ClamWin Free Antivirus
Support and Discussion Forums
Yara Signature For New Turla Malware
GuitarBob
Below is a Yara signature for a new version of some Russian Turla malware targeting Austrian and Baltic computers for reconnaissance. Copy the signature to a new Notepad file from the word "rule" to the ending } and save it as a file named TurlaPNG.yar in the ClamWin database folder. Save it in All Files format. The file name should be TurlaPNG.yar and nothing else.

After you save a signature file in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder.

Yara signatures can be kept permanently if they are not for a specific malware—keep this specific Yara file for two or three months.

Thanks to Sekoia!

rule apt_TURLA_ExternalPNGDocument_strings {
    meta:
        id = "51413d41-d0f4-4e1a-9f12-322921e48977"
        version = "1.0"
        intrusion_set = "TURLA"
        description = "Detects external logo embedded in DOCX documents"
        source = "SEKOIA"
        creation_date = "2022-05-05"
        modification_date = "2022-05-05"
        classification = "TLP:GREEN"
    strings:
        $s1 = "/relationships/image"
        $s2 = /[0-9]{3,10}\/logo\.png/
        $s3 = "TargetMode=\"External\"/><"
    condition:
        $s1 in (filesize-400..filesize) and
        $s2 in (filesize-400..filesize) and
        $s3 in (filesize-400..filesize)
}

Regards,
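The condition of the rule above only fires when all three strings start inside the last 400 bytes of the file. The following added example (not part of the post and not Sekoia's code) emulates that condition in plain Python, without yara-python, so you can see the effect of the offset window on two constructed inputs: one with the external-image relationship fragment at the very end of the data, and one with the same fragment earlier in the file. The sample bytes are constructed for illustration and are not a real document.

```python
import re

# Python equivalents of the rule's $s1..$s3 (constructed from the rule text).
S1 = b"/relationships/image"
S2 = re.compile(rb"[0-9]{3,10}/logo\.png")
S3 = b'TargetMode="External"/><'
WINDOW = 400  # the rule only accepts matches in (filesize-400..filesize)


def _match_offsets(pattern, data):
    """Start offsets of every match of a literal or compiled regex in data."""
    if isinstance(pattern, bytes):
        return [m.start() for m in re.finditer(re.escape(pattern), data)]
    return [m.start() for m in pattern.finditer(data)]


def matches_turla_png_rule(data: bytes) -> bool:
    """Emulate the rule's condition: every string must start inside
    the last WINDOW bytes of the file (YARA's `$s in (a..b)` semantics)."""
    lo = max(0, len(data) - WINDOW)
    for pat in (S1, S2, S3):
        if not any(lo <= off <= len(data) for off in _match_offsets(pat, data)):
            return False
    return True


# Constructed fragment mimicking a DOCX .rels entry that points at an
# externally hosted logo image; it carries the three substrings the rule keys on.
RELS_FRAGMENT = (
    b'<Relationship Id="rId9" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
    b'Target="http://example.invalid/1234567/logo.png" TargetMode="External"/><'
    b'/Relationships>'
)


def tail_sample() -> bytes:
    """Fragment at the end of the data, i.e. inside the 400-byte window."""
    return b"PK" + b"\x00" * 2000 + RELS_FRAGMENT


def early_sample() -> bytes:
    """Same fragment followed by 2000 bytes of other data, outside the window."""
    return b"PK" + RELS_FRAGMENT + b"\x00" * 2000


if __name__ == "__main__":
    print("tail sample matches:", matches_turla_png_rule(tail_sample()))    # True
    print("early sample matches:", matches_turla_png_rule(early_sample()))  # False
```

Because the window is anchored to the end of the file, the same relationship fragment stored earlier in a document is deliberately not flagged by this rule, which is worth knowing when you judge a clean scan result.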