Yara Signature For New Turla Malware
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon May 23, 2022 6:19 pm
Below is a Yara signature for a new version of some Russian Turla malware targeting Austrian and Baltic computers for reconnaissance. Copy the signature to a new Notepad file from the word "rule" to the ending } and save it as a file named TurlaPNG.yar in the ClamWin database folder. Save it in All Files format. The file name should be TurlaPNG.yar and nothing else.
After you save a signature file in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder.
Yara signatures can be kept permanently if they are not for a specific malware—keep this specific Yara file for two or three months.
Thanks to Sekoia!
rule apt_TURLA_ExternalPNGDocument_strings {
    meta:
        id = "51413d41-d0f4-4e1a-9f12-322921e48977"
        version = "1.0"
        intrusion_set = "TURLA"
        description = "Detects external logo embedded in DOCX documents"
        source = "SEKOIA"
        creation_date = "2022-05-05"
        modification_date = "2022-05-05"
        classification = "TLP:GREEN"
    strings:
        $s1 = "/relationships/image"
        $s2 = /[0-9]{3,10}\/logo\.png/
        $s3 = "TargetMode=\"External\"/><"
    condition:
        $s1 in (filesize-400..filesize) and
        $s2 in (filesize-400..filesize) and
        $s3 in (filesize-400..filesize)
}
Regards,
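A Python emulation of the rule's condition, added here as an example and not part of the post or of the Sekoia rule: it requires each of the three strings to start inside the last 400 bytes of the input, which is what YARA's `$s in (filesize-400..filesize)` range means, and runs that check over a constructed document.xml.rels fragment. The sample XML, the `example.invalid` host and the clamping of the window to offset 0 for short inputs are assumptions made for the example.

```python
import re

# The rule only accepts string hits that start inside the last 400 bytes of the
# file, i.e. YARA's `$s in (filesize-400..filesize)`.
WINDOW = 400

# The rule's three strings ($s1, $s2, $s3), transcribed from the post.
S1 = b"/relationships/image"
S2 = re.compile(rb"[0-9]{3,10}/logo\.png")
S3 = b'TargetMode="External"/><'


def starts_in_tail_window(data: bytes, pattern) -> bool:
    """True if some occurrence of pattern starts at offset >= filesize-400."""
    lo = max(0, len(data) - WINDOW)  # clamp at 0 for inputs shorter than 400 bytes (assumption)
    if isinstance(pattern, bytes):
        return data.find(pattern, lo) != -1
    return pattern.search(data, lo) is not None


def matches_turla_png_rule(data: bytes) -> bool:
    """Emulates the condition of apt_TURLA_ExternalPNGDocument_strings: all three hits in the tail."""
    return all(starts_in_tail_window(data, p) for p in (S1, S2, S3))


# Constructed sample: a word/_rels/document.xml.rels fragment whose image
# relationship points at an external logo.png, the pattern the rule describes.
SUSPICIOUS = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
    b'Target="http://example.invalid/123456/logo.png" TargetMode="External"/><'
    b'/Relationships>'
)

# Constructed benign counterpart: the image is packaged inside the document, so
# there is no logo.png path and no TargetMode="External" attribute.
BENIGN = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
    b'Target="media/image1.png"/>'
    b'</Relationships>'
)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", "match" if matches_turla_png_rule(blob) else "no match")
```

Appending 500 bytes of padding to the suspicious sample pushes all three strings out of the tail window, so the emulation (like the rule) stops matching; that offset dependence is worth remembering if a scanner hands the rule a file that is larger than the bare rels part.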