mirror of
https://github.com/blackorbird/APT_REPORT.git
synced 2025-06-12 02:04:17 +00:00
30 lines
1011 B
Plaintext
30 lines
1011 B
Plaintext
import “pe”
|
|
rule OceanLotus_Steganography_Loader
|
|
{
|
|
meta:
|
|
description = “OceanLotus Steganography Loader”
|
|
strings:
|
|
$data1 = “.?AVCBC_ModeBase@CryptoPP@@” ascii
|
|
condition:\
|
|
// Must be MZ file
|
|
uint16(0) == 0x5A4D and
|
|
// Must be smaller than 2MB
|
|
filesize < 2MB and
|
|
// Must be a DLL
|
|
pe.characteristics & pe.DLL and
|
|
// Must contain the following imports
|
|
pe.imports(“gdiplus.dll”, “GdipGetImageWidth”) and
|
|
pe.imports(“gdiplus.dll”, “GdipCreateBitmapFromFile”) and
|
|
pe.imports(“kernel32.dll”, “WriteProcessMemory”) and
|
|
// Check for strings in .data
|
|
for all of ($data*) :
|
|
(
|
|
$ in
|
|
(
|
|
pe.sections[pe.section_index(“.data”)].raw_data_offset
|
|
..
|
|
pe.sections[pe.section_index(“.data”)].raw_data_offset + pe.sections[pe.section_index(“.data”)].raw_data_size
|
|
)
|
|
)
|
|
}
|