From 51ba3d6a59ac5dbcccbab565a86e404ce995a7b4 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Fri, 26 Sep 2025 13:22:47 -0500 Subject: [PATCH 1/3] Add rule for recent Crate compromises; run fmt to pick up new yara-x newline formatting 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/anti-static/obfuscation/obfuscate.yara | 1 - rules/anti-static/xor/xor-paths.yara | 1 - rules/c2/addr/discord.yara | 1 - rules/c2/addr/telegram.yara | 1 - rules/c2/connect/curl_easy.yara | 1 - rules/c2/connect/ping_pong.yara | 1 - rules/c2/connect/server.yara | 1 - rules/c2/tool_transfer/bitsadmin.yara | 1 - rules/credential/cloud/gcloud.yara | 1 - rules/credential/gaming/minecraft.yara | 1 - rules/crypto/public_key.yara | 1 - rules/data/embedded/base64.yara | 1 - .../embedded/embedded-pem-certificate.yara | 1 - .../data/embedded/embedded-pem-test_key.yara | 1 - .../data/embedded/embedded-ssh-signature.yara | 1 - rules/data/encoding/audio-pcm.yara | 1 - rules/data/encoding/marshal.yara | 1 - rules/data/random/insecure.yara | 1 - rules/discover/cloud/aws-metadata.yara | 1 - rules/discover/cloud/google-docs.yara | 1 - rules/discover/cloud/google-metadata.yara | 1 - rules/discover/cloud/google-storage.yara | 1 - .../bypass_security/linux/iptables.yara | 1 - rules/evasion/file/location/dev-mqueue.yara | 1 - rules/evasion/file/location/lib.yara | 1 - rules/evasion/file/location/var-tmp.yara | 1 - rules/evasion/file/location/x11-unix.yara | 1 - rules/evasion/file/prefix/proc.yara | 1 - rules/evasion/mimicry/fake-library.yara | 1 - rules/exec/dylib/iterate.yara | 1 - rules/exec/dylib/open.yara | 1 - rules/exfil/curl_post.yara | 1 - rules/exfil/stealer/creds.yara | 19 +++++++++++++++++++ rules/exfil/stealer/file.yara | 1 - rules/exfil/stealer/telegram.yara | 1 - rules/false_positives/fzf.yara | 1 - rules/false_positives/kandji.yara | 1 - rules/false_positives/osqueryd.yara | 1 - rules/fs/event-monitoring.yara | 1 - rules/fs/file/file-truncate.yara | 1 - rules/fs/path/home-config.yara | 1 - rules/fs/path/home_library.yara | 1 - rules/fs/proc/pid-statistics.yara | 1 - rules/hw/cpu.yara | 1 - rules/impact/remote_access/base64_exec.yara | 1 - rules/impact/remote_access/dl_iterate.yara | 1 - 
rules/impact/remote_access/ssh.yara | 1 - rules/impact/ui/x11-auth.yara | 1 - rules/impact/ui/xsession.yara | 1 - rules/lateral/ssh/worm.yara | 1 - rules/malware/family/gelsemium.yara | 1 - rules/malware/family/platypus.yara | 1 - rules/malware/family/tinyshell.yara | 1 - rules/malware/family/yakuza.yara | 1 - rules/malware/ref.yara | 1 - rules/net/ssl/socket.yara | 1 - rules/os/fd/sendfile.yara | 1 - rules/os/fd/write.yara | 1 - rules/os/kernel/kcore.yara | 1 - rules/os/kernel/key-management.yara | 1 - rules/os/kernel/sysctl.yara | 1 - rules/os/time/tzinfo.yara | 1 - rules/privesc/setuid.yara | 1 - rules/process/group/create.yara | 1 - rules/process/group/set.yara | 1 - rules/process/terminate/arbitrary.yara | 1 - rules/process/terminate/taskkill.yara | 1 - rules/process/terminate/terminate.yara | 1 - rules/process/unshare.yara | 1 - 69 files changed, 19 insertions(+), 68 deletions(-) diff --git a/rules/anti-static/obfuscation/obfuscate.yara b/rules/anti-static/obfuscation/obfuscate.yara index fa631b7e0..0cdfa550a 100644 --- a/rules/anti-static/obfuscation/obfuscate.yara +++ b/rules/anti-static/obfuscation/obfuscate.yara @@ -20,4 +20,3 @@ rule obfuscator { condition: $obfuscate } - diff --git a/rules/anti-static/xor/xor-paths.yara b/rules/anti-static/xor/xor-paths.yara index 8c243288c..ca97e0aa7 100644 --- a/rules/anti-static/xor/xor-paths.yara +++ b/rules/anti-static/xor/xor-paths.yara @@ -29,4 +29,3 @@ rule xor_paths: high { condition: filesize < 10MB and any of them } - diff --git a/rules/c2/addr/discord.yara b/rules/c2/addr/discord.yara index 3e4bfee40..2a21e507d 100644 --- a/rules/c2/addr/discord.yara +++ b/rules/c2/addr/discord.yara @@ -9,4 +9,3 @@ rule discord: medium { condition: any of them } - diff --git a/rules/c2/addr/telegram.yara b/rules/c2/addr/telegram.yara index 342357ad2..35d398a4b 100644 --- a/rules/c2/addr/telegram.yara +++ b/rules/c2/addr/telegram.yara @@ -9,4 +9,3 @@ rule telegram: medium { condition: any of them } - 
diff --git a/rules/c2/connect/curl_easy.yara b/rules/c2/connect/curl_easy.yara index 9243bb835..7a22de6b2 100644 --- a/rules/c2/connect/curl_easy.yara +++ b/rules/c2/connect/curl_easy.yara @@ -8,4 +8,3 @@ rule curl_easy: medium { condition: filesize < 1MB and all of them } - diff --git a/rules/c2/connect/ping_pong.yara b/rules/c2/connect/ping_pong.yara index cbea87f0d..a3c903067 100644 --- a/rules/c2/connect/ping_pong.yara +++ b/rules/c2/connect/ping_pong.yara @@ -10,4 +10,3 @@ rule ping_pong: medium { condition: filesize < 1MB and all of them } - diff --git a/rules/c2/connect/server.yara b/rules/c2/connect/server.yara index 3c2f0df3f..057780ea3 100644 --- a/rules/c2/connect/server.yara +++ b/rules/c2/connect/server.yara @@ -8,4 +8,3 @@ rule connect_server: medium { condition: filesize < 1MB and any of them } - diff --git a/rules/c2/tool_transfer/bitsadmin.yara b/rules/c2/tool_transfer/bitsadmin.yara index 4031b9d85..bdbafce19 100644 --- a/rules/c2/tool_transfer/bitsadmin.yara +++ b/rules/c2/tool_transfer/bitsadmin.yara @@ -21,4 +21,3 @@ rule bitsadmin_transfer: high { condition: filesize < 250KB and all of them } - diff --git a/rules/credential/cloud/gcloud.yara b/rules/credential/cloud/gcloud.yara index b9b1cbf25..33271b098 100644 --- a/rules/credential/cloud/gcloud.yara +++ b/rules/credential/cloud/gcloud.yara @@ -9,4 +9,3 @@ rule gcloud_config_value: medium { condition: any of them } - diff --git a/rules/credential/gaming/minecraft.yara b/rules/credential/gaming/minecraft.yara index 31a8e91c5..85bb163f0 100644 --- a/rules/credential/gaming/minecraft.yara +++ b/rules/credential/gaming/minecraft.yara @@ -33,4 +33,3 @@ rule essential_microsoft_accounts: high { condition: all of them } - diff --git a/rules/crypto/public_key.yara b/rules/crypto/public_key.yara index 0bf020649..c3ee9cf2d 100644 --- a/rules/crypto/public_key.yara +++ b/rules/crypto/public_key.yara @@ -19,4 +19,3 @@ rule verifies_public_key: medium { condition: any of them } - 
diff --git a/rules/data/embedded/base64.yara b/rules/data/embedded/base64.yara index a362cf46d..55b7b5457 100644 --- a/rules/data/embedded/base64.yara +++ b/rules/data/embedded/base64.yara @@ -19,4 +19,3 @@ rule base64_content_reversed: high { condition: any of them } - diff --git a/rules/data/embedded/embedded-pem-certificate.yara b/rules/data/embedded/embedded-pem-certificate.yara index 47b7b51ba..01acc6bff 100644 --- a/rules/data/embedded/embedded-pem-certificate.yara +++ b/rules/data/embedded/embedded-pem-certificate.yara @@ -8,4 +8,3 @@ rule begin_cert { condition: any of them } - diff --git a/rules/data/embedded/embedded-pem-test_key.yara b/rules/data/embedded/embedded-pem-test_key.yara index d86bd5908..4b70b03c4 100644 --- a/rules/data/embedded/embedded-pem-test_key.yara +++ b/rules/data/embedded/embedded-pem-test_key.yara @@ -8,4 +8,3 @@ rule testing_key { condition: any of them } - diff --git a/rules/data/embedded/embedded-ssh-signature.yara b/rules/data/embedded/embedded-ssh-signature.yara index 4f8599acf..243abeffb 100644 --- a/rules/data/embedded/embedded-ssh-signature.yara +++ b/rules/data/embedded/embedded-ssh-signature.yara @@ -8,4 +8,3 @@ rule ssh_signature: medium { condition: any of them } - diff --git a/rules/data/encoding/audio-pcm.yara b/rules/data/encoding/audio-pcm.yara index 26d8b4db3..1e0334e28 100644 --- a/rules/data/encoding/audio-pcm.yara +++ b/rules/data/encoding/audio-pcm.yara @@ -7,4 +7,3 @@ rule pcm: harmless { condition: any of them } - diff --git a/rules/data/encoding/marshal.yara b/rules/data/encoding/marshal.yara index e91ccc893..6b3d96458 100644 --- a/rules/data/encoding/marshal.yara +++ b/rules/data/encoding/marshal.yara @@ -8,4 +8,3 @@ rule encoding_py_marshal: medium { condition: filesize < 1MB and any of them } - diff --git a/rules/data/random/insecure.yara b/rules/data/random/insecure.yara index 1b9ef1b43..e3154e1b2 100644 --- a/rules/data/random/insecure.yara +++ b/rules/data/random/insecure.yara 
@@ -22,4 +22,3 @@ rule insecure_rand { condition: any of them in (1000..3000) } - diff --git a/rules/discover/cloud/aws-metadata.yara b/rules/discover/cloud/aws-metadata.yara index 6fe4bd36f..572de2d2e 100644 --- a/rules/discover/cloud/aws-metadata.yara +++ b/rules/discover/cloud/aws-metadata.yara @@ -8,4 +8,3 @@ rule aws_metadata { condition: any of them } - diff --git a/rules/discover/cloud/google-docs.yara b/rules/discover/cloud/google-docs.yara index 86f0cfb00..68fbb6c02 100644 --- a/rules/discover/cloud/google-docs.yara +++ b/rules/discover/cloud/google-docs.yara @@ -6,4 +6,3 @@ rule google_docs_user: high { condition: any of them } - diff --git a/rules/discover/cloud/google-metadata.yara b/rules/discover/cloud/google-metadata.yara index 968e46ccd..00ce05660 100644 --- a/rules/discover/cloud/google-metadata.yara +++ b/rules/discover/cloud/google-metadata.yara @@ -8,4 +8,3 @@ rule google_metadata { condition: any of them } - diff --git a/rules/discover/cloud/google-storage.yara b/rules/discover/cloud/google-storage.yara index 18e39bfed..8c16af01d 100644 --- a/rules/discover/cloud/google-storage.yara +++ b/rules/discover/cloud/google-storage.yara @@ -8,4 +8,3 @@ rule go_import { condition: any of them } - diff --git a/rules/evasion/bypass_security/linux/iptables.yara b/rules/evasion/bypass_security/linux/iptables.yara index b585bb52b..43dacde20 100644 --- a/rules/evasion/bypass_security/linux/iptables.yara +++ b/rules/evasion/bypass_security/linux/iptables.yara @@ -58,4 +58,3 @@ rule iptables_delete: medium { condition: any of them } - diff --git a/rules/evasion/file/location/dev-mqueue.yara b/rules/evasion/file/location/dev-mqueue.yara index 455bed404..309bcc1a9 100644 --- a/rules/evasion/file/location/dev-mqueue.yara +++ b/rules/evasion/file/location/dev-mqueue.yara @@ -8,4 +8,3 @@ rule dev_mqueue: medium { condition: any of them } - diff --git a/rules/evasion/file/location/lib.yara b/rules/evasion/file/location/lib.yara index c0156c97c..114ded1b2 100644 
--- a/rules/evasion/file/location/lib.yara +++ b/rules/evasion/file/location/lib.yara @@ -44,4 +44,3 @@ rule multiple_lib_so_high: medium linux { condition: filesize < 10MB and uint32(0) == 1179403647 and #lib > 1 } - diff --git a/rules/evasion/file/location/var-tmp.yara b/rules/evasion/file/location/var-tmp.yara index e94e5b21b..0f736bd6c 100644 --- a/rules/evasion/file/location/var-tmp.yara +++ b/rules/evasion/file/location/var-tmp.yara @@ -21,4 +21,3 @@ rule var_tmp_path_hidden: high { condition: $ref and none of ($not*) } - diff --git a/rules/evasion/file/location/x11-unix.yara b/rules/evasion/file/location/x11-unix.yara index 1a04c6526..163cedd1a 100644 --- a/rules/evasion/file/location/x11-unix.yara +++ b/rules/evasion/file/location/x11-unix.yara @@ -30,4 +30,3 @@ rule hidden_x11_unexpected: high { condition: filesize < 10MB and $x11 and none of ($not*) } - diff --git a/rules/evasion/file/prefix/proc.yara b/rules/evasion/file/prefix/proc.yara index 8ccaebbbd..f542901fa 100644 --- a/rules/evasion/file/prefix/proc.yara +++ b/rules/evasion/file/prefix/proc.yara @@ -8,4 +8,3 @@ rule hidden_proc: high linux { condition: filesize < 10MB and all of them } - diff --git a/rules/evasion/mimicry/fake-library.yara b/rules/evasion/mimicry/fake-library.yara index bc9c19ca3..e749e2bd5 100644 --- a/rules/evasion/mimicry/fake-library.yara +++ b/rules/evasion/mimicry/fake-library.yara @@ -34,4 +34,3 @@ rule libc_fake_number_val: high { condition: $ref and none of ($not*) } - diff --git a/rules/exec/dylib/iterate.yara b/rules/exec/dylib/iterate.yara index f6bb503fe..d05bfe54d 100644 --- a/rules/exec/dylib/iterate.yara +++ b/rules/exec/dylib/iterate.yara @@ -9,4 +9,3 @@ rule dl_iterate_phdr { condition: any of them } - diff --git a/rules/exec/dylib/open.yara b/rules/exec/dylib/open.yara index c5cf89467..1bb64bdfb 100644 --- a/rules/exec/dylib/open.yara +++ b/rules/exec/dylib/open.yara @@ -21,4 +21,3 @@ rule ruby_dylib: low ruby { condition: any of them } - 
diff --git a/rules/exfil/curl_post.yara b/rules/exfil/curl_post.yara
index b564ec868..f5ce24f26 100644
--- a/rules/exfil/curl_post.yara
+++ b/rules/exfil/curl_post.yara
@@ -11,4 +11,3 @@ rule curl_post: medium {
 condition:
 filesize < 8KB and $curl and $post and any of ($http*)
 }
-
diff --git a/rules/exfil/stealer/creds.yara b/rules/exfil/stealer/creds.yara
index 40ee5909d..e05368279 100644
--- a/rules/exfil/stealer/creds.yara
+++ b/rules/exfil/stealer/creds.yara
@@ -96,3 +96,22 @@ rule STRRat_critical: critical {
 condition:
 filesize < 128KB and all of ($p*) and any of ($browser*) and any of ($mail*)
 }
+
+rule RustEthereumSolanaStealer: critical {
+ meta:
+ description = "steals ethereum and solana wallet keys via compromised Crates"
+ filetypes = "rs"
+
+ strings:
+ $base58 = "base58" nocase
+ $base58_alphabet = "const BASE58_ALPHABET: &[u8] = b\"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";"
+ $endpoint_sub1 = "mainnet"
+ $endpoint_sub2 = "solana-rpc-pool"
+ $endpoint_domain = "workers.dev"
+ $regex1 = "Regex::new(r#\"\\[(?:\\s*0x[0-9a-fA-F]{1,2}\\s*,?\\s*)+\\]|\\[(?:\\s*\\d{1,3}\\s*,?\\s*)+\\]\"#)?"
+ $regex2 = "Regex::new(r#\"\"[1-9A-HJ-NP-Za-km-z]{32,44}\"\"#)?"
+ $regex3 = "Regex::new(r#\"\"0x[0-9a-fA-F]{64}\"\"#)?"
+
+ condition:
+ filesize < 128KB and any of ($base58*) and all of ($endpoint*) and any of ($regex*)
+}
diff --git a/rules/exfil/stealer/file.yara b/rules/exfil/stealer/file.yara
index 2d28fa782..5fd5b5939 100644
--- a/rules/exfil/stealer/file.yara
+++ b/rules/exfil/stealer/file.yara
@@ -103,4 +103,3 @@ rule curl_easy_exfil: high {
 condition:
 filesize < 1MB and all of them
 }
-
diff --git a/rules/exfil/stealer/telegram.yara b/rules/exfil/stealer/telegram.yara
index 3aa9e414a..1a5d951c8 100644
--- a/rules/exfil/stealer/telegram.yara
+++ b/rules/exfil/stealer/telegram.yara
@@ -34,4 +34,3 @@ rule telegram_content: critical {
 condition:
 filesize < 32KB and all of them
 }
-
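Review bot: The three `$regex*` strings in RustEthereumSolanaStealer are plain text strings that embed the entire `Regex::new(r#"…"#)?` call, so any cosmetic change to the source (rustfmt wrapping the argument, a different raw-string hash count, `.unwrap()` in place of `?`) defeats them while the wallet-harvesting logic is untouched; matching on the pattern bodies alone, e.g. `$regex2 = "[1-9A-HJ-NP-Za-km-z]{32,44}"` and `$regex3 = "0x[0-9a-fA-F]{64}"`, keeps the same intent and survives reformatting, and `all of ($endpoint*)` still anchors the verdict to the attacker infrastructure. The meta block records only `description` and `filetypes`, with nothing pointing at the advisory or sample the strings were lifted from, which is the first thing a triager will want when a `critical` rule fires on a crate build; a reference entry such as `ref = "<advisory URL>"` (using whichever key this repository's other rules use for references) would carry that. The rule name is CamelCase while the surrounding rules in this file (`STRRat_critical`, `curl_easy_exfil`) are snake_case; worth aligning before it is referenced elsewhere.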
diff --git a/rules/false_positives/fzf.yara b/rules/false_positives/fzf.yara index 557e7a345..cca1300c3 100644 --- a/rules/false_positives/fzf.yara +++ b/rules/false_positives/fzf.yara @@ -9,4 +9,3 @@ rule fzf: override { condition: filesize < 6MB and any of them } - diff --git a/rules/false_positives/kandji.yara b/rules/false_positives/kandji.yara index 771fea014..8cea25b29 100644 --- a/rules/false_positives/kandji.yara +++ b/rules/false_positives/kandji.yara @@ -9,4 +9,3 @@ rule kandji: override { condition: any of them } - diff --git a/rules/false_positives/osqueryd.yara b/rules/false_positives/osqueryd.yara index c421f7c2f..0bcdc93d9 100644 --- a/rules/false_positives/osqueryd.yara +++ b/rules/false_positives/osqueryd.yara @@ -10,4 +10,3 @@ rule osqueryd: override { condition: filesize < 100MB and any of them } - diff --git a/rules/fs/event-monitoring.yara b/rules/fs/event-monitoring.yara index dbe379af3..51495b907 100644 --- a/rules/fs/event-monitoring.yara +++ b/rules/fs/event-monitoring.yara @@ -10,4 +10,3 @@ rule syscall_fanotify_init: linux { condition: any of them } - diff --git a/rules/fs/file/file-truncate.yara b/rules/fs/file/file-truncate.yara index 97b315f94..149950ce7 100644 --- a/rules/fs/file/file-truncate.yara +++ b/rules/fs/file/file-truncate.yara @@ -22,4 +22,3 @@ rule truncate: harmless { condition: any of them } - diff --git a/rules/fs/path/home-config.yara b/rules/fs/path/home-config.yara index 0a0f552b9..6a5f8db8b 100644 --- a/rules/fs/path/home-config.yara +++ b/rules/fs/path/home-config.yara @@ -8,4 +8,3 @@ rule home_config_path { condition: any of them } - diff --git a/rules/fs/path/home_library.yara b/rules/fs/path/home_library.yara index 47fb6e142..d01ffb81b 100644 --- a/rules/fs/path/home_library.yara +++ b/rules/fs/path/home_library.yara @@ -8,4 +8,3 @@ rule home_lib_path { condition: any of them } - diff --git a/rules/fs/proc/pid-statistics.yara b/rules/fs/proc/pid-statistics.yara index 2d583bb62..2a92efc29 100644 
--- a/rules/fs/proc/pid-statistics.yara +++ b/rules/fs/proc/pid-statistics.yara @@ -9,4 +9,3 @@ rule proc_pid_stat_val { condition: any of them } - diff --git a/rules/hw/cpu.yara b/rules/hw/cpu.yara index 5a7b9bf6b..371377d31 100644 --- a/rules/hw/cpu.yara +++ b/rules/hw/cpu.yara @@ -19,4 +19,3 @@ rule CpuInfoAndModel: macos medium { condition: any of them } - diff --git a/rules/impact/remote_access/base64_exec.yara b/rules/impact/remote_access/base64_exec.yara index 0d4784cca..1791d52f4 100644 --- a/rules/impact/remote_access/base64_exec.yara +++ b/rules/impact/remote_access/base64_exec.yara @@ -12,4 +12,3 @@ rule hex_convert_base64_ascii: high { condition: filesize < 32KB and any of ($lang*) and any of ($b*) and any of ($exec*) } - diff --git a/rules/impact/remote_access/dl_iterate.yara b/rules/impact/remote_access/dl_iterate.yara index fd4a9401f..b6ee1fd30 100644 --- a/rules/impact/remote_access/dl_iterate.yara +++ b/rules/impact/remote_access/dl_iterate.yara @@ -12,4 +12,3 @@ rule dl_iterate_cpu_pthreads: high linux { condition: filesize < 1200KB and uint32(0) == 1179403647 and all of them } - diff --git a/rules/impact/remote_access/ssh.yara b/rules/impact/remote_access/ssh.yara index 20e4b7b0c..1c4604d65 100644 --- a/rules/impact/remote_access/ssh.yara +++ b/rules/impact/remote_access/ssh.yara @@ -24,4 +24,3 @@ rule sshd_backdoor_private_key: critical { condition: filesize < 5MB and all of them } - diff --git a/rules/impact/ui/x11-auth.yara b/rules/impact/ui/x11-auth.yara index 56f8b722d..00c8bbdf5 100644 --- a/rules/impact/ui/x11-auth.yara +++ b/rules/impact/ui/x11-auth.yara @@ -10,4 +10,3 @@ rule x11_refs: medium { condition: any of them } - diff --git a/rules/impact/ui/xsession.yara b/rules/impact/ui/xsession.yara index 0a77552ee..bd37f7ce2 100644 --- a/rules/impact/ui/xsession.yara +++ b/rules/impact/ui/xsession.yara @@ -8,4 +8,3 @@ rule xsession: medium { condition: any of them } - 
diff --git a/rules/lateral/ssh/worm.yara b/rules/lateral/ssh/worm.yara index 0e80a1698..343c61602 100644 --- a/rules/lateral/ssh/worm.yara +++ b/rules/lateral/ssh/worm.yara @@ -46,4 +46,3 @@ rule ssh_worm_router: high { condition: filesize < 1MB and all of ($s*) and any of ($h*) and 2 of ($p*) } - diff --git a/rules/malware/family/gelsemium.yara b/rules/malware/family/gelsemium.yara index 19ba3407b..4fe5a0806 100644 --- a/rules/malware/family/gelsemium.yara +++ b/rules/malware/family/gelsemium.yara @@ -24,4 +24,3 @@ rule wolfsbane_rc4_key: critical linux { condition: filesize < 10MB and all of them } - diff --git a/rules/malware/family/platypus.yara b/rules/malware/family/platypus.yara index a59699311..eb7874ead 100644 --- a/rules/malware/family/platypus.yara +++ b/rules/malware/family/platypus.yara @@ -11,4 +11,3 @@ rule go_platypus: critical { condition: filesize < 17MB and 3 of them } - diff --git a/rules/malware/family/tinyshell.yara b/rules/malware/family/tinyshell.yara index 3e0719123..a901f0a7a 100644 --- a/rules/malware/family/tinyshell.yara +++ b/rules/malware/family/tinyshell.yara @@ -22,4 +22,3 @@ rule c_tinyshell: critical { condition: filesize < 1MB and all of them } - diff --git a/rules/malware/family/yakuza.yara b/rules/malware/family/yakuza.yara index da2d9c3cd..fa1c71039 100644 --- a/rules/malware/family/yakuza.yara +++ b/rules/malware/family/yakuza.yara @@ -9,4 +9,3 @@ rule yakuza: critical linux { condition: uint32(0) == 1179403647 and filesize > 100KB and filesize < 250KB and all of them } - diff --git a/rules/malware/ref.yara b/rules/malware/ref.yara index b58e2d895..6973f5849 100644 --- a/rules/malware/ref.yara +++ b/rules/malware/ref.yara @@ -19,4 +19,3 @@ rule inject_malware: high { condition: any of them } - diff --git a/rules/net/ssl/socket.yara b/rules/net/ssl/socket.yara index 3f9c9b976..10165fd94 100644 --- a/rules/net/ssl/socket.yara +++ b/rules/net/ssl/socket.yara @@ -9,4 +9,3 @@ rule py_ssl_socket: medium { condition: all of them } - 
diff --git a/rules/os/fd/sendfile.yara b/rules/os/fd/sendfile.yara index b311bbd5d..4f89d326e 100644 --- a/rules/os/fd/sendfile.yara +++ b/rules/os/fd/sendfile.yara @@ -11,4 +11,3 @@ rule sendfile { condition: any of them } - diff --git a/rules/os/fd/write.yara b/rules/os/fd/write.yara index d675c4b28..c0910fd6c 100644 --- a/rules/os/fd/write.yara +++ b/rules/os/fd/write.yara @@ -39,4 +39,3 @@ rule py_fd_write { condition: any of them } - diff --git a/rules/os/kernel/kcore.yara b/rules/os/kernel/kcore.yara index b558c9c00..b4b00347f 100644 --- a/rules/os/kernel/kcore.yara +++ b/rules/os/kernel/kcore.yara @@ -9,4 +9,3 @@ rule kcore: unusual { condition: any of them } - diff --git a/rules/os/kernel/key-management.yara b/rules/os/kernel/key-management.yara index f1e5166ae..992ce5205 100644 --- a/rules/os/kernel/key-management.yara +++ b/rules/os/kernel/key-management.yara @@ -9,4 +9,3 @@ rule syscall_keyctl { condition: any of them } - diff --git a/rules/os/kernel/sysctl.yara b/rules/os/kernel/sysctl.yara index d682a0e05..5c1379626 100644 --- a/rules/os/kernel/sysctl.yara +++ b/rules/os/kernel/sysctl.yara @@ -9,4 +9,3 @@ rule sysctl: harmless { condition: any of them } - diff --git a/rules/os/time/tzinfo.yara b/rules/os/time/tzinfo.yara index 87797236b..1ad8e2fe7 100644 --- a/rules/os/time/tzinfo.yara +++ b/rules/os/time/tzinfo.yara @@ -10,4 +10,3 @@ rule tzinfo { condition: any of them } - diff --git a/rules/privesc/setuid.yara b/rules/privesc/setuid.yara index 9a0944471..c1bf3011d 100644 --- a/rules/privesc/setuid.yara +++ b/rules/privesc/setuid.yara @@ -85,4 +85,3 @@ rule ruby_setuid_0: high { condition: any of them } - diff --git a/rules/process/group/create.yara b/rules/process/group/create.yara index 2090f86f6..fbb8fa40e 100644 --- a/rules/process/group/create.yara +++ b/rules/process/group/create.yara @@ -11,4 +11,3 @@ rule syscalls: harmless { condition: any of them } - 
diff --git a/rules/process/group/set.yara b/rules/process/group/set.yara index 4cfaea556..dff68d87f 100644 --- a/rules/process/group/set.yara +++ b/rules/process/group/set.yara @@ -10,4 +10,3 @@ rule setpgid: harmless { condition: any of them } - diff --git a/rules/process/terminate/arbitrary.yara b/rules/process/terminate/arbitrary.yara index 84d971d65..dfe42da46 100644 --- a/rules/process/terminate/arbitrary.yara +++ b/rules/process/terminate/arbitrary.yara @@ -19,4 +19,3 @@ rule kill_9_d: high { condition: any of them } - diff --git a/rules/process/terminate/taskkill.yara b/rules/process/terminate/taskkill.yara index a1121fef2..37de64d27 100644 --- a/rules/process/terminate/taskkill.yara +++ b/rules/process/terminate/taskkill.yara @@ -21,4 +21,3 @@ rule taskkill_force: high windows { condition: any of them } - diff --git a/rules/process/terminate/terminate.yara b/rules/process/terminate/terminate.yara index c239f02f9..2452b6f7d 100644 --- a/rules/process/terminate/terminate.yara +++ b/rules/process/terminate/terminate.yara @@ -9,4 +9,3 @@ rule TerminateProcess: medium { condition: any of them } - diff --git a/rules/process/unshare.yara b/rules/process/unshare.yara index ae298547c..09c44ea43 100644 --- a/rules/process/unshare.yara +++ b/rules/process/unshare.yara @@ -11,4 +11,3 @@ rule syscall_unshare { condition: any of them } - From 70c9b552738df7e2861362bf3852213eab829501 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Fri, 26 Sep 2025 13:40:01 -0500 Subject: [PATCH 2/3] Expand additional rules to capture the URL IOC Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/c2/addr/url.yara | 12 ++++++++++++ rules/net/url/embedded.yara | 11 +++++++++++ 2 files changed, 23 insertions(+) diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index 963e89ffc..6573ff092 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara 
@@ -76,6 +76,18 @@ rule http_url_with_question: medium {
 filesize < 256KB and any of ($f*) and $ref and none of ($not*)
 }
 
+rule binary_with_malicious_url: critical {
+ meta:
+ description = "binary contains hardcoded, malicious URL"
+ filetypes = "elf,macho"
+
+ strings:
+ $ = "https://mainnet.solana-rpc-pool.workers.dev"
+
+ condition:
+ filesize < 150MB and elf_or_macho and any of them
+}
+
 rule binary_with_url: low {
 meta:
 description = "binary contains hardcoded URL"
diff --git a/rules/net/url/embedded.yara b/rules/net/url/embedded.yara
index 86f392c74..d425db013 100644
--- a/rules/net/url/embedded.yara
+++ b/rules/net/url/embedded.yara
@@ -1,3 +1,14 @@
+rule malicious_https_url: critical {
+ meta:
+ description = "contains embedded, malicious HTTPS URLs"
+
+ strings:
+ $ = "https://mainnet.solana-rpc-pool.workers.dev"
+
+ condition:
+ any of them
+}
+
 rule https_url {
 meta:
 description = "contains embedded HTTPS URLs"
From bf75db1173623087041b2fa7a97cd7089c3cfbfe Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:43:26 -0500
Subject: [PATCH 3/3] Better regex string naming
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
rules/exfil/stealer/creds.yara | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/exfil/stealer/creds.yara b/rules/exfil/stealer/creds.yara
index e05368279..0639b9879 100644
--- a/rules/exfil/stealer/creds.yara
+++ b/rules/exfil/stealer/creds.yara
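Review bot: Both new rules, binary_with_malicious_url here and malicious_https_url in rules/net/url/embedded.yara, pin a `critical` verdict to the single literal `https://mainnet.solana-rpc-pool.workers.dev` with no meta entry saying where the indicator came from, so a later maintainer cannot judge when it is stale or whether a sibling worker hostname belongs in the same rule; a reference such as `ref = "<advisory URL>"` (using whichever key the repository's other rules use) next to `description` would carry that context, and the note need only be written once and mirrored in both files. Because the indicator includes the scheme, a binary or config that stores only the host will not match either rule, whereas the source-level rule in creds.yara deliberately matches the host components; dropping the `https://` prefix, `$ = "mainnet.solana-rpc-pool.workers.dev"`, would make the three rules agree. `elf_or_macho` is not defined in this hunk and the neighbouring `binary_with_url` condition lies outside it, so I am assuming it is a helper rule already in scope for this file; worth confirming rather than inferring from the name.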
@@ -103,14 +103,14 @@ rule RustEthereumSolanaStealer: critical {
 filetypes = "rs"
 
 strings:
- $base58 = "base58" nocase
- $base58_alphabet = "const BASE58_ALPHABET: &[u8] = b\"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";"
- $endpoint_sub1 = "mainnet"
- $endpoint_sub2 = "solana-rpc-pool"
- $endpoint_domain = "workers.dev"
- $regex1 = "Regex::new(r#\"\\[(?:\\s*0x[0-9a-fA-F]{1,2}\\s*,?\\s*)+\\]|\\[(?:\\s*\\d{1,3}\\s*,?\\s*)+\\]\"#)?"
- $regex2 = "Regex::new(r#\"\"[1-9A-HJ-NP-Za-km-z]{32,44}\"\"#)?"
- $regex3 = "Regex::new(r#\"\"0x[0-9a-fA-F]{64}\"\"#)?"
+ $base58 = "base58" nocase
+ $base58_alphabet = "const BASE58_ALPHABET: &[u8] = b\"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";"
+ $endpoint_sub1 = "mainnet"
+ $endpoint_sub2 = "solana-rpc-pool"
+ $endpoint_domain = "workers.dev"
+ $regex_byte_array = "Regex::new(r#\"\\[(?:\\s*0x[0-9a-fA-F]{1,2}\\s*,?\\s*)+\\]|\\[(?:\\s*\\d{1,3}\\s*,?\\s*)+\\]\"#)?"
+ $regex_address = "Regex::new(r#\"\"[1-9A-HJ-NP-Za-km-z]{32,44}\"\"#)?"
+ $regex_hex = "Regex::new(r#\"\"0x[0-9a-fA-F]{64}\"\"#)?"
 
 condition:
 filesize < 128KB and any of ($base58*) and all of ($endpoint*) and any of ($regex*)