home.social

#100daysofyara — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #100daysofyara, aggregated by home.social.

  1. #100DaysOfYARA - Day 15 (a little behind)

    I used @REMnux's MCP to extract a payload from an (unknown to me) malware I'm now tracking as AxolotlLoader. I used the MCP to build a YARA rule based off of the XOR decryption function.

    Rule at end
    1/5

  2. @washi

    “I partially blame the #100DaysOfYara trend. I understand the idea is to have people write many YARA rules for practice. However, the amount of garbage that enters our community because of it is astounding.”

  3. #100DaysofYARA Day 14
    Checkpoint published research on VoidLink C2 framework.
    They call it "advanced malware framework", but maybe I'm not sure what "advanced" means in this context.

    Rule at end
    1/2

  4. #100DaysofYara - day 13
    Came across a low-detection malware which seems YARA resistant. Currently in use by a ransomware actor.
    I'll post some thoughts, but would love suggestions from others.

    I'll explain the malware and show the best I could come up with.

    Rule at bottom
    1/7

  7. #100daysofYARA - day 12
    VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.

    Rule at end.
    1/10

  8. #100DaysofYARA - Day 11
    In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.

    We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.

    rule at bottom
    1/5

  9. #100DaysofYara - day 10
    There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today we'll look at MCRIT.

    MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?

    rule at end
    1/5

  10. #100DaysofYARA - Day 9
    YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.

    Script is delivered to victims disguised as a Zoom meeting launcher.
    e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892

    Rule at end
    1/3

  11. #100DaysofYARA - Day 8
    For many years, many attackers tried to keep their binaries small. However, others found the opposite works too: extremely large binaries can cause problems with analysis.

    What can be done about these large executables?

    Rule at end
    1/6

  12. #100DaysofYARA - Day 7
    @malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."

    While we have a pretty good idea it'll be abused, it hasn't been yet.
    So, let's watch for it to be abused.

    Rule at end
    1/5

  13. #100DaysofYARA - Day 6
    In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.

    How can we detect this?

    Rule at end
    1/6

  14. #100DaysofYARA - day 5
    The Cert Graveyard project reports and documents code-signing abuse, including Apple-issued certificates.

    When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.

    Rule at end
    1/7

  15. #100DaysofYARA - Day 4
    One heavy user of code-signing certificates is Rhysida Ransomware.

    In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.

    Rule at end
    1/7

  16. #100DaysofYARA - Day 3
    This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.

    If the dev is going to use hard-coded strings, let's use them to our advantage.

    This thread will demo Malcat's YARA features.
    Rule at end of thread
    1/5

  17. #100DaysofYARA - Day 2
    YARA rule to detect the default Delphi darkmode dib icon.
    I've seen this icon excessively over the years. Using @unpacme's YARA hunting tools, I saw 0 known goodware and 800 packed junk.

    Rule at end
    1/4

  18. First day of #100daysOfYara
    This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
    In the image, the list is demarcated with "nepo"

    rule at end
    1/7

  19. 🤓 Since the #100daysofYARA challenge started, I decided to release my YARA cheat sheet version 2, extracted from my book Visual Threat Intelligence!

    I hope you will find it useful! Have fun 👇

    And if you like this one you might like the full book: store.securitybreak.io/threati

    #yara #malware #cheatsheet #book

  20. 🤩 2024 My Personal Rewind: What a Year!!

    My rewind couldn’t fit into the post, so I wrote a blog!

    Here are some highlights, but I recommend checking out the blog for more details and personal insights! 👇

    🎉 January:
    I started strong with #100DaysofYARA, released YaraToolkit, a tool for all things YARA, and DocYara, a RAG agent for YARA projects. I traveled to DC to present on Threat Intelligence + GenAI at the CTI Summit SANS Institute—one of the top talks of the year!

    💻 February:
    I presented at Jupyterthon, launched the Juniverse (catalog for InfoSec Jupyter notebooks), and released the ISOON Leak Investigation with GenAI capabilities for exploring leaked data.

    🔬 March:
    I created the MSTICpy GPT to assist with MSTICpy tasks. I spent a weekend analyzing the XZ Backdoor, creating 2 graphics to explain the threat during chaos, with over 1M views 🌟— it was featured by media, podcasts, and YouTube channels.

    🥇 April:
    We released the Unprotect Coin to reward top contributors with Jean-Pierre Lesueur and Loïs Marcinkowski 🏴‍☠️

    🎙️ May:
    I discussed the XZ Backdoor analysis on the Microsoft Threat Intelligence Podcast hosted by Sherrod DeGrippo and appeared on Andre Camillo's YouTube channel to talk GenAI + Threat Intelligence.

