|
| 1 | +import "hash" |
| 2 | + |
| 3 | +// start third-party |
| 4 | +// source: https://github.com/Neo23x0/signature-base/pull/395 |
| 5 | +rule MAL_NPM_SupplyChain_Attack_Mar26: critical js { |
| 6 | + meta: |
| 7 | + description = "Detects package.json which include the malicious plain-crypto-js package as dependency" |
| 8 | + author = "Marius Benthin" |
| 9 | + date = "2026-03-31" |
| 10 | + reference = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan" |
| 11 | + hash = "5e3e89c7351f385e36bb70286866a62957cc1aaab195539edb8c7bb62968a137" |
| 12 | + score = 80 |
| 13 | + |
| 14 | + strings: |
| 15 | + $s1 = "\"dependencies\":" |
| 16 | + // This is the specific malicious package that was added to the npm registry, which is a typo-squatting of the popular crypto-js package |
| 17 | + $s2 = { 22 70 6C 61 69 6E 2D 63 72 79 70 74 6F 2D 6A 73 22 3A [0-3] 22 [0-2] 34 2E 32 2E } // "plain-crypto-js": "^4.2." |
| 18 | +
|
| 19 | + condition: |
| 20 | + filesize < 10KB |
| 21 | + and all of them |
| 22 | +} |
| 23 | + |
| 24 | +// source: https://github.com/Neo23x0/signature-base/pull/395 |
| 25 | +rule SUSP_JS_Dropper_Mar26: critical js { |
| 26 | + meta: |
| 27 | + description = "Detects suspicious JavaScript dropper used in plain-crypto-js supply chain attacks" |
| 28 | + author = "Marius Benthin" |
| 29 | + date = "2026-03-31" |
| 30 | + reference = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan" |
| 31 | + hash = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09" |
| 32 | + score = 70 |
| 33 | + |
| 34 | + strings: |
| 35 | + $sa1 = "Buffer.from(" |
| 36 | + $sa2 = "FileSync(" |
| 37 | + $sa3 = ".replaceAll(" |
| 38 | +
|
| 39 | + $sb1 = ".arch()" |
| 40 | + $sb2 = ".platform()" |
| 41 | + $sb3 = ".release()" |
| 42 | + $sb4 = ".type()" |
| 43 | +
|
| 44 | + condition: |
| 45 | + filesize < 10KB |
| 46 | + and all of ($sa*) |
| 47 | + and 2 of ($sb*) |
| 48 | +} |
| 49 | + |
| 50 | +/* |
| 51 | + * Axios npm Supply Chain Compromise - YARA Detection Rules |
| 52 | + * Date: 2026-03-31 | Version: 2 |
| 53 | + * Author: Automated Analysis (Claude Code) |
| 54 | + * Reference: https://gist.github.com/N3mes1s/0c0fc7a0c23cdb5e1c8f66b208053ed6 |
| 55 | + * Tested against all 5 payloads in isolated Lima VM |
| 56 | + */ |
| 57 | + |
| 58 | +// modified to include severity tags |
| 59 | + |
| 60 | +rule axios_dropper_setup_js: critical { |
| 61 | + meta: |
| 62 | + description = "Axios supply chain - obfuscated setup.js dropper" |
| 63 | + hash = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09" |
| 64 | + date = "2026-03-31" |
| 65 | + |
| 66 | + strings: |
| 67 | + $xor = "OrDeR_7077" |
| 68 | + $entry = "_entry" |
| 69 | + $id = "6202033" |
| 70 | +
|
| 71 | + condition: |
| 72 | + filesize < 10KB and $xor and $entry and $id |
| 73 | +} |
| 74 | + |
| 75 | +rule axios_win_stage1: critical windows { |
| 76 | + meta: |
| 77 | + description = "Axios supply chain - Windows download cradle (system.bat)" |
| 78 | + hash = "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd" |
| 79 | + date = "2026-03-31" |
| 80 | + |
| 81 | + strings: |
| 82 | + $cradle = "scriptblock]::Create" |
| 83 | + $post = "packages.npm.org/product1" |
| 84 | +
|
| 85 | + condition: |
| 86 | + filesize < 500 and $cradle and $post |
| 87 | +} |
| 88 | + |
| 89 | +rule axios_win_ps_rat: critical windows { |
| 90 | + meta: |
| 91 | + description = "Axios supply chain - Windows PowerShell RAT" |
| 92 | + hash = "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101" |
| 93 | + date = "2026-03-31" |
| 94 | + |
| 95 | + strings: |
| 96 | + $class = "Extension.SubRoutine" |
| 97 | + $var1 = "$rotjni" |
| 98 | + $var2 = "$daolyap" |
| 99 | + $rsp1 = "rsp_peinject" |
| 100 | + $rsp2 = "rsp_runscript" |
| 101 | + $rsp3 = "rsp_rundir" |
| 102 | + $rsp4 = "rsp_kill" |
| 103 | +
|
| 104 | + condition: |
| 105 | + $class or ($var1 and $var2) or (3 of ($rsp*)) |
