Awesome
yara-rules
Collection of YARA signatures from recent malware research
Ruleset
Dacls Trojan
- Rule: Dacls_Linux.yara
- Rule: Dacls_Windows.yara
- Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/
APT32 KerrDown
- Rule: APT32_KerrDown.yara
- Reference: https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
ACBackdoor - Linux build
- Rule: ACBackdoor_Linux.rule
- Reference: Intezer
Unnamed Linux Golang Ransomware
- Rule: Linux_Golang_Ransomware.rule
- Reference: Fortinet Blog
KPOT v2
- Rule: KPOT_v2.yara
- Reference: (ProofPoint Threat Insight)[https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal]
WatchBog Linux botnet
- Rule: WatchBog_Linux.yara
- References:
EvilGnome Linux malware
- Rule: EvilGnome_Linux.yara
- Reference: Intezer
APT34 PICKPOCKET
- Rule: APT34_PICKPOCKET.yara
- Reference: FireEye Threat Reseearch
APT34 LONGWATCH
- Rule: APT34_LONGWATCH.yara
- Reference: FireEye Threat Reseearch
APT34 VALUEVAULT
- Rule: APT34_VALUEVAULT.yara
- Reference: FireEye Threat Reseearch
RedGhost Linux tool
- Rule: RedGhost_Linux
- Reference: RedGhost Gitub repo
SilentTrinity
- Rule: SilentTrinity_Payload.rule
- Rule: SilentTrinity_Delivery.rule
- Reference: Countercept
DNSpionage
- Rule: DNSpionage.yara
- References: Talos Intelligence, Talos Intelligence #2
TA505 FlowerPippi
- Rule: TA505_FlowerPippi.yara
- Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/
REMCOS RAT
- Rule: REMCOS_RAT_2019.yara
- Reference: https://exchange.xforce.ibmcloud.com/collection/Remcos-Rat-Delivered-via-Email-Campaign-056f98e4fc97bd142337d6b2271aeaa7
GodLua Linux Backdoor
APT32 Ratsnif
- Rule: apt32-ratsnif.yara
- Reference: https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html
OSX/CrescentCore
- Rule: crescentcore_dmg.yara
- Reference: https://www.intego.com/mac-security-blog/osx-crescentcore-mac-malware-designed-to-evade-antivirus/
side note: when will we all decide to change mac sig names to macOS/<malware>? its way past time, imho
WarZone RAT aka Ave Maria Stealer
- Rule: avemaria_warzone.yara
- Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery
Winnti Linux