Yara rules for APT1/Comment Crew malware arsenal

February 20, 2013 | Jaime Blasco

I’m sure all of you have heard about Mandiant’s APT1 report, published yesterday. As many of you probably know, we, along with other individuals and companies in the security industry, have been tracking and exposing this group for a long time. A couple of examples are:

http://labs.alienvault.com/labs/index.php/2012/win32coswid/ Win32/Coswid [no longer available]

During the last few years we have been producing content that we use to track and detect Comment Crew’s artifacts, such as Snort rules, Yara rules and IOCs. We have decided to publish some of this content, and we have complemented our own information with the great intel Mandiant published. The first package we are releasing is a set of 81 Yara rules that will help malware analysts and incident responders detect, classify and track the malware arsenal used by Comment Crew.

Some of these rules have been built to specifically detect Comment Crew’s tools and others are more generic.

You can download the rules from here.

How can I use the rules?

The easiest way to use this content is to install Yara (http://code.google.com/p/yara-project/). Once it is installed you can use the command-line tool yara to detect and classify the files in your dataset. Note that a single file can match more than one rule (for example a family-specific rule and a more generic one), so the same path may appear several times in the output. Example:

$ ../yara-1.6/yara apt1-2.yara files/

APT1_WEBC2_CLOVER files//01114c2b1212524c550bbae7b2bf9750aba70c7c98e2fda13970e05768d644cf

EclipseSunCloudRAT files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca

APT1_TARSIP_ECLIPSE files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca

APT1_WEBC2_Y21K files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898

APT1_WEBC2_CSON files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898

APT1_b64_cnc_commands files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898

APT1_WEBC2_Y21K files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f

APT1_b64_cnc_commands files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f

STARSYPOUND_APT1 files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003

APT1_SY files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003

APT1_WARP files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded

APT1_points files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded

APT1_readynewcmd files//0963ba541d56b9805713aa13d955b91f6bb875318698ba6119d5944d68c45afb

HACKSFASE2_APT1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83

ccrewSSLBack1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83

APT1_WEBC2_YAHOO files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20

APT1_uagent_iphone85 files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20

APT1_letusgo files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20

APT1_WEBC2_QBP files//0c8ad4824264dd09b3be02f462f968729bf7339438bf5fa69af9ca995353f6df

APT1_WEBC2_GREENCAT files//0e829513658a891006163ccbf24efc292e42cc291af85b957c1603733f0c99d4
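As an added example (not part of the original post or the released ruleset), a small Python helper that parses the one-match-per-line `RULE path` output shown above and groups matches per file, so a sample hit by several rules is reported once with all of its rule names. The input is a constructed sample with placeholder file names, and non-match lines (yara warnings/errors) are skipped.

```python
import re
from collections import defaultdict

# One line of yara's default output is "<rule_identifier> <path>".
# Yara rule identifiers are [A-Za-z0-9_]+, so anything else (e.g. "warning: ...")
# simply fails to match and is ignored.
MATCH_LINE = re.compile(r"^(?P<rule>[A-Za-z0-9_]+)\s+(?P<path>\S.*)$")

# Constructed sample in the shape of the yara output shown above (placeholder paths).
SAMPLE_OUTPUT = """\
APT1_WEBC2_CLOVER files//sample_a
EclipseSunCloudRAT files//sample_b
APT1_TARSIP_ECLIPSE files//sample_b
APT1_WEBC2_Y21K files//sample_c
APT1_WEBC2_CSON files//sample_c
APT1_b64_cnc_commands files//sample_c
warning: rule "APT1_WARP" in apt1-2.yara: slowing down scanning
"""


def parse_yara_output(text):
    """Return {path: [rule, ...]} built from yara's line-per-match output."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = MATCH_LINE.match(line.strip())
        if not m:
            continue  # warning/error/blank line, not a match
        rule, path = m.group("rule"), m.group("path")
        if rule not in hits[path]:  # keep order, drop exact duplicates
            hits[path].append(rule)
    return dict(hits)


def files_with_rule(hits, rule):
    """Paths that matched a given rule (e.g. to pull one family out of a dataset)."""
    return sorted(p for p, rules in hits.items() if rule in rules)


def multi_hit_files(hits, minimum=2):
    """Paths matched by at least `minimum` rules, useful for spotting overlaps."""
    return {p: r for p, r in hits.items() if len(r) >= minimum}


def rule_counts(hits):
    """How many distinct files each rule fired on, for tracking the arsenal over time."""
    counts = defaultdict(int)
    for rules in hits.values():
        for r in rules:
            counts[r] += 1
    return dict(counts)
```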

There are also several projects and products that support Yara rules as an input format. Here are some examples:

- JSUnpack

- VirusTotal VTMIS

- Volatility

- FireEye

We’ve reviewed the rules to minimize false positives but please send us your feedback and we will improve the Yara rules with that information.

Here is the complete list of Yara rules released:

LIGHTDART_APT1

AURIGA_APT1

AURIGA_driver_APT1

BANGAT_APT1

BISCUIT_GREENCAT_APT1

BOUNCER_APT1

BOUNCER_DLL_APT1

CALENDAR_APT1

COMBOS_APT1

DAIRY_APT1

GLOOXMAIL_APT1

GOGGLES_APT1

HACKSFASE1_APT1

HACKSFASE2_APT1

KURTON_APT1

LONGRUN_APT1

MACROMAIL_APT1

MANITSME_APT1

MINIASP_APT1

NEWSREELS_APT1

SEASALT_APT1

STARSYPOUND_APT1

SWORD_APT1

thequickbrow_APT1

TABMSGSQL_APT1

CCREWBACK1

TrojanCookies_CCREW

GEN_CCREW1

Elise

EclipseSunCloudRAT

MoonProject

ccrewDownloader1

ccrewDownloader2

ccrewMiniasp

ccrewSSLBack2

ccrewSSLBack3

ccrewSSLBack1

ccrewDownloader3

ccrewQAZ

metaxcd

MiniASP

DownloaderPossibleCCrew

APT1_MAPIGET

APT1_LIGHTBOLT

APT1_GETMAIL

APT1_GDOCUPLOAD

APT1_WEBC2_Y21K

APT1_WEBC2_YAHOO

APT1_WEBC2_UGX

APT1_WEBC2_TOCK

APT1_WEBC2_TABLE

APT1_WEBC2_RAVE

APT1_WEBC2_QBP

APT1_WEBC2_KT3

APT1_WEBC2_HEAD

APT1_WEBC2_GREENCAT

APT1_WEBC2_DIV

APT1_WEBC2_CSON

APT1_WEBC2_CLOVER

APT1_WEBC2_BOLID

APT1_WEBC2_ADSPACE

APT1_WEBC2_AUSOV

APT1_WARP

APT1_TARSIP_ECLIPSE

APT1_TARSIP_MOON

APT1_aspnetreport

APT1_Revird_svc

APT1_letusgo

APT1_dbg_mess

APT1_known_malicious_RARSilent

Update (02/22/2013): We have improved the ruleset; update to the latest version!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.