diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
index b57d8a69..2753e953 100644
--- a/iocs/filename-iocs.txt
+++ b/iocs/filename-iocs.txt
@@ -4548,4 +4548,16 @@ C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85
 /tmp/shell\.sh;65
 /tmp/shell\.txt;65
+# Lotusblossom Notepad++ Exploitation https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+\\USOShared\\[a-zA-Z0-9]{1,15}\.(c|dll|exe);75
+\\AppData\\Roaming\\ProShow\\[a-zA-Z0-9]{1}.txt;75
+\\AppData\\Roaming\\Adobe\\Scripts\\[a-zA-Z0-9]{1}.txt;75
+\\AppData\\Roaming\\Bluetooth\\log\.dll;75
+\\AppData\\Roaming\\Bluetooth\\BluetoothService\.exe;75
+\\AppData\\Roaming\\ProShow\\load$;75
+\\AppData\\Roaming\\ProShow\\ProShow.\exe;75
+\\AppData\\Roaming\\Adobe\\Scripts\\alien\.ini;75
+\\AppData\\Roaming\\Adobe\\Scripts\\script.exe;75
+\\libtcc\.dll;60
+
 # End
diff --git a/yara/lotusblossom_notepad_exploitation.yar b/yara/lotusblossom_notepad_exploitation.yar
new file mode 100644
index 00000000..da3c54c0
--- /dev/null
+++ b/yara/lotusblossom_notepad_exploitation.yar
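Review bot: The added pattern `\\AppData\\Roaming\\ProShow\\ProShow.\exe;75` has the backslash on the wrong side of the dot: `.\exe` leaves the dot unescaped and introduces the escape `\e`, which Python's `re` (3.7 and later) rejects as an unknown escape, so a consumer that compiles every line of this file as a Python regex would fail on this entry rather than just over-match. It should read `\\AppData\\Roaming\\ProShow\\ProShow\.exe;75`. The two `[a-zA-Z0-9]{1}.txt` entries and `script.exe` also leave the dot unescaped, which is harmless but inconsistent with the `\.` used on the neighbouring `log\.dll`, `alien\.ini` and `libtcc\.dll` lines.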
@@ -0,0 +1,83 @@
+rule MAL_Chrysalis_DllLoader_Feb26 {
+ meta:
+ description = "Detects DLL used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
+ author = "X__Junior"
+ date = "2026-02-02"
+ reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+ hash = "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"
+ score = 80
+ strings:
+ $op1 = { 33 D2 8B C1 F7 F6 0F B6 C1 03 55 ?? 6B C0 ?? 32 02 88 04 0F 41 83 F9 ?? 72 }
+ $op2 = { 0F B6 04 31 41 33 C2 69 D0 ?? ?? ?? ?? 3B CB 72 }
+ condition:
+ uint16(0) == 0x5a4d and all of them
+}
+
+rule MAL_Chrysalis_Shellcode_Loader_Feb26 {
+ meta:
+ description = "Detects shellcode used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
+ author = "X__Junior"
+ date = "2026-02-02"
+ reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+ hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
+ score = 80
+ strings:
+ $op1 = { 8B C7 03 D7 83 E0 ?? 47 8A 4C 05 ?? 8A 04 13 02 C1 32 C1 2A C1 88 02 8B 55 ?? 3B FE 7C ?? 8B 5D ?? 8B 45 }
+ $op2 = { 03 F8 8B 45 ?? 8B 50 ?? 85 C9 79 ?? 0F B7 C1 EB ?? 8D 41 ?? 03 C3 50 FF 75 ?? FF D2 89 07 85 C0 74 ?? 8B 4D ?? 46 }
+ condition:
+ 1 of them
+}
+
+rule MAL_Chrysalis_Backdoor_Feb26 {
+ meta:
+ description = "Detects Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
+ author = "X__Junior"
+ date = "2026-02-02"
+ reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+ hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
+ score = 80
+ strings:
+ $opa1 = { 8B 4D ?? C1 CF ?? C1 C1 ?? 03 F9 D1 C3 8B 4D ?? C1 C1 ?? 03 F9 03 FB 8B 5D ?? 69 CF ?? ?? ?? ?? BF ?? ?? ?? ?? 2B F9 EB }
+ $opa2 = { F7 E9 [0-1] 8B C2 C1 E8 ?? 03 C2 8D 0C 40 8A C3 34 ?? [0-2] 0F B6 [1-4] 0F B6 C3 8B 5D [1-3] 0F 45 D0 }
+
+ $opb1 = { 0F B6 84 35 ?? ?? ?? ?? 88 84 3D ?? ?? ?? ?? 88 8C 35 ?? ?? ?? ?? 0F B6 84 3D ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 03 C2 0F B6 C0 0F B6 84 05 ?? ?? ?? ?? 30 04 19 43 3B 9D ?? ?? ?? ?? 7C }
+ condition:
+ (1 of ($opa*) and $opb1)
+ or
+ all of ($opa*)
+}
+
+rule MAL_CobaltStrike_Beacon_Loader_Feb26 {
+ meta:
+ description = "Detects Cobalt Strike beacon loader"
+ author = "X__Junior"
+ date = "2026-02-02"
+ reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+ hash = "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd"
+ hash = "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3"
+ score = 80
+ strings:
+ $opa1 = { 45 33 C9 41 B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 66 89 44 24 ?? 41 B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 0F B7 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 }
+ $opa2 = { 4C 8D 4C 24 ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8D 0D ?? ?? ?? ?? 45 33 C0 33 D2 48 8B C8 FF 15 }
+
+ $opb1 = { 48 8D 89 ?? ?? ?? ?? 0F 10 00 0F 10 48 ?? 48 8D 80 ?? ?? ?? ?? 0F 11 41 ?? 0F 10 40 ?? 0F 11 49 ?? 0F 10 48 ?? 0F 11 41 ?? 0F 10 40 ?? 0F 11 49 ?? 0F 10 48 ?? 0F 11 41 ?? 0F 10 40 ?? 0F 11 49 ?? 0F 10 48 ?? 0F 11 41 ?? 0F 11 49 ?? 48 83 EA }
+ $opb2 = { 45 33 C9 48 89 84 24 ?? ?? ?? ?? 41 B8 18 00 00 00 C7 84 24 ?? ?? ?? ?? 03 00 00 00 48 8D 94 24 ?? ?? ?? ?? 48 89 BC 24 ?? ?? ?? ?? B9 B9 00 00 00 FF 15 }
+ condition:
+ uint16(0) == 0x5a4d and
+ all of ($opa*)
+ or all of ($opb*)
+}
+
+rule MAL_POC_Microsoft_Warbird_Loader_Feb26 {
+ meta:
+ description = "Detects a POC to turn Microsoft Warbird into a shellcode loader"
+ author = "X__Junior"
+ date = "2026-02-03"
+ reference = "https://cirosec.de/en/news/abusing-microsoft-warbird-for-shellcode-execution/"
+ hash = "29d0467ee452752286318f350ceb28a2b04ee4c6de550ba0edc34ae0fa7cbb03"
+ score = 75
+ strings:
+ $op = { fe af fe ca ef be ad de }
+ condition:
+ uint16(0) == 0x5a4d and $op
+}
diff --git a/yara/yara_mixed_ext_vars.yar b/yara/yara_mixed_ext_vars.yar
index 74778fca..566a5565 100644
--- a/yara/yara_mixed_ext_vars.yar
+++ b/yara/yara_mixed_ext_vars.yar
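Review bot: The condition of `MAL_CobaltStrike_Beacon_Loader_Feb26` reads `uint16(0) == 0x5a4d and all of ($opa*) or all of ($opb*)`, and because YARA binds `and` tighter than `or`, the MZ header check gates only the `$opa` branch while `all of ($opb*)` alone fires on any file type. If the header check is meant to cover both alternatives, as it does in `MAL_Chrysalis_DllLoader_Feb26` and `MAL_POC_Microsoft_Warbird_Loader_Feb26`, wrap them: `uint16(0) == 0x5a4d and ( all of ($opa*) or all of ($opb*) )`. The five new rules also carry no `id` meta field, which every existing rule touched in `yara/yara_mixed_ext_vars.yar` in this same commit has, so it is worth confirming they are covered by whatever step assigns those ids. `MAL_POC_Microsoft_Warbird_Loader_Feb26` rests on a single 8-byte constant at score 75; a short comment on `$op` stating what the constant is and why it is considered specific to the POC would help whoever tunes the rule later.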
@@ -6,59 +6,58 @@
 */
 import "pe"
-import "math"
+import "math"
 rule Acrotray_Anomaly {
- meta:
- description = "Detects an acrotray.exe that does not contain the usual strings"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 75
- id = "e3fef644-e535-5137-ac98-2fd1b7ca4361"
- strings:
- $s1 = "PDF/X-3:2002" fullword wide
- $s2 = "AcroTray - Adobe Acrobat Distiller helper application" fullword wide
- $s3 = "MS Sans Serif" fullword wide
- $s4 = "COOLTYPE.DLL" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 3000KB
- and ( filename == "acrotray.exe" or filename == "AcroTray.exe" )
- and not all of ($s*)
+ meta:
+ description = "Detects an acrotray.exe that does not contain the usual strings"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ score = 75
+ id = "e3fef644-e535-5137-ac98-2fd1b7ca4361"
+ strings:
+ $s1 = "PDF/X-3:2002" fullword wide
+ $s2 = "AcroTray - Adobe Acrobat Distiller helper application" fullword wide
+ $s3 = "MS Sans Serif" fullword wide
+ $s4 = "COOLTYPE.DLL" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 3000KB
+ and (filename == "acrotray.exe" or filename == "AcroTray.exe")
+ and not all of ($s*)
 }
 rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
- meta:
- description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
- date = "2016-06-14"
- id = "97b844a4-0fa4-5850-8803-2212a69e3d16"
- strings:
- $s1 = "VMware, Inc." wide fullword
- $s2 = "Virtual hardware upgrade helper service" fullword wide
- $s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
- condition:
- uint16(0) == 0x5a4d and
- filename == "VmUpgradeHelper.exe" and
- not all of ($s*)
+ meta:
+ description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+ date = "2016-06-14"
+ id = "97b844a4-0fa4-5850-8803-2212a69e3d16"
+ strings:
+ $s1 = "VMware, Inc." wide fullword
+ $s2 = "Virtual hardware upgrade helper service" fullword wide
+ $s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
+ condition:
+ uint16(0) == 0x5a4d and
+ filename == "VmUpgradeHelper.exe" and
+ not all of ($s*)
 }
-rule IronTiger_Gh0stRAT_variant
-{
- meta:
- author = "Cyber Safety Solutions, Trend Micro"
- description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
- reference = "http://goo.gl/T5fSJC"
- id = "e7eeee0f-d7a1-5359-bc1f-5a2a883c7227"
- strings:
- $str1 = "Game Over Good Luck By Wind" nocase wide ascii
- $str2 = "ReleiceName" nocase wide ascii
- $str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
- $str4 = "Winds Update" nocase wide ascii fullword
- condition:
- uint16(0) == 0x5a4d and (any of ($str*))
- and not filename == "UpdateSystemMib.exe"
+rule IronTiger_Gh0stRAT_variant {
+ meta:
+ author = "Cyber Safety Solutions, Trend Micro"
+ description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
+ reference = "http://goo.gl/T5fSJC"
+ id = "e7eeee0f-d7a1-5359-bc1f-5a2a883c7227"
+ strings:
+ $str1 = "Game Over Good Luck By Wind" nocase wide ascii
+ $str2 = "ReleiceName" nocase wide ascii
+ $str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
+ $str4 = "Winds Update" nocase wide ascii fullword
+ condition:
+ uint16(0) == 0x5a4d and (any of ($str*))
+ and not filename == "UpdateSystemMib.exe"
 }
 rule OpCloudHopper_Cloaked_PSCP {
@@ -92,62 +91,60 @@ rule msi_dll_Anomaly {
 uint16(0) == 0x5a4d and filesize < 15KB and filename == "msi.dll" and $x1
 }
-rule PoS_Malware_MalumPOS_Config
-{
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+rule PoS_Malware_MalumPOS_Config {
+ meta:
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
 author = "Florian Roth (Nextron Systems)"
- date = "2015-06-25"
- description = "MalumPOS Config File"
- reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
- id = "0fd2b9c2-d016-5db2-8fcc-618df6c815de"
- strings:
- $s1 = "[PARAMS]"
- $s2 = "Name="
- $s3 = "InterfacesIP="
- $s4 = "Port="
- condition:
- all of ($s*) and filename == "log.ini" and filesize < 20KB
+ date = "2015-06-25"
+ description = "MalumPOS Config File"
+ reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
+ id = "0fd2b9c2-d016-5db2-8fcc-618df6c815de"
+ strings:
+ $s1 = "[PARAMS]"
+ $s2 = "Name="
+ $s3 = "InterfacesIP="
+ $s4 = "Port="
+ condition:
+ all of ($s*) and filename == "log.ini" and filesize < 20KB
 }
 rule Malware_QA_update_test {
- meta:
- description = "VT Research QA uploaded malware - file update_.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "VT Research QA"
- date = "2016-08-29"
- score = 80
- hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
- id = "8f319277-1eaf-559e-87ad-f4ab89b04ca5"
- strings:
- $s1 = "test.exe" fullword ascii
- $s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == "update.exe"
+ meta:
+ description = "VT Research QA uploaded malware - file update_.exe"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "VT Research QA"
+ date = "2016-08-29"
+ score = 80
+ hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
+ id = "8f319277-1eaf-559e-87ad-f4ab89b04ca5"
+ strings:
+ $s1 = "test.exe" fullword ascii
+ $s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == "update.exe"
 }
-
 /* These only work with external variable "filename" ------------------------ */
 /* as used in LOKI, THOR, SPARK --------------------------------------------- */
 rule SysInterals_PipeList_NameChanged {
- meta:
- description = "Detects NirSoft PipeList"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