So, the “modules,” in YARA make everything pretty easy. Want to catch Hancitor documents? There’s a rule for that:
import "magic"
rule hancitor {
meta:
description = "Rule to catch new versions of Hancitor dropper document"
author = "Brian C. Bell - @Biebermalware"
strings:
$api1 = "ntdll.dll" nocase
$api2 = "NtWriteVirtualMemory" nocase
$api3 = "NtAllocateVirtualMemory" nocase
condition: magic.type() contains "Document" and all of ($api*)
}
Sorry…the indentions are lost when I copy/pasta to wordpress. You can figure it out, I’m sure.
Anyway…easy way to catch Hancitor, right? But what if you’re running a shitty IDS that can’t use half the modules out there (I’m looking at you, Fidelis XPS)? No magic modules. Try implementing that rule without magic, and it’ll hit on just about every executable out there. What to do?!
Well…what does magic do? Really, it just looks at “magic numbers,” or unique file headers, to identify file types. In the case of traditional document files (not Structured Storage), the “magic number” is “d0 cf 11 e0” or “docfile,” because someone at Microsoft thought that was clever.
Now that we have that established, we see that the magic module isn’t doing anything magical at all. Instead of using that module, we can simply look for the file signature in the first 4 bytes.
rule hancitorNoMagic {
meta:
description = "Rule to catch new versions of Hancitor dropper document without using the magic module"
author = "Brian C. Bell - @Biebermalware"
strings:
$magic = { d0 cf 11 e0 }
$api1 = "ntdll.dll" nocase
$api2 = "NtWriteVirtualMemory" nocase
$api3 = "NtAllocateVirtualMemory" nocase
condition: $magic in (0..3) and all of ($api*)
}
Again, sorry for the lack of indention, but you can figure it out. All we did is identify a unique byte sequence instead of depending on a module which is, for all intents and purposes, “black box” to most of us.
Now, go forth and write YARA rules.
Article Link: https://biebermalware.wordpress.com/2018/01/19/lets-not-get-too-spoiled/