@Hamid-K
Created March 29, 2025 19:40
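rule Paragon_Spyware_IOCs
{
    // Network-indicator rule for Paragon Graphite infrastructure as listed in the
    // cited Citizen Lab report. Intended for scanning logs, memory dumps or
    // captured traffic for the domains and IP ranges below; it carries no
    // file-format or payload indicators, so a hit means "this artifact references
    // known infrastructure", not "this artifact is the implant".
    //
    // NOTE(review): meta.author records that the indicators were transcribed by an
    // LLM; verify each value against the reference URL before deploying the rule.
    meta:
        description = "Indicators of compromise (IOCs) for Paragon Solutions Graphite spyware from the Citizen Lab report 'Virtue or Vice? A First Look at Paragons Proliferating Spyware Operations'"
        author = "ChatGPT"
        date = "2025-03-29"
        reference = "https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"

    strings:
        // Domain names are case-insensitive, and several entries below are written
        // with mixed case ("internal-Abba.com", "forti.external-Sht_prd_2.com",
        // "forti.external-Staging-02.com"); the original rule matched case-sensitively
        // and would have missed lowercase occurrences. `wide` also catches UTF-16
        // copies as found in Windows memory or registry artifacts.

        // Suspected customer domains (Table 4)
        $dns1 = "external-astra.com" nocase ascii wide
        $dns2 = "internal-Abba.com" nocase ascii wide
        $dns3 = "external-cap.com" nocase ascii wide
        $dns4 = "external-drt.com" nocase ascii wide
        $dns5 = "forti.external-muki.com" nocase ascii wide
        $dns6 = "external-cag.com" nocase ascii wide
        $dns7 = "forti.external-sht-prd-4.com" nocase ascii wide
        $dns8 = "forti.external-shotgun3.com" nocase ascii wide
        $dns9 = "forti.external-sht.com" nocase ascii wide
        $dns10 = "forti.external-Sht_prd_2.com" nocase ascii wide
        $dns11 = "forti.internal-stg.com" nocase ascii wide
        // Tier 2 nodes in Israel
        $dns12 = "forti.paraccess.com" nocase ascii wide
        $dns13 = "modern-money.org" nocase ascii wide
        $dns14 = "ancient-thing.it" nocase ascii wide
        // Tier 1 certificate domains
        $dns15 = "forti.external-Staging-02.com" nocase ascii wide
        $dns16 = "awake-wood.io" nocase ascii wide

        // IP address patterns (regex for the variable last octet).
        // `fullword` prevents a /24 pattern from firing on a longer address that
        // merely starts with the same digits (e.g. "1120.150.253.1" or
        // "84.110.122.270"); without it every exact-IP string below was a prefix match.
        // Australian customer deployments
        $ip1 = /120\.150\.253\.\d{1,3}/ fullword ascii wide
        $ip2 = /150\.207\.167\.\d{1,3}/ fullword ascii wide
        $ip3 = /67\.69\.21\.\d{1,3}/ fullword ascii wide
        $ip4 = /195\.249\.167\.\d{1,3}/ fullword ascii wide
        $ip5 = /31\.168\.219\.\d{1,3}/ fullword ascii wide
        $ip6 = /217\.27\.58\.\d{1,3}/ fullword ascii wide
        // Singapore customer deployments
        $ip7 = /58\.185\.8\.\d{1,3}/ fullword ascii wide
        $ip8 = /61\.16\.116\.\d{1,3}/ fullword ascii wide
        // Tier 1 servers observed (exact IPs)
        $ip9 = "84.110.122.27" fullword ascii wide
        $ip10 = "178.237.39.204" fullword ascii wide
        // Tier 2 nodes in Israel (exact IPs)
        $ip11 = "84.110.47.82" fullword ascii wide
        $ip12 = "84.110.47.83" fullword ascii wide
        $ip13 = "84.110.47.85" fullword ascii wide
        $ip14 = "84.110.47.86" fullword ascii wide

    condition:
        // A single indicator is enough; triage hits by which string fired, since the
        // /24 regexes cover whole customer ranges and are broader than the exact IPs.
        any of ($dns*) or any of ($ip*)
}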