GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Posted: Wed Apr 27, 2022 7:05 pm
Below is a Yara signature for the Gold Backdoor malware from a North Korean APT group targeting journalists. Although it targets journalists now, this backdoor could be used to target lots of different computers. Copy the file to a new Notepad file from the word rule to the ending } and save it as a file named GoldBackDoor.yar in the ClamWin database folder. Save it in All Files format. The file name should be GoldBackDoor.yar and nothing else.
After you save a signature file (.hdb, .mdb or .yar) in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only those signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file.
After 4 weeks, the malware will probably be updated, so you can delete mdb and hdb signatures then. The date (USA) and time (24 hr) are the last two items in each mdb and hdb signature. Yara signatures can be kept permanently if they are not for a specific malware. Keep specific Yara malware signature files for about 6 months.
A big thanks to Silas Cutler!
rule NK_GOLDBACKDOOR_Main
{
meta:
author= "Silas Cutler"
description = "Detection for Main component of GOLDBACKDOOR"
version = "0.1"
strings:
$str1 = "could not exec bash command." wide
$str2 = "%userprofile%\\AppData" wide
$str3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.3112.113 Safari/537.36" wide
$str4 = "tickount: %d"
$str5 = "Service-0x" wide
$str6 = "Main Returned"
$b64_1 = "TwBuAGUARAByAHYAVQBwAGQAYQB0AGUAAAA="
$b64_2 = "aGFnZW50dHJheQ=="
$b64_3 = "YXBwbGljYXRpb24vdm5kLmdvb2dsZS1hcHBzLmZvbGRlcg=="
$pdb = "D:\\Development\\GOLD-BACKDOOR\\"
condition:
4 of them or ( $pdb and 1 of them )
}
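As an added illustration (not Silas Cutler's code and not part of ClamWin), the small Python evaluator below re-implements the two YARA details this rule depends on so you can see why it fires: the `wide` modifier matches the UTF-16LE encoding of a string, and `them` in the condition covers every string including `$pdb`. The sample byte buffers are constructed here and are not real malware content.

```python
# Minimal evaluator for the NK_GOLDBACKDOOR_Main rule above (added example,
# not the YARA/ClamWin engine). Strings are copied from the rule as written.
from typing import Dict, Tuple

# (identifier, text, wide?) -- `wide` alone means only the UTF-16LE form matches.
RULE_STRINGS: Tuple[Tuple[str, str, bool], ...] = (
    ("$str1", "could not exec bash command.", True),
    ("$str2", "%userprofile%\\AppData", True),
    ("$str3", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0.3112.113 Safari/537.36", True),
    ("$str4", "tickount: %d", False),
    ("$str5", "Service-0x", True),
    ("$str6", "Main Returned", False),
    ("$b64_1", "TwBuAGUARAByAHYAVQBwAGQAYQB0AGUAAAA=", False),
    ("$b64_2", "aGFnZW50dHJheQ==", False),
    ("$b64_3", "YXBwbGljYXRpb24vdm5kLmdvb2dsZS1hcHBzLmZvbGRlcg==", False),
    ("$pdb", "D:\\Development\\GOLD-BACKDOOR\\", False),
)

def pattern_bytes(text: str, wide: bool) -> bytes:
    # Plain YARA strings match their ASCII bytes; `wide` matches UTF-16LE bytes.
    return text.encode("utf-16-le") if wide else text.encode("ascii")

def scan(data: bytes) -> Dict[str, bool]:
    """Return which of the rule's strings occur anywhere in `data`."""
    return {ident: pattern_bytes(s, wide) in data for ident, s, wide in RULE_STRINGS}

def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: 4 of them or ( $pdb and 1 of them )."""
    hits = scan(data)
    count = sum(hits.values())
    # `them` includes $pdb itself, so the $pdb branch is satisfied as soon as $pdb hits.
    return count >= 4 or (hits["$pdb"] and count >= 1)

# Constructed test buffers (synthetic, not real samples).
SAMPLE_PDB_ONLY = b"\x00" * 16 + b"D:\\Development\\GOLD-BACKDOOR\\" + b"\x00" * 16
SAMPLE_FOUR = (b"junk" + "Service-0x".encode("utf-16-le") + b"Main Returned"
               + b"tickount: %d" + "%userprofile%\\AppData".encode("utf-16-le"))
# ASCII "Service-0x" does not satisfy $str5 (wide only), so this has a single hit.
SAMPLE_BENIGN = b"Service-0x" + b"Main Returned"

if __name__ == "__main__":
    for name, buf in (("pdb_only", SAMPLE_PDB_ONLY), ("four", SAMPLE_FOUR), ("benign", SAMPLE_BENIGN)):
        print(name, rule_matches(buf), [k for k, v in scan(buf).items() if v])
```

Running it shows the PDB-path buffer and the four-string buffer match while the buffer with only an ASCII "Service-0x" does not, which is the behaviour ClamWin's YARA scan should reproduce on the same bytes.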