I’m sure all of you have heard about Mandiant’s APT1 report published yesterday. As many of you probably know we have been tracking and exposing this group for a long time as well as other individuals and companies in the security industry. A couple of examples are:
http://labs.alienvault.com/labs/index.php/2012/win32coswid/ Win32/Coswid [no longer available]
During the last few years we have been producing content that we have used to track and detect Comment Crew’s artifacts such as Snort rules, Yara rules and IOCs. We have decided to publish some of this content and we’ve completed our information with the great intel Mandiant published. The first package we are releasing is a set of 81 Yara rules that will help malware analysts and incident responders to detect, classify and track the malware arsenal used by Comment Crew.
Some of these rules have been built to specifically detect Comment Crew’s tools and others are more generic.
You can download the rules from here.
How can I use the rules?
The easiest way to use this content is installing Yara (http://code.google.com/p/yara-project/). Once installed you can use the cmd tool yara to detect and classify files in your dataset. Example:
$ ../yara-1.6/yara apt1-2.yara files/
APT1_WEBC2_CLOVER files//01114c2b1212524c550bbae7b2bf9750aba70c7c98e2fda13970e05768d644cf
EclipseSunCloudRAT files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_TARSIP_ECLIPSE files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_WEBC2_Y21K files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_CSON files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_b64_cnc_commands files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_Y21K files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
APT1_b64_cnc_commands files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
STARSYPOUND_APT1 files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_SY files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_WARP files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_points files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_readynewcmd files//0963ba541d56b9805713aa13d955b91f6bb875318698ba6119d5944d68c45afb
HACKSFASE2_APT1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
ccrewSSLBack1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
APT1_WEBC2_YAHOO files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_uagent_iphone85 files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_letusgo files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_WEBC2_QBP files//0c8ad4824264dd09b3be02f462f968729bf7339438bf5fa69af9ca995353f6df
APT1_WEBC2_GREENCAT files//0e829513658a891006163ccbf24efc292e42cc291af85b957c1603733f0c99d4
On the other hand there are several projects and products that support Yara as a format. Here are some examples:
- JSUnpack
- Fireeye
We’ve reviewed the rules to minimize false positives but please send us your feedback and we will improve the Yara rules with that information.
Here is the complete list of Yara rules released:
LIGHTDART_APT1
AURIGA_APT1
AURIGA_driver_APT1
BANGAT_APT1
BISCUIT_GREENCAT_APT1
BOUNCER_APT1
BOUNCER_DLL_APT1
CALENDAR_APT1
COMBOS_APT1
DAIRY_APT1
GLOOXMAIL_APT1
GOGGLES_APT1
HACKSFASE1_APT1
HACKSFASE2_APT1
KURTON_APT1
LONGRUN_APT1
MACROMAIL_APT1
MANITSME_APT1
MINIASP_APT1
NEWSREELS_APT1
SEASALT_APT1
STARSYPOUND_APT1
SWORD_APT1
thequickbrow_APT1
TABMSGSQL_APT1
CCREWBACK1
TrojanCookies_CCREW
GEN_CCREW1
Elise
EclipseSunCloudRAT
MoonProject
ccrewDownloader1
ccrewDownloader2
ccrewMiniasp
ccrewSSLBack2
ccrewSSLBack3
ccrewSSLBack1
ccrewDownloader3
ccrewQAZ
metaxcd
MiniASP
DownloaderPossibleCCrew
APT1_MAPIGET
APT1_LIGHTBOLT
APT1_GETMAIL
APT1_GDOCUPLOAD
APT1_WEBC2_Y21K
APT1_WEBC2_YAHOO
APT1_WEBC2_UGX
APT1_WEBC2_TOCK
APT1_WEBC2_TABLE
APT1_WEBC2_RAVE
APT1_WEBC2_QBP
APT1_WEBC2_KT3
APT1_WEBC2_HEAD
APT1_WEBC2_GREENCAT
APT1_WEBC2_DIV
APT1_WEBC2_CSON
APT1_WEBC2_CLOVER
APT1_WEBC2_BOLID
APT1_WEBC2_ADSPACE
APT1_WEBC2_AUSOV
APT1_WARP
APT1_TARSIP_ECLIPSE
APT1_TARSIP_MOON
APT1_aspnetreport
APT1_Revird_svc
APT1_letusgo
APT1_dbg_mess
APT1_known_malicious_RARSilent
Update (02/22/2013): We have improved the ruleset, update to the latest version!