GuitarBob | Joined: 09 Jul 2006 | Posts: 4935 | Location: USA
Posted: Thu Apr 14, 2022 5:12 am
Below are 2 Yara signatures for Russian malware targeted at USA industrial control systems that was discovered just a few hours ago. The sigs worked for me--there were no ClamWin scan errors during a scan after I saved them to the ClamWin database directory. I'm not sure what type of file extensions are involved, but it might be for Windows executable files, since there is a DOS header warning, which might indicate a Windows executable is involved. There may be a pdb file extension also, whatever that is. Anyway, there are probably no ClamWin users who are involved with industrial control systems, but who knows?
The Yara file should be saved in the ClamWin database folder and named Triton2.yar, with nothing else in the filename.
Thanks to Mandiant!
rule MTI_Hunting_AsRockDriver_Exploit_PDB
{
    meta:
        author = "Mandiant"
        date = "03-23-2022"
        description = "Searching for executables containing strings associated with AsRock driver Exploit."
    strings:
        $dos_stub = "This program cannot be run in DOS mode"
        $pdb_bad = "dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb"
        $pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"
    condition:
        // exactly two DOS stubs (an executable carrying a second, embedded executable),
        // the exploit tool's PDB path before the second stub and the driver's PDB path after it
        all of them and (@pdb_bad < @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])
}

rule MTI_Hunting_AsRockDriver_Exploit_Generic
{
    meta:
        author = "Mandiant"
        date = "03-23-2022"
        description = "Searching for executables containing strings associated with AsRock driver Exploit."
    strings:
        $dos_stub = "This program cannot be run in DOS mode"
        $pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"
    condition:
        // same embedded-executable layout, without requiring the exploit tool's own PDB path
        all of them and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])
}
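To show what the offset arithmetic in those two conditions actually tests, here is an added Python re-implementation of the rule logic (not Mandiant's rule engine nor ClamWin code) run over constructed byte layouts. The PDB strings are copied from the rules above; `build_sample` is a constructed stand-in for a Windows executable that may carry a second executable appended after it, and real scanning should of course go through YARA or ClamWin rather than this script.

```python
import re

DOS_STUB = b"This program cannot be run in DOS mode"
# Both PDB paths are taken verbatim from the Mandiant rules posted above.
PDB_BAD = b"dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb"
PDB_GOOD = (b"c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src"
            b"\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb")


def offsets(data, needle):
    """All match offsets of needle in data: YARA's @s[n] list, len() gives #s."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def matches_pdb_rule(data):
    """Equivalent of MTI_Hunting_AsRockDriver_Exploit_PDB's condition."""
    dos, bad, good = (offsets(data, s) for s in (DOS_STUB, PDB_BAD, PDB_GOOD))
    if not (dos and bad and good) or len(dos) != 2:   # 'all of them' and #dos_stub == 2
        return False
    second_stub = dos[1]                               # YARA's @dos_stub[2] (1-based)
    return bad[0] < second_stub < good[0]              # @pdb_bad < @dos_stub[2] < @pdb_good


def matches_generic_rule(data):
    """Equivalent of MTI_Hunting_AsRockDriver_Exploit_Generic's condition."""
    dos, good = offsets(data, DOS_STUB), offsets(data, PDB_GOOD)
    if not (dos and good) or len(dos) != 2:
        return False
    return good[0] > dos[1]


def build_sample(outer_pdb, embedded_pdb=None):
    """Constructed layout (not a real PE): a minimal 'MZ' image with one DOS
    stub and one PDB path, optionally followed by a second embedded image."""
    def image(pdb):
        return b"MZ" + b"\x00" * 8 + DOS_STUB + b"\x00" * 16 + pdb + b"\x00" * 8
    blob = image(outer_pdb)
    if embedded_pdb is not None:
        blob += image(embedded_pdb)
    return blob


# Constructed samples: a loader whose own PDB is the exploit tool's and which
# carries the driver inside it, versus the driver on its own (one DOS stub only).
DROPPER = build_sample(PDB_BAD, PDB_GOOD)
STANDALONE_DRIVER = build_sample(PDB_GOOD)

if __name__ == "__main__":
    for name, blob in (("dropper", DROPPER), ("standalone driver", STANDALONE_DRIVER)):
        print(name, matches_pdb_rule(blob), matches_generic_rule(blob))
```

The standalone driver is not flagged by either rule: the conditions key on the driver's PDB path sitting after a second DOS stub, i.e. on a carrier executable, so a legitimately installed copy of the driver alone produces only one stub.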