Add rule for recent Crate compromises; run fmt to pick up new yara-x newline formatting

rules/anti-static/obfuscation/obfuscate.yara

@@ -20,4 +20,3 @@ rule obfuscator {
   condition:
     $obfuscate
 }
-

rules/anti-static/xor/xor-paths.yara

@@ -29,4 +29,3 @@ rule xor_paths: high {
   condition:
     filesize < 10MB and any of them
 }
-

rules/c2/addr/discord.yara

@@ -9,4 +9,3 @@ rule discord: medium {
   condition:
     any of them
 }
-

rules/c2/addr/telegram.yara

@@ -9,4 +9,3 @@ rule telegram: medium {
   condition:
     any of them
 }
-

rules/c2/addr/url.yara

@@ -76,6 +76,18 @@ rule http_url_with_question: medium {
     filesize < 256KB and any of ($f*) and $ref and none of ($not*)
 }
 
+rule binary_with_malicious_url: critical {
+  meta:
+    description = "binary contains hardcoded, malicious URL"
+    filetypes   = "elf,macho"
+
+  strings:
+    $ = "https://mainnet.solana-rpc-pool.workers.dev"
+
+  condition:
+    filesize < 150MB and elf_or_macho and any of them
+}
+
 rule binary_with_url: low {
   meta:
     description = "binary contains hardcoded URL"

rules/c2/connect/curl_easy.yara

@@ -8,4 +8,3 @@ rule curl_easy: medium {
   condition:
     filesize < 1MB and all of them
 }
-

rules/c2/connect/ping_pong.yara

@@ -10,4 +10,3 @@ rule ping_pong: medium {
   condition:
     filesize < 1MB and all of them
 }
-

rules/c2/connect/server.yara

@@ -8,4 +8,3 @@ rule connect_server: medium {
   condition:
     filesize < 1MB and any of them
 }
-

rules/c2/tool_transfer/bitsadmin.yara

@@ -21,4 +21,3 @@ rule bitsadmin_transfer: high {
   condition:
     filesize < 250KB and all of them
 }
-

rules/credential/cloud/gcloud.yara

@@ -9,4 +9,3 @@ rule gcloud_config_value: medium {
   condition:
     any of them
 }
-

rules/credential/gaming/minecraft.yara

@@ -33,4 +33,3 @@ rule essential_microsoft_accounts: high {
   condition:
     all of them
 }
-

rules/crypto/public_key.yara

@@ -19,4 +19,3 @@ rule verifies_public_key: medium {
   condition:
     any of them
 }
-

rules/data/embedded/base64.yara

@@ -19,4 +19,3 @@ rule base64_content_reversed: high {
   condition:
     any of them
 }
-

rules/data/embedded/embedded-pem-certificate.yara

@@ -8,4 +8,3 @@ rule begin_cert {
   condition:
     any of them
 }
-

rules/data/embedded/embedded-pem-test_key.yara

@@ -8,4 +8,3 @@ rule testing_key {
   condition:
     any of them
 }
-

rules/data/embedded/embedded-ssh-signature.yara

@@ -8,4 +8,3 @@ rule ssh_signature: medium {
   condition:
     any of them
 }
-

rules/data/encoding/audio-pcm.yara

@@ -7,4 +7,3 @@ rule pcm: harmless {
   condition:
     any of them
 }
-

rules/data/encoding/marshal.yara

@@ -8,4 +8,3 @@ rule encoding_py_marshal: medium {
   condition:
     filesize < 1MB and any of them
 }
-

rules/data/random/insecure.yara

@@ -22,4 +22,3 @@ rule insecure_rand {
   condition:
     any of them in (1000..3000)
 }
-

rules/discover/cloud/aws-metadata.yara

@@ -8,4 +8,3 @@ rule aws_metadata {
   condition:
     any of them
 }
-

rules/discover/cloud/google-docs.yara

@@ -6,4 +6,3 @@ rule google_docs_user: high {
   condition:
     any of them
 }
-

rules/discover/cloud/google-metadata.yara

@@ -8,4 +8,3 @@ rule google_metadata {
   condition:
     any of them
 }
-

rules/discover/cloud/google-storage.yara

@@ -8,4 +8,3 @@ rule go_import {
   condition:
     any of them
 }
-

rules/evasion/bypass_security/linux/iptables.yara

@@ -58,4 +58,3 @@ rule iptables_delete: medium {
   condition:
     any of them
 }
-

