kohnakagawa · May 2, 2024 12:56
diff --git a/XPR_pirrit_132.yara b/XPR_pirrit_132.yara
            private rule Macho
            {
                meta:
                    description = "private rule to match Mach-O binaries"
                condition:
                    uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
            }

            rule macos_pirrit_install_flash
            {
                strings:
                    $import_block = {
                        00 00 00 00 00
                        5f 5f 6d 68 5f
                        65 78 65 63 75
                        74 65 5f 68 65
                        61 64 65 72 00
                        5f 72 65 6d 6f
                        76 65 00 5f 73
                        79 73 74 65 6d
                        00 64 79 6c 64
                        5f 73 74 75 62
                        5f 62 69 6e 64
                        65 72 00 72 61
                        64 72 3a 2f 2f
                        35 36 31 34 35
                        34 32 00
                    }
                condition:
                    Macho and filesize < 100KB and $import_block
            }

        private rule Macho
        {
            meta:
                description = "private rule to match Mach-O binaries"
            condition:
                uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
        }

        rule hunt_macos_pirrit_obfuscation
        {
            strings:
                $codeA = { 80 7d ?? 00 b8 ?? ?? ?? ?? b9 ?? ?? ?? ?? 0f 45 c1 ( e9 | eb ) ?? ?? ?? ?? }
                $import_1 = "\x00_system\x00"
                $import_2 = "\x00_remove\x00"
                //movaps  xmm0, cs:xmmword_100004020 ; Move Aligned Four Packed Single-FP
                //xorps   xmm0, cs:xmmword_100003860 ; Bitwise Logical XOR for Single-FP Data
                $byte_1 = { 0F 28 05 ?? ?? 00 00  0F 57 05 ?? ?? 00 00 }
                // xor     cs:byte_100004110, 0Ch
                $byte_2 = { 80 35 ?? ?? 00 00 ?? }
                //movups  xmm0, cs:xmmword_100004121
                //xorps   xmm0, cs:xmmword_100003950
                $byte_3 = { 0F 10 05 ?? ?? 00 00 0F 57 05 ?? ?? 00 00 }
                //xorps   xmm0, cs:xmmword_100003C90
                //movups  cs:xmmword_10000448D, xmm0
                //movups  xmm0, cs:xmmword_10000449D
                $byte_4 = { 0F 57 ?? ?? ?? 00 00 0F 11 ?? ?? ?? 00 00 0F 10 ?? ?? ?? 00 00 }
            condition:
                Macho and filesize < 500KB and ($codeA or (all of ($import_*) and #byte_1 > 25 and #byte_2 > 50 and #byte_3 > 30 and #byte_4 > 50))
        }
        rule macos_pirrit_safari_extension
        {
            strings:
                $safariext = "SafariExtensionHandler"
                $symbolA = "sysctl"
                $symbolB = "IOServiceGetMatchingService"
            condition:
                all of them and hunt_macos_pirrit_obfuscation
        }
	private rule Macho
	{
	meta:
	description = "private rule to match Mach-O binaries"
	condition:
	uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
	}

	rule macos_pirrit_install_flash
	{
	strings:
	$import_block = {
	00 00 00 00 00
	5f 5f 6d 68 5f
	65 78 65 63 75
	74 65 5f 68 65
	61 64 65 72 00
	5f 72 65 6d 6f
	76 65 00 5f 73
	79 73 74 65 6d
	00 64 79 6c 64
	5f 73 74 75 62
	5f 62 69 6e 64
	65 72 00 72 61
	64 72 3a 2f 2f
	35 36 31 34 35
	34 32 00
	}
	condition:
	Macho and filesize < 100KB and $import_block
	}

	private rule Macho
	{
	meta:
	description = "private rule to match Mach-O binaries"
	condition:
	uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
	}

	rule hunt_macos_pirrit_obfuscation
	{
	strings:
	$codeA = { 80 7d ?? 00 b8 ?? ?? ?? ?? b9 ?? ?? ?? ?? 0f 45 c1 ( e9 \| eb ) ?? ?? ?? ?? }
	$import_1 = "\x00_system\x00"
	$import_2 = "\x00_remove\x00"
	//movaps xmm0, cs:xmmword_100004020 ; Move Aligned Four Packed Single-FP
	//xorps xmm0, cs:xmmword_100003860 ; Bitwise Logical XOR for Single-FP Data
	$byte_1 = { 0F 28 05 ?? ?? 00 00 0F 57 05 ?? ?? 00 00 }
	// xor cs:byte_100004110, 0Ch
	$byte_2 = { 80 35 ?? ?? 00 00 ?? }
	//movups xmm0, cs:xmmword_100004121
	//xorps xmm0, cs:xmmword_100003950
	$byte_3 = { 0F 10 05 ?? ?? 00 00 0F 57 05 ?? ?? 00 00 }
	//xorps xmm0, cs:xmmword_100003C90
	//movups cs:xmmword_10000448D, xmm0
	//movups xmm0, cs:xmmword_10000449D
	$byte_4 = { 0F 57 ?? ?? ?? 00 00 0F 11 ?? ?? ?? 00 00 0F 10 ?? ?? ?? 00 00 }
	condition:
	Macho and filesize < 500KB and ($codeA or (all of ($import_*) and #byte_1 > 25 and #byte_2 > 50 and #byte_3 > 30 and #byte_4 > 50))
	}
	rule macos_pirrit_safari_extension
	{
	strings:
	$safariext = "SafariExtensionHandler"
	$symbolA = "sysctl"
	$symbolB = "IOServiceGetMatchingService"
	condition:
	all of them and hunt_macos_pirrit_obfuscation
	}