | LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | | | ||
| | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | | ||
| | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | ||
| | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | ||
| | LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | | ||
| | LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code) | | ||
| | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | | ||
|
|
Oops, something went wrong.