100 Days of YARA later
100 Days of YARA is a self-enforced challenge to learn YARA for the first time, or learn new techniques for creating rules, or submit rules for cool malware you’ve observed!
Day 💯 of #100DaysofYARA
I wrote my first YARA rule on 2022-01-02 during the first #100DaysofYARA (after sourcing malware on day one) and it was pretty fun. Initially, I focused on common cryptographic algorithms that I missed from the Flare-On 8 CTF challenges. If I could recognize these in YARA signatures I could save myself time in reverse engineering. Heading into this year of the challenge my goals were pretty reasonable:
- Go further than I did last year (18 days)
- Focus on more malicious code analysis
- More deeply understand what I was doing and validate findings
What is YARA
YARA is a pattern matching rule language used across the security industry for a variety of use cases since it was built in 2008. Today it’s used to help with efforts across the spectrum of defensive security operations:
- Antivirus/Incident Response: find malicious items across files or process memory
- Reverse Engineering: identify common code, constants, or strings to classify malware families
- Threat Intelligence: hunt for previously seen or emerging threats
A sample rule:
```yara
rule shellcromancer_was_here
{
    meta:
        description = "A rule to find myself on the internet."
        author = "@shellcromancer"
        version = "1.0"
        date = "2023.04.10"
        DaysofYARA = "100/100"
    strings:
        $str = "shellcromancer" xor
        $hex = { 40 ?? 73 68 65 6C 6C [0-4] 63 72 6F 6D 61 6E 63 65 72 }
    condition:
        any of them
}
```
Part of the reason it’s successful today is due to the great community around writing rules, and that once you codify analysis in a YARA rule it can be tested by others (locally, in VirusTotal, YARAify, UnpacMe, or many of the other services that support it) and stored historically with labeling.
The last 100 days
For those following along, you’ll notice that somewhere around day 7 I decided to look at macOS-specific items and stuck with that for almost the rest of the challenge. Most people I care about use macOS machines, and most services I care about run on Linux servers, so I stay away from Windows as much as I can… and it turns out I can! 🫡 There’s a ton of threat actors abusing macOS and Linux, with folks just needing to spend more time looking. Plus resources like Objective-See have a macOS-focused malware collection where you can get started.
```console
$ git log --author 'shellcromancer' --pretty=format:"%h%x09%ad%x09%s" --date=short --reverse
8d08cfd 2023-01-02 shellcromancer/elf_golf.yar days 1 & 2
9896dd8 2023-01-03 add shellcromancer day 3
a086160 2023-01-04 add lang_zig.yar
fce1c65 2023-01-05 add tool_network_free_code.yar
4d62367 2023-01-06 add money.yar
9cb18f9 2023-01-07 fix: update rule metadata
208e4da 2023-01-07 add file_dmg.yar
fb40b19 2023-01-08 add dmg.hexpat
c30fa42 2023-01-09 add XAR related files
60786af 2023-01-10 add file_dmg_condition_only
ec93772 2023-01-11 add go_lang_garble
f40e187 2023-01-12 add file_plist.yar
1f522bd 2023-01-13 add file_scpt.yar
6068a09 2023-01-14 add lang_swift.yar
a980800 2023-01-15 macho_discovery.yar
225abdf 2023-01-16 add file_scpt_jxa.yar
3a227a8 2023-01-17 add file_wasm.yar
c4ab3c4 2023-01-18 add wasm_miner.yar
668ae30 2023-01-19 add susp_macos_browsers
4d9167b 2023-01-20 add file_one and susp_onenote_embedded_pe
1fdd22d 2023-01-21 add mal_macos_cointicker.yar
4ef6492 2023-01-22 add hacktool_shc
8ea4030 2023-01-23 add shc code identification
19bb4f7 2023-01-24 add mal_orat.yar
16fcd82 2023-01-24 mal_rat_spark.yara
168dcf1 2023-01-27 add info_macho_control_flow.yar
db9d1cf 2023-01-28 add macos_ui_frameworks
e67e853 2023-01-29 add mal_cia_ransomware
5d3bcb0 2023-01-30 add file_car
4ac1944 2023-01-31 add info_macho_lc_cmds
28ffb3c 2023-02-01 fix: hacktool_shc.yar
29d97b4 2023-02-02 add hacktool_ezuri.yar
25b8fdc 2023-02-03 add electron.yar
82de5f5 2023-02-04 add bundler_platypus
c95edc4 2023-02-05 add macho_entitlehash.yar
6fe29e6 2023-02-05 add macho_entitlehash_ex
5c5b182 2023-02-06 add susp_macho_entitlements
c1e77e2 2023-02-07 add info_dyld_env.yar
8ba1e73 2023-02-08 add macho_section_restricted
46ed8ae 2023-02-09 add macho_pagezero
9c18d49 2023-02-10 add macho_text_protected
22512e4 2023-02-11 add macho_missing_text.yar
14d52e1 2023-02-12 remove private rules with De Morgans Law
a11bcc9 2023-02-13 add macho_entrophy
68efa64 2023-02-14 add file_nib
d6a3c3c 2023-02-15 add macos_bundle_qlgenerator
849d5de 2023-02-16 add macos_bundle_mdimporter
517133c 2023-02-17 add macos_bundle_saver
c9d6008 2023-02-18 add macos_bundle_colorpicker
f551be4 2023-02-19 add mal_iwebservices
91c204e 2023-02-20 add file_icns
c837a37 2023-02-21 add macos_cloudmensis
c56fa46 2023-02-24 add susp_encoded_ip
d9f7686 2023-02-25 add mal_final_cut_pro
bc29242 2023-02-26 add i2pd
636f729 2023-02-27 add mal_ddosia.yar
1b3508f 2023-02-28 add mal_macos_systemd
625bf29 2023-03-02 add macho_no_pagezero
ec1b642 2023-03-03 add mal_macos_xslcmd
679cefa 2023-03-04 add mal_macos_pureland
8207868 2023-03-05 add mal_macos_coinminer
88e2486 2023-03-06 add susp_macos_elitelogger
4ed3eef 2023-03-07 add info_nop_sled.yar
dc73935 2023-03-08 fix: loosen pureland condition
7ea98af 2023-03-09 add mal_macos_loselose
deeb712 2023-03-10 add mal_macos_netwire
6e72700 2023-03-11 add mal_macos_weaponx
6c9ded5 2023-03-12 add susp_macos_sniperspy.yar
4409a0d 2023-03-13 add info_macos_xattrs
72b523c 2023-03-14 exploit-cve-2023-23397
6469401 2023-03-15 add susp_macos_shellcode
ad5913c 2023-03-16 add program_thing.yar
e099ce5 2023-03-17 add susp_macho_loader
00ea13e 2023-03-18 add crossrat
e1c8066 2023-03-19 add mal_macos_rshell.yar
a2b6cfc 2023-03-20 add mal_macos_ventir
1e51f29 2023-03-21 add mal_macos_ventir_keylog
4f92847 2023-03-22 add mal_macos_ventir_watchdog
992f1e0 2023-03-23 add mal_macos_silver_sparrow.yar
2d3c828 2023-03-24 add mal_macos_silver_sparrow
26296fc 2023-03-25 add mal_macos_fkcodec.yar
ab3d371 2023-03-26 add mal_macos_macstealer
0662b8a 2023-03-27 add lang_python_bytecode
2bd09df 2023-03-28 add info_python_nuitka
826e28b 2023-03-29 add file_ipsw
a73700f 2023-03-30 add mal_macos_smoothoperator
d2a8f16 2023-03-31 add info_macho_python
315905f 2023-04-01 add info_padded_dmg.yar
fb36697 2023-04-02 add file_sdef.yar
5e7f62c 2023-04-03 add mal_macos_smoothoperator_updateagent
79faa2d 2023-04-04 fix: mal_macos_smoothoperator
67e9abd 2023-04-05 add exploit-cve-2022-46689
74e92dc 2023-04-06 add info_macos_scpt_applet
4f7ec14 2023-04-07 add mal_macos_dacls
8eacd72 2023-04-08 add info_macos_file_metadata
ab25e9b 2023-04-09 add macos_bundle_findersync_appex
```
The best of rules and the worst of rules
My personal favorite rule for hunting/clustering malware families is the EntitleHash, where we take the Mach-O entitlements in a code-signed executable and hash them for clustering. It works fairly well to bucket malware in a TTP sense, but not by authorship.
```yara
import "console"
import "hash"

private rule macho_entitlehash
{
    meta:
        description = "Identify code signed entitlements in Mach-o files, then hash them"
        author = "@shellcromancer"
        version = "1.0"
        date = "2023.02.05"
        DaysofYARA = "36/100"
    strings:
        $cs_magic = { fa de 0c 00 } private
        $cs_magic_entitlement = { fa de 71 71 } private
    condition:
        (
            uint32(0) == 0xfeedface or // Mach-O MH_MAGIC
            uint32(0) == 0xcefaedfe or // Mach-O MH_CIGAM
            uint32(0) == 0xfeedfacf or // Mach-O MH_MAGIC_64
            uint32(0) == 0xcffaedfe or // Mach-O MH_CIGAM_64
            uint32(0) == 0xcafebabe or // Mach-O FAT_MAGIC
            uint32(0) == 0xbebafeca    // Mach-O FAT_CIGAM
        ) and
        all of them and
        /*
            Entitlements XML stored in:
            @cs_magic_entitlement + 8 -> @cs_magic_entitlement + uint32be(@cs_magic_entitlement+4)
            The big-endian length at +4 counts the 8-byte blob header, so the XML
            payload is uint32be(@cs_magic_entitlement+4) - 8 bytes long.
        */
        for any i in (1 .. #cs_magic_entitlement) : (
            console.log(
                "Entitlehash: ",
                hash.md5(
                    @cs_magic_entitlement[i] + 8,                 // offset of the XML payload
                    uint32be(@cs_magic_entitlement[i] + 4) - 8    // size: hash.md5 takes (offset, size), not an end offset
                )
            )
        )
}
```
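To make the hashing step concrete, here is an added Python version of the same EntitleHash; it is not the post's or the author's code. It finds the embedded-entitlements blob by scanning for the `fa de 71 71` magic exactly as the rule does, reads the big-endian blob length, and MD5s the XML payload only. The "binaries" are constructed byte strings with an entitlement blob sandwiched between filler, not real Mach-O files, and the two entitlement plists are constructed samples.

```python
import hashlib
import plistlib
import struct

# Magic of the embedded-entitlements GenericBlob (CSMAGIC_EMBEDDED_ENTITLEMENTS
# in Apple's cs_blobs.h); the YARA rule matches the same bytes as { fa de 71 71 }.
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171

# Constructed sample entitlement plists, in the shape a hardened-runtime
# signature embeds them.
ENTITLEMENTS_A = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
\t<true/>
\t<key>com.apple.security.cs.disable-library-validation</key>
\t<true/>
</dict>
</plist>
"""
ENTITLEMENTS_B = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
\t<key>com.apple.security.app-sandbox</key>
\t<true/>
</dict>
</plist>
"""


def generic_blob(magic: int, payload: bytes) -> bytes:
    """CS_GenericBlob: uint32be magic, uint32be length (header included), payload."""
    return struct.pack(">II", magic, 8 + len(payload)) + payload


def fake_signed_binary(entitlements: bytes, filler: bytes) -> bytes:
    """Constructed stand-in for a signed Mach-O: filler bytes around an
    entitlements blob. Not a real Mach-O; only the blob layout is faithful."""
    return filler + generic_blob(CSMAGIC_EMBEDDED_ENTITLEMENTS, entitlements) + filler[::-1]


def find_entitlement_blobs(data: bytes):
    """Yield (offset, xml_bytes) for every entitlements blob in `data`, located
    by magic scan like the YARA rule. A blob whose declared length runs past
    the end of the data (or is shorter than its header) is skipped rather
    than hashed over whatever bytes happen to follow."""
    magic = struct.pack(">I", CSMAGIC_EMBEDDED_ENTITLEMENTS)
    pos = data.find(magic)
    while pos != -1:
        if pos + 8 <= len(data):
            (length,) = struct.unpack_from(">I", data, pos + 4)
            if 8 <= length <= len(data) - pos:
                yield pos, data[pos + 8:pos + length]
        pos = data.find(magic, pos + 1)


def entitlehash(xml: bytes) -> str:
    """EntitleHash = MD5 of the XML payload only, never the 8-byte blob header."""
    return hashlib.md5(xml).hexdigest()


def entitlehashes(data: bytes) -> list:
    return [entitlehash(xml) for _, xml in find_entitlement_blobs(data)]


def entitlement_keys(xml: bytes) -> list:
    """Entitlement names granted by the blob, for a human-readable cluster label."""
    return sorted(plistlib.loads(xml).keys())


# Constructed edge case: a blob that claims 100 bytes but is cut off after 3.
TRUNCATED_SAMPLE = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 100) + b"abc"


if __name__ == "__main__":
    for name, ents, filler in (("a1", ENTITLEMENTS_A, b"\x00" * 64),
                               ("a2", ENTITLEMENTS_A, b"\xcc" * 200),
                               ("b", ENTITLEMENTS_B, b"\x00" * 64)):
        sample = fake_signed_binary(ents, filler)
        for off, xml in find_entitlement_blobs(sample):
            print(name, hex(off), entitlehash(xml), entitlement_keys(xml))
```

Samples a1 and a2 share nothing but the entitlements blob and still get the same hash, while b differs; that is exactly why the hash groups samples by what they ask the OS for (a TTP) rather than by who built them.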
The rule I was most disappointed with was info_padded_dmg just because I was hoping it would be more helpful in finding malicious installers. Unfortunately, sorting through the high false positive rate isn’t feasible.
```yara
rule info_padded_dmg
{
    meta:
        description = "Identify Apple DMG with padding between the plist and trailer sections."
        author = "@shellcromancer"
        version = "1.0"
        date = "2023.04.01"
        reference = "https://objective-see.org/blog/blog_0x70.html"
        DaysofYARA = "91/100"
    strings:
        $plist = "</plist>\x0a"
    condition:
        uint32be(filesize - 512) == 0x6b6f6c79 and // "koly" trailer of DMG
        not $plist at filesize - 521              // trailer is not prefixed by property list
}
```
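The rule only asks whether `</plist>\n` sits directly in front of the koly trailer. The trailer itself records where the XML plist is (XMLOffset at byte 216 and XMLLength at byte 224 of the 512-byte UDIF trailer, both big-endian uint64), so the gap can be measured rather than just flagged. The following is an added Python example, not the post's code: it builds two constructed DMG tails (one clean, one with 4 KiB of padding), evaluates the same condition the rule does, and reports the exact padding size from the trailer fields. The plist content is a constructed stand-in for a UDIF resource fork.

```python
import plistlib
import struct
from typing import Optional

KOLY_SIZE = 512          # the UDIF "koly" trailer is always the last 512 bytes
XML_OFFSET_FIELD = 216   # uint64be: file offset of the XML plist
XML_LENGTH_FIELD = 224   # uint64be: length of the XML plist
PLIST_TAIL = b"</plist>\n"

# Constructed plist in the shape of a UDIF resource fork (one blkx entry).
PLIST_XML = plistlib.dumps(
    {"resource-fork": {"blkx": [{"ID": "0", "Name": "disk image (Apple_HFS : 1)"}]}})


def make_koly(xml_offset: int, xml_length: int) -> bytes:
    """Constructed 512-byte koly trailer with only the fields we read filled in."""
    t = bytearray(KOLY_SIZE)
    t[0:4] = b"koly"
    struct.pack_into(">II", t, 4, 4, KOLY_SIZE)            # Version, HeaderSize
    struct.pack_into(">Q", t, XML_OFFSET_FIELD, xml_offset)
    struct.pack_into(">Q", t, XML_LENGTH_FIELD, xml_length)
    return bytes(t)


def make_dmg(data_fork: bytes, plist_xml: bytes, padding: bytes = b"") -> bytes:
    """Constructed DMG tail: data fork, XML plist, optional padding, trailer."""
    return data_fork + plist_xml + padding + make_koly(len(data_fork), len(plist_xml))


def inspect_dmg(data: bytes) -> Optional[dict]:
    """None for non-DMGs; otherwise the rule's verdict plus the exact gap
    between the end of the plist (per the trailer) and the trailer itself."""
    if len(data) < KOLY_SIZE or data[-KOLY_SIZE:-KOLY_SIZE + 4] != b"koly":
        return None
    trailer_start = len(data) - KOLY_SIZE
    xml_offset, xml_length = struct.unpack_from(">QQ", data, trailer_start + XML_OFFSET_FIELD)
    xml_end = xml_offset + xml_length
    # info_padded_dmg: "</plist>\n" is NOT the 9 bytes immediately before the trailer
    rule_match = data[max(trailer_start - 9, 0):trailer_start] != PLIST_TAIL
    result = {
        "rule_match": rule_match,
        "xml_range_valid": xml_offset < xml_end <= trailer_start,
        "padding_bytes": trailer_start - xml_end if xml_end <= trailer_start else None,
        "blkx_names": [],
    }
    if result["xml_range_valid"]:
        try:   # untrusted input: a bogus XML range must not crash the triage script
            plist = plistlib.loads(data[xml_offset:xml_end])
            result["blkx_names"] = [e.get("Name") for e in
                                    plist.get("resource-fork", {}).get("blkx", [])]
        except Exception:
            pass
    return result


if __name__ == "__main__":
    clean = make_dmg(b"\x00" * 1024, PLIST_XML)
    padded = make_dmg(b"\x00" * 1024, PLIST_XML, b"\x00" * 4096)
    print("clean :", inspect_dmg(clean))
    print("padded:", inspect_dmg(padded))
```

Reading the gap size from the trailer gives a number to sort or threshold on when triaging matches, which the boolean rule condition alone cannot provide.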
What’s next
While I keep writing rules I want to figure out a better way to manage them, so I’m scoping out loading samples into Synapse Vertex and using their YARA plugin for analysis. This seems like a great way to offload work from my laptop and dive into their modeling, but the YARA power-up seems to be gated to enterprise customers 😕.
In addition to analyzing macOS-specific malware, I want to introduce some new features to the YARA macho module to bring it to parity with the PE module. I don’t want to introduce bugs, and I need to learn Rust, so maybe these are candidates to check out while porting the Mach-O module for yara-x!
- Mach-O module: add iterable load command list w/ offset, type, and size. Allows using static offsets into known structures for contents like reading LC_UUIDs, and more
- Mach-O module: add code signature information, including entitlements
- Mach-O module: add iterable export/import lists
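What the first wishlist item would expose, written out as an added Python example (not YARA module code, and not from the post or the yara-x project): walk the load commands of a 64-bit Mach-O, yielding each command's offset, type and size, then read the LC_UUID payload and the `dataoff`/`datasize` of LC_CODE_SIGNATURE, which is where the entitlements hashed above live. The constants are the real values from `<mach-o/loader.h>`; the sample Mach-O is a constructed minimal header with two load commands and no segments. The walker stops on a truncated table or a zero `cmdsize` instead of reading past the buffer or looping forever, which is the kind of bug the author mentions wanting to avoid.

```python
import struct
import uuid
from typing import Iterator, Optional, Tuple

# Constants from <mach-o/loader.h> / <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
HEADER64_SIZE = 32        # sizeof(struct mach_header_64)


def load_commands(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, cmd, cmdsize) for each load command of a thin,
    little-endian 64-bit Mach-O, bounded by ncmds/sizeofcmds and the buffer."""
    if len(data) < HEADER64_SIZE:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = HEADER64_SIZE
    end = min(len(data), HEADER64_SIZE + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            break                       # command header itself is cut off
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            break                       # zero/undersized or overlong command: stop, do not spin
        yield off, cmd, cmdsize
        off += cmdsize


def command_types(data: bytes) -> list:
    return [cmd for _, cmd, _ in load_commands(data)]


def macho_uuid(data: bytes) -> Optional[str]:
    """LC_UUID carries 16 raw bytes right after the 8-byte command header."""
    for off, cmd, cmdsize in load_commands(data):
        if cmd == LC_UUID and cmdsize >= 24:
            return str(uuid.UUID(bytes=data[off + 8:off + 24]))
    return None


def code_signature_range(data: bytes) -> Optional[Tuple[int, int]]:
    """LC_CODE_SIGNATURE is a linkedit_data_command; (dataoff, datasize) locate
    the code-signature SuperBlob that holds the entitlements blob."""
    for off, cmd, cmdsize in load_commands(data):
        if cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            return tuple(struct.unpack_from("<II", data, off + 8))
    return None


# Constructed sample values
SAMPLE_UUID = uuid.UUID("0b1ca6a8-55e9-4d3e-9d5b-1f7c2e8d9a01")


def build_sample() -> bytes:
    """Constructed minimal arm64 Mach-O: header, LC_UUID, LC_CODE_SIGNATURE.
    Not loadable (no segments), but the load command table is well-formed."""
    cmds = struct.pack("<II", LC_UUID, 24) + SAMPLE_UUID.bytes
    cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2, len(cmds), 0, 0)
    return header + cmds


def build_zero_cmdsize() -> bytes:
    """Constructed malformed variant: the first command declares cmdsize 0."""
    cmds = struct.pack("<II", LC_UUID, 0) + SAMPLE_UUID.bytes
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    sample = build_sample()
    for off, cmd, size in load_commands(sample):
        print(f"offset={off:#x} cmd={cmd:#x} cmdsize={size}")
    print("uuid:", macho_uuid(sample))
    print("code signature (dataoff, datasize):", code_signature_range(sample))
```

With offset, type and size exposed per command, a rule can reach into any load command with a plain `uint32(offset + n)` instead of hard-coding positions that shift between builds.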
To aid in triaging samples I want to see if some macOS Binary Refinery units can be added, specifically around extracting contents from Apple archive formats like DMGs, PKGs, and individual Mach-O’s from a FAT archive (similar to the lipo tool on macOS but with pipe-able output).
Outside of macOS specifics I want to build out a more detailed YARA plugin for Binary Ninja to bring its quick signature toolkit close to what the Cutter YARA plugin does (a recent plugin by birch helps this a lot!).
Most importantly, I’m going to take some time off with my family since I’ll be a dad in a week 🎉 (some people don’t think my dog counts 🙄).
Shout-outs
Thank you to @greglesnewich for starting the #100DaysofYARA trend last year, continuing it this year, and chatting with me as we went through the 2023 edition (and for the sick mug)!
Thank you to other folks contributing rules and keeping up the streak as well like @BitsOfBinary, @Qutluch, @silascutler, @stvemillertime (c’mon YARA is in his name!), @dan__mayer, @wxs, @notareverser, @th3_protoCOL, and I’m sure many others that I’m missing!
✌️