| 106 | +} |
| 107 | + |
| 108 | +rule axios_macos_nukesped: critical macos { |
| 109 | + meta: |
| 110 | + description = "Axios supply chain - macOS NukeSped RAT" |
| 111 | + hash = "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a" |
| 112 | + date = "2026-03-31" |
| 113 | + |
| 114 | + strings: |
| 115 | + $mz = { CA FE BA BE } |
| 116 | + $build = "Jain_DEV" |
| 117 | + $project = "macWebT" |
| 118 | + $drop = "/private/tmp/.%s" |
| 119 | + $codesign = "codesign --force --deep --sign" |
| 120 | + $rsp1 = "rsp_peinject" |
| 121 | + $rsp2 = "rsp_runscript" |
| 122 | +
|
| 123 | + condition: |
| 124 | + $mz at 0 and ($build or $project or ($drop and $codesign) or ($rsp1 and $rsp2)) |
| 125 | +} |
| 126 | + |
| 127 | +rule axios_linux_python_rat: critical linux { |
| 128 | + meta: |
| 129 | + description = "Axios supply chain - Linux Python RAT (ld.py)" |
| 130 | + hash = "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf" |
| 131 | + date = "2026-03-31" |
| 132 | + |
| 133 | + strings: |
| 134 | + $fn1 = "do_action_ijt" |
| 135 | + $fn2 = "do_action_scpt" |
| 136 | + $fn3 = "do_action_dir" |
| 137 | + $rsp1 = "rsp_peinject" |
| 138 | + $rsp2 = "rsp_runscript" |
| 139 | + $rsp3 = "rsp_rundir" |
| 140 | +
|
| 141 | + condition: |
| 142 | + ($fn1 and $fn2 and $fn3) or (3 of ($rsp*)) |
| 143 | +} |
| 144 | + |
| 145 | +rule axios_rat_generic: critical { |
| 146 | + meta: |
| 147 | + description = "Generic detection for any axios supply chain RAT" |
| 148 | + date = "2026-03-31" |
| 149 | + |
| 150 | + strings: |
| 151 | + $ua = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" |
| 152 | + $b1 = "FirstInfo" |
| 153 | + $b2 = "BaseInfo" |
| 154 | + $b3 = "CmdResult" |
| 155 | + $r1 = "rsp_peinject" |
| 156 | + $r2 = "rsp_runscript" |
| 157 | + $r3 = "rsp_rundir" |
| 158 | +
|
| 159 | + condition: |
| 160 | + ($ua and 2 of ($b*)) or (3 of ($r*)) |
| 161 | +} |
| 162 | + |
| 163 | +rule axios_c2_indicators: critical { |
| 164 | + meta: |
| 165 | + description = "Axios supply chain C2 network indicators" |
| 166 | + date = "2026-03-31" |
| 167 | + |
| 168 | + strings: |
| 169 | + $c2 = "sfrclak.com" |
| 170 | + $path = "/6202033" |
| 171 | + $p0 = "packages.npm.org/product0" |
| 172 | + $p1 = "packages.npm.org/product1" |
| 173 | + $p2 = "packages.npm.org/product2" |
| 174 | +
|
| 175 | + condition: |
| 176 | + $c2 or ($path and any of ($p*)) or (2 of ($p*)) |
| 177 | +} |
| 178 | + |
| 179 | +rule axios_injector_dll: critical windows { |
| 180 | + meta: |
| 181 | + description = "Extension.SubRoutine .NET injection DLL (DLL not recovered)" |
| 182 | + date = "2026-03-31" |
| 183 | + |
| 184 | + strings: |
| 185 | + $mz = { 4D 5A } |
| 186 | + $class = "Extension.SubRoutine" wide |
| 187 | + $method = "Run2" wide |
| 188 | +
|
| 189 | + condition: |
| 190 | + $mz at 0 and $class and $method |
| 191 | +} |
| 192 | +// end third-party |
| 193 | + |
| 194 | +rule axios_2026_03: critical { |
| 195 | + meta: |
| 196 | + description = "Contains IOCs from the 2026/03/19 Axios -> plain-crypto-js compromise" |
| 197 | + |
| 198 | + strings: |
| 199 | + $artifact1 = "/Library/Caches/com.apple.act.mond" |
| 200 | + $artifact2 = "%PROGRAMDATA%\wt.exe" |
| 201 | + $artifact3 = "/tmp/ld.py" |
| 202 | + $c2 = "sfrclak.com:8000/6202033" |
| 203 | + $domain1 = "sfrclak.com" |
| 204 | + $ip = "142.11.206.73" |
| 205 | + $url = "packages.npm.org/product2" |
| 206 | +
|
| 207 | + condition: |
| 208 | + (hash.sha256(0, filesize) == "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd") |
| 209 | + or (hash.sha256(0, filesize) == "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101") |
| 210 | + or (hash.sha256(0, filesize) == "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a") |
| 211 | + or (hash.sha256(0, filesize) == "fcb81618bb15edfedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf") |
| 212 | + or any of them |
| 213 | +} |
0 commit comments