rules/evasion/file/location/dev-mqueue.yara

@@ -8,4 +8,3 @@ rule dev_mqueue: medium {
   condition:
     any of them
 }
-

rules/evasion/file/location/lib.yara

@@ -44,4 +44,3 @@ rule multiple_lib_so_high: medium linux {
   condition:
     filesize < 10MB and uint32(0) == 1179403647 and #lib > 1
 }
-

rules/evasion/file/location/var-tmp.yara

@@ -21,4 +21,3 @@ rule var_tmp_path_hidden: high {
   condition:
     $ref and none of ($not*)
 }
-

rules/evasion/file/location/x11-unix.yara

@@ -30,4 +30,3 @@ rule hidden_x11_unexpected: high {
   condition:
     filesize < 10MB and $x11 and none of ($not*)
 }
-

rules/evasion/file/prefix/proc.yara

@@ -8,4 +8,3 @@ rule hidden_proc: high linux {
   condition:
     filesize < 10MB and all of them
 }
-

rules/evasion/mimicry/fake-library.yara

@@ -34,4 +34,3 @@ rule libc_fake_number_val: high {
   condition:
     $ref and none of ($not*)
 }
-

rules/exec/dylib/iterate.yara

@@ -9,4 +9,3 @@ rule dl_iterate_phdr {
   condition:
     any of them
 }
-

rules/exec/dylib/open.yara

@@ -21,4 +21,3 @@ rule ruby_dylib: low ruby {
   condition:
     any of them
 }
-

rules/exfil/curl_post.yara

@@ -11,4 +11,3 @@ rule curl_post: medium {
   condition:
     filesize < 8KB and $curl and $post and any of ($http*)
 }
-

rules/exfil/stealer/creds.yara

@@ -96,3 +96,22 @@ rule STRRat_critical: critical {
   condition:
     filesize < 128KB and all of ($p*) and any of ($browser*) and any of ($mail*)
 }
+
+rule RustEthereumSolanaStealer: critical {
+  meta:
+    description = "steals ethereum and solana wallet keys via compromised Crates"
+    filetypes   = "rs"
+
+  strings:
+    $base58           = "base58" nocase
+    $base58_alphabet  = "const BASE58_ALPHABET: &[u8] = b\"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";"
+    $endpoint_sub1    = "mainnet"
+    $endpoint_sub2    = "solana-rpc-pool"
+    $endpoint_domain  = "workers.dev"
+    $regex_byte_array = "Regex::new(r#\"\\[(?:\\s*0x[0-9a-fA-F]{1,2}\\s*,?\\s*)+\\]|\\[(?:\\s*\\d{1,3}\\s*,?\\s*)+\\]\"#)?"
+    $regex_address    = "Regex::new(r#\"\"[1-9A-HJ-NP-Za-km-z]{32,44}\"\"#)?"
+    $regex_hex        = "Regex::new(r#\"\"0x[0-9a-fA-F]{64}\"\"#)?"
+
+  condition:
+    filesize < 128KB and any of ($base58*) and all of ($endpoint*) and any of ($regex*)
+}

rules/exfil/stealer/file.yara

@@ -103,4 +103,3 @@ rule curl_easy_exfil: high {
   condition:
     filesize < 1MB and all of them
 }
-

rules/exfil/stealer/telegram.yara

@@ -34,4 +34,3 @@ rule telegram_content: critical {
   condition:
     filesize < 32KB and all of them
 }
-

rules/false_positives/fzf.yara

@@ -9,4 +9,3 @@ rule fzf: override {
   condition:
     filesize < 6MB and any of them
 }
-

rules/false_positives/kandji.yara

@@ -9,4 +9,3 @@ rule kandji: override {
   condition:
     any of them
 }
-

rules/false_positives/osqueryd.yara

@@ -10,4 +10,3 @@ rule osqueryd: override {
   condition:
     filesize < 100MB and any of them
 }
-

rules/fs/event-monitoring.yara

@@ -10,4 +10,3 @@ rule syscall_fanotify_init: linux {
   condition:
     any of them
 }
-

rules/fs/file/file-truncate.yara

@@ -22,4 +22,3 @@ rule truncate: harmless {
   condition:
     any of them
 }
-

rules/fs/path/home-config.yara

@@ -8,4 +8,3 @@ rule home_config_path {
   condition:
     any of them
 }
-

rules/fs/path/home_library.yara

@@ -8,4 +8,3 @@ rule home_lib_path {
   condition:
     any of them
 }
-

rules/fs/proc/pid-statistics.yara

@@ -9,4 +9,3 @@ rule proc_pid_stat_val {
   condition:
     any of them
 }
-

rules/hw/cpu.yara

@@ -19,4 +19,3 @@ rule CpuInfoAndModel: macos medium {
   condition:
     any of them
 }
-

