100DaysofYARA - In-Memory Detection
Happy 100 Days of YARA. We’re skipping the intros and getting right down to it.
One of the most useful ways to use YARA is on memory. Doing so requires more of a lift than what I normally talk about here - the static scanning of files at rest, not dynamic analysis. It pays off, though: packers and detection evasion change far more often than the payloads they wrap, so if we can get our hands on unpacked samples we can write a signature that finds the payload regardless of the packer in front of it.
Enter Hatching and their Triage product. Hatching's Triage is a sandbox like many others (Hatching is owned by Recorded Future, where I used to work. I am not shilling their product, but what's good for the goose is good for the gander, as they say).
Hatching has two main advantages:
- it allows for custom YARA rules to be implemented …
IoC
f794dd23878fbae2472178d00867302be69df5e5986f2f3991c4a15150a339b5
rule APT_NK_TA430_HazyLoad_Mem
{
    meta:
        description = "GLES Rule: track HazyLoad proxy tool in memory"
        triage_description = "detect proxy-related strings loaded in memory by HazyLoad loader"
        reference = "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
        reference = "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/"
        author = "Greg Lesnewich"
        date = "2023-12-14"
        version = "1.0"
        family = "HazyLoad"
        triage_score = 4
        hash = "f794dd23878fbae2472178d00867302be69df5e5986f2f3991c4a15150a339b5"
    strings:
        $string1 = "[-] socket create error" ascii wide
        $string2 = "[-] socket connect error" ascii wide
        $string3 = "[-] WSAStartup error" ascii wide
        $string4 = "[+] Success to connect proxy" ascii wide
        $string5 = "[+] Success to handshake proxy" ascii wide
        $string6 = "[-] Main Thread Create error." ascii wide
        $string7 = "[+] disconnected from proxy" ascii wide
        $string8 = "[+] port [1-65535]" ascii wide
        $string9 = "[+] %s:%d" ascii wide
        $string10 = "Usage: socks4 [options] " ascii wide
        $string11 = "Options:" ascii wide
        $string12 = " -i ip of socks4 proxy " ascii wide
        $string13 = " -p port of socks4 proxy " ascii wide
        $string14 = "[-] invalid option: \"%s\"" ascii wide
        $string15 = "[-] option \"-c\" ip of socks4 proxy" ascii wide
        $string16 = "[-] option \"-s\" port of socks4 proxy" ascii wide
        $string17 = "[-] invalid option: \"%c\"" ascii wide
    condition:
        12 of them
}
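To make the "scan memory, not the packed file" argument concrete, here is an added example (my own code, not from the original post and not part of Triage) that re-implements just enough of YARA's matching to evaluate the rule above: the ascii wide modifier (raw ASCII or UTF-16LE) and the 12 of them condition. The "packed" file-at-rest sample is constructed with a single-byte XOR as a stand-in for a packer; that is an assumption for illustration and says nothing about how the real loader obscures its payload. The strings are the ones from the rule.

```python
"""Added example (not from the original post): a minimal re-implementation of the
HazyLoad rule's matching logic, showing why an in-memory scan catches a payload
that a scan of the packed file at rest misses. The XOR "packer" is a constructed
assumption for illustration only.
"""
from typing import Dict, List

# The strings from the published rule, verbatim.
HAZYLOAD_STRINGS: List[str] = [
    "[-] socket create error",
    "[-] socket connect error",
    "[-] WSAStartup error",
    "[+] Success to connect proxy",
    "[+] Success to handshake proxy",
    "[-] Main Thread Create error.",
    "[+] disconnected from proxy",
    "[+] port [1-65535]",
    "[+] %s:%d",
    "Usage: socks4 [options] ",
    "Options:",
    " -i ip of socks4 proxy ",
    " -p port of socks4 proxy ",
    '[-] invalid option: "%s"',
    '[-] option "-c" ip of socks4 proxy',
    '[-] option "-s" port of socks4 proxy',
    '[-] invalid option: "%c"',
]
THRESHOLD = 12  # the rule's condition: 12 of them


def encodings(s: str) -> List[bytes]:
    """YARA's `ascii wide`: the string as raw ASCII and as UTF-16LE."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def match_strings(buf: bytes) -> Dict[str, bool]:
    """Which rule strings occur in buf, in either encoding."""
    return {s: any(enc in buf for enc in encodings(s)) for s in HAZYLOAD_STRINGS}


def rule_matches(buf: bytes, threshold: int = THRESHOLD) -> bool:
    """Evaluate `threshold of them` over the string set."""
    return sum(match_strings(buf).values()) >= threshold


def xor_pack(data: bytes, key: int) -> bytes:
    """Constructed stand-in for a packer: single-byte XOR (illustration only)."""
    return bytes(b ^ key for b in data)


def build_samples(key: int = 0x5A) -> Dict[str, bytes]:
    """Constructed sample data: an 'unpacked' in-memory image that mixes ASCII and
    wide strings, and the same bytes XOR-obscured as the 'file at rest'."""
    plain = b"\x00" * 16
    for i, s in enumerate(HAZYLOAD_STRINGS):
        # alternate encodings so both halves of `ascii wide` are exercised
        enc = s.encode("ascii") if i % 2 == 0 else s.encode("utf-16-le")
        plain += enc + b"\x00"
    return {"memory": plain, "file_at_rest": xor_pack(plain, key)}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        hits = sum(match_strings(blob).values())
        print(f"{name:13s} {hits:2d}/{len(HAZYLOAD_STRINGS)} strings -> match={rule_matches(blob)}")
```

Run as a script it reports 17/17 strings and a match for the memory image, and 0/17 with no match for the XOR-obscured file. The same logic is why the rule belongs in a sandbox's memory-scanning stage rather than in a rule set applied only to dropped files: the threshold of 12 gives the author room to tolerate a few strings being stripped or rewritten between builds while still requiring most of the proxy tool's usage text to be present in clear.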