Bitter (蔓灵花) malicious CHM YARA rule

Monitoring over the past few years has shown a steady stream of Bitter (蔓灵花) CHM deliveries. The attachment arrives inside an archive, and the subject, body and attachment name are tailored to the recipient, which is characteristic of spear-phishing.

https://www.freebuf.com/articles/network/271187.html

Note: Easy CHM or HugeCHM can be used to package a CHM.

In testing, a CHM containing an HTML page built with Easy CHM (registered version) most closely matched the characteristics of the Bitter samples.

YARA rule

rule Bitter_Malicious_chm
{
    meta:
        author = "Demo"
        description = "Detect Bitter malicious CHM documents"
        version = "1.0"
        date = "2023-02-16"
    strings:
        // ITSF magic, version 3, header length 0x60, unknown field 1: the standard CHM v3 header
        $header = { 49 54 53 46 03 00 00 00 60 00 00 00 01 00 00 00 }
        // Name of the HTML page inside the samples; the only sample-specific atom in this rule
        $string_doc = "doc.htm" nocase
        // Internal files the HTML Help compiler writes into ordinary CHMs as well
        $string_url = "#URLTBL"
        $string_obj = "$OBJINST"
        $string_link = "$WWAssociativeLinks"
        // LZX transform GUID, present in the directory path of every LZX-compressed CHM
        $string_LZX = "7FC28940-9D31-11D0-9B27-00A0C91E9C7C"
    condition:
        // Header must sit at file offset 0 and every $string* atom must be present
        ( $header at 0 ) and ( all of ( $string* ) )
}

MD5

AB602191E08EA8B9B18B40728252048A

A23ED54CE55C04307A5C6DF0325BD9A7

931C3BAB6B786C2C6B96A50B79BEA2D8

30D071EC3CABC80D715DB70EEBA96204

E5E6DE1B80DDC27F7BF0F3C643668359
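As an added example (not part of the original post and not the author's tooling), the Python below mirrors the rule's condition without needing yara-python: it parses the 0x60-byte ITSF header that the `$header` hex pins down, searches for the five `$string*` atoms with the same nocase semantics, and checks a file's MD5 against the list above. The `build_sample` fixture fabricates CHM-like bytes purely to exercise the checks; it is not a real Bitter sample, and its section-table values, timestamp and language id are made up.

```python
"""Plain-Python triage that mirrors the Bitter_Malicious_chm YARA rule.

Added example for this post, not the post author's code. The sample bytes
produced by build_sample() are constructed by hand and are not a real CHM.
"""
import hashlib
import struct
import uuid

# MD5s listed in the post (uppercase hex)
BITTER_CHM_MD5 = {
    "AB602191E08EA8B9B18B40728252048A",
    "A23ED54CE55C04307A5C6DF0325BD9A7",
    "931C3BAB6B786C2C6B96A50B79BEA2D8",
    "30D071EC3CABC80D715DB70EEBA96204",
    "E5E6DE1B80DDC27F7BF0F3C643668359",
}

# Layout of the 0x60-byte ITSF header (CHM v3):
#   0x00 "ITSF"   0x04 version   0x08 header length   0x0C unknown (1)
#   0x10 timestamp   0x14 Windows language id   0x18/0x28 two fixed GUIDs
#   0x38 header-section table (2 x offset/length QWORDs)   0x58 content offset
ITSF_MAGIC = b"ITSF"
ITSF_HEADER_LEN = 0x60
ITSF_GUID1 = uuid.UUID("7C01FD10-7BAA-11D0-9E0C-00A0C922E6EC")
ITSF_GUID2 = uuid.UUID("7C01FD11-7BAA-11D0-9E0C-00A0C922E6EC")

# The rule's $header hex: ITSF, version 3, length 0x60, unknown 1
RULE_HEADER = ITSF_MAGIC + struct.pack("<III", 3, ITSF_HEADER_LEN, 1)

# The rule's $string* atoms as (bytes, nocase)
RULE_STRINGS = {
    "string_doc": (b"doc.htm", True),
    "string_url": (b"#URLTBL", False),
    "string_obj": (b"$OBJINST", False),
    "string_link": (b"$WWAssociativeLinks", False),
    "string_LZX": (b"7FC28940-9D31-11D0-9B27-00A0C91E9C7C", False),
}


def parse_itsf_header(data: bytes):
    """Return the parsed ITSF header as a dict, or None if data is not a CHM."""
    if len(data) < ITSF_HEADER_LEN or data[:4] != ITSF_MAGIC:
        return None
    version, header_len, unknown, timestamp, lang_id = struct.unpack_from("<5I", data, 4)
    return {
        "version": version,
        "header_len": header_len,
        "unknown": unknown,
        "timestamp": timestamp,
        "lang_id": lang_id,
        "guid1": uuid.UUID(bytes_le=data[0x18:0x28]),
        "guid2": uuid.UUID(bytes_le=data[0x28:0x38]),
    }


def matching_strings(data: bytes) -> set:
    """Names of the rule's $string* atoms found anywhere in data."""
    lowered = data.lower()
    hits = set()
    for name, (needle, nocase) in RULE_STRINGS.items():
        if nocase:
            found = needle.lower() in lowered
        else:
            found = needle in data
        if found:
            hits.add(name)
    return hits


def rule_matches(data: bytes) -> bool:
    """Same condition as the YARA rule: ($header at 0) and all of ($string*)."""
    return data.startswith(RULE_HEADER) and matching_strings(data) == set(RULE_STRINGS)


def triage(data: bytes) -> dict:
    """Hash lookup against the post's IOCs plus the structural/string checks."""
    md5 = hashlib.md5(data).hexdigest().upper()
    return {
        "md5": md5,
        "known_ioc": md5 in BITTER_CHM_MD5,
        "header": parse_itsf_header(data),
        "string_hits": sorted(matching_strings(data)),
        "rule_match": rule_matches(data),
    }


def build_sample(include_doc: bool = True) -> bytes:
    """Constructed fixture: a valid ITSF header followed by a fake directory
    listing that carries the internal file names the rule looks for. Real PMGL
    chunks use ENCINT lengths; this only needs the names to be present."""
    header = ITSF_MAGIC + struct.pack("<IIIII", 3, ITSF_HEADER_LEN, 1, 0x63EDA1A0, 0x0409)
    header += ITSF_GUID1.bytes_le + ITSF_GUID2.bytes_le
    header += struct.pack("<QQQQ", 0x60, 0x18, 0x78, 0x1000)  # made-up section table
    header += struct.pack("<Q", 0x1078)                          # made-up content offset
    names = [
        b"::DataSpace/Storage/MSCompressed/Transform/"
        b"{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable",
        b"/#URLTBL", b"/$OBJINST", b"/$WWAssociativeLinks/Property",
    ]
    if include_doc:
        names.append(b"/doc.htm")
    directory = b"PMGL" + b"".join(bytes([len(n)]) + n for n in names)
    return header + b"\x00" * 24 + directory
```

Triage a real file with `triage(open(path, "rb").read())`. Keep in mind that only `doc.htm` is sample-specific: `#URLTBL`, `$OBJINST`, `$WWAssociativeLinks` and the LZX transform GUID are written by the HTML Help compiler into ordinary CHMs too, so a benign help file whose topic page happens to be named doc.htm will also match, and the rule is best used for hunting and triage rather than as a sole blocking signature.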

Source: http://wangchenchina.github.io/2023/02/17/蔓灵花恶意chm-yara规则/
Author: Demo
Published: 17 February 2023