    🚀 June:
    I taught the Blue Team Arsenal with Roberto Rodriguez (GenAI + Python for CTI) at x33fcon, amazing feedback! My book, Visual Threat Intelligence, won the Bronze Award 🥉 Foreword Reviews for Technology & Science.

    📚 July:
    My XZ Backdoor work was featured in PagedOut Zine from Gynvael Coldwind—an honor as a longtime fan of the zine.

    🦾 August:
    We taught our training at BlackHat and I presented at Defcon about my XZ Backdoor analysis on the War Stories main stage—over 500 attendees (maybe more) in the room! 🤯

    🌟 September:
    I released FabricUI and I was a finalist for the SANS Difference Maker Award. I also appeared on Yaniv Hoffman's YouTube channel to discuss Defcon and Blackhat.

    📖 October:
    I received my signed copy of Evasive Malware by Kyle Cucci, which I reviewed and was featured in.

    🎨 November:
    I presented at BSides Gold Coast, Hack.Sydney, and BSides Melbourne, where we introduced a 3D-printing village. I launched the Unprotect Project Scanner with Jean-Pierre Lesueur and joined Ricki Burke for a career cybersecurity webinar. I also published a blog on building a GenAI CTI assistant with MCP, ORKL and Claude.

    🎄 December:
    I launched the GenAI x SEC Calendar, to share daily code, experiments and tools for practical GenAI applications in cybersecurity. The feedback was overwhelming!

    Thank you all for your continuous feedback and engagement, please have a look at the blog for all the links! I am also sharing the screenshot of my personal reflection which couldn't fit in! 🙂

    ➡️ Blog: blog.securitybreak.io/2024-per

    #cybersecurity #infosec

  21. 🎁 GenAI x Sec Advent #17

    We already covered RAG and Agents. Let's talk today about blending both of them! 👇

    Earlier this year, for the #100DaysOfYARA I built YaraToolkit, a website for all things YARA and I also created DocYara. 🤓

    DocYara is a GenAI agent powered by a RAG packed with the YARA documentation and selected blog posts. DocYara can help you in the process of crafting YARA rules, refining them or optimizing them.

    🎉 It's free! You can check it out here on my website: yaratoolkit.securitybreak.io

    I'm also dropping the slides from my presentations at
    @HCKSYD
    and Bsides Gold Coast where I presented these tools!

    And here’s a friendly reminder: #100DaysOfYARA kicks off in January. Maybe it’s time for me to update DocYara with automatic rule deployments as we already discussed! 😉

    Slides: speakerdeck.com/fr0gger/yara-t

    #genAI #cybersecurity #YARA #malware #agents

  22. Virus Total have released a (new?) cheat sheet for their Live Hunt YARA service, which requires the use of their custom "vt" YARA module:

    assets.virustotal.com/reports/

    The original Virus Total Intelligence cheat sheet is available at:

    storage.googleapis.com/vtpubli

    #100DaysofYara #malwareanalysis

  23. Picking back up #100DaysOfYara with Day 1️⃣​6️⃣​ - Fake installer archives with Adobe AfterFX
    🔗​ github.com/colincowie/100DaysO

    Recently @rmceoin shared details about a #RedLineStealer malvertising campaign using fake installers:
    📖​ infosec.exchange/@rmceoin/1097

    Today's YARA rule looks for these archives by detecting on the packaged legit Adobe file, `AfterFXLib.dll`. Some of the #malware themes found were:
    📍​ LastPass
    📍​ OnionBrowser
    📍​ Rufus
    📍​ Notepad++

  24. Day 1️⃣​0️⃣​ of #100DaysOfYara: MacOS Browser Hijacker Scripts🍎​
    🔗​ github.com/colincowie/100DaysO

    Background on these MacOS malware scripts used by #ChromeLoader aka #ChoziosiLoader:
    📖​ redcanary.com/blog/chromeloade
    📖​ blogs.vmware.com/security/2022
    📖​ th3protocol.com/2022/Choziosi-

    Today's rule did a nice job of detecting the historical ChromeLoader scripts. A more generic YARA rule for identifying .command script abuse would potentially be pretty interesting!

  25. Day 7️⃣​​ of #100DaysOfYara: Detecting #Batloader JavaScript malware

    🔗​ github.com/colincowie/100DaysO

    Today's rule was created using samples (from November) mentioned in Trend's new blog post:
    📖​ trendmicro.com/en_us/research/

    I used the yara count module to help out with the detection!

  30. After a brief hiatus (life happens😅)​ I'm picking back up #100DaysOfYara with Day 5️⃣ ​- Detecting clipboard patterns used by cryptocurrency stealers!

    🔗​: github.com/colincowie/100DaysO

    📖​ Background reading on #ViperSoftX clipboard stealer: decoded.avast.io/janrubin/vipe

    I had trouble with this rule when using strings. Switching to hex-based detection worked a lot better!