rules/impact/remote_access/base64_exec.yara

@@ -12,4 +12,3 @@ rule hex_convert_base64_ascii: high {
   condition:
     filesize < 32KB and any of ($lang*) and any of ($b*) and any of ($exec*)
 }
-

rules/impact/remote_access/dl_iterate.yara

@@ -12,4 +12,3 @@ rule dl_iterate_cpu_pthreads: high linux {
   condition:
     filesize < 1200KB and uint32(0) == 1179403647 and all of them
 }
-

rules/impact/remote_access/ssh.yara

@@ -24,4 +24,3 @@ rule sshd_backdoor_private_key: critical {
   condition:
     filesize < 5MB and all of them
 }
-

rules/impact/ui/x11-auth.yara

@@ -10,4 +10,3 @@ rule x11_refs: medium {
   condition:
     any of them
 }
-

rules/impact/ui/xsession.yara

@@ -8,4 +8,3 @@ rule xsession: medium {
   condition:
     any of them
 }
-

rules/lateral/ssh/worm.yara

@@ -46,4 +46,3 @@ rule ssh_worm_router: high {
   condition:
     filesize < 1MB and all of ($s*) and any of ($h*) and 2 of ($p*)
 }
-

rules/malware/family/gelsemium.yara

@@ -24,4 +24,3 @@ rule wolfsbane_rc4_key: critical linux {
   condition:
     filesize < 10MB and all of them
 }
-

rules/malware/family/platypus.yara

@@ -11,4 +11,3 @@ rule go_platypus: critical {
   condition:
     filesize < 17MB and 3 of them
 }
-

rules/malware/family/tinyshell.yara

@@ -22,4 +22,3 @@ rule c_tinyshell: critical {
   condition:
     filesize < 1MB and all of them
 }
-

rules/malware/family/yakuza.yara

@@ -9,4 +9,3 @@ rule yakuza: critical linux {
   condition:
     uint32(0) == 1179403647 and filesize > 100KB and filesize < 250KB and all of them
 }
-

rules/malware/ref.yara

@@ -19,4 +19,3 @@ rule inject_malware: high {
   condition:
     any of them
 }
-

rules/net/ssl/socket.yara

@@ -9,4 +9,3 @@ rule py_ssl_socket: medium {
   condition:
     all of them
 }
-

rules/net/url/embedded.yara

@@ -1,3 +1,14 @@
+rule malicious_https_url: critical {
+  meta:
+    description = "contains embedded, malicious HTTPS URLs"
+
+  strings:
+    $ = "https://mainnet.solana-rpc-pool.workers.dev"
+
+  condition:
+    any of them
+}
+
 rule https_url {
   meta:
     description = "contains embedded HTTPS URLs"

rules/os/fd/sendfile.yara

@@ -11,4 +11,3 @@ rule sendfile {
   condition:
     any of them
 }
-

rules/os/fd/write.yara

@@ -39,4 +39,3 @@ rule py_fd_write {
   condition:
     any of them
 }
-

rules/os/kernel/kcore.yara

@@ -9,4 +9,3 @@ rule kcore: unusual {
   condition:
     any of them
 }
-

rules/os/kernel/key-management.yara

@@ -9,4 +9,3 @@ rule syscall_keyctl {
   condition:
     any of them
 }
-

rules/os/kernel/sysctl.yara

@@ -9,4 +9,3 @@ rule sysctl: harmless {
   condition:
     any of them
 }
-

rules/os/time/tzinfo.yara

@@ -10,4 +10,3 @@ rule tzinfo {
   condition:
     any of them
 }
-

rules/privesc/setuid.yara

@@ -85,4 +85,3 @@ rule ruby_setuid_0: high {
   condition:
     any of them
 }
-

rules/process/group/create.yara

@@ -11,4 +11,3 @@ rule syscalls: harmless {
   condition:
     any of them
 }
-

rules/process/group/set.yara

@@ -10,4 +10,3 @@ rule setpgid: harmless {
   condition:
     any of them
 }
-

rules/process/terminate/arbitrary.yara

@@ -19,4 +19,3 @@ rule kill_9_d: high {
   condition:
     any of them
 }
-

rules/process/terminate/taskkill.yara

@@ -21,4 +21,3 @@ rule taskkill_force: high windows {
   condition:
     any of them
 }
-

rules/process/terminate/terminate.yara

@@ -9,4 +9,3 @@ rule TerminateProcess: medium {
   condition:
     any of them
 }
-

rules/process/unshare.yara

@@ -11,4 +11,3 @@ rule syscall_unshare {
   condition:
     any of them
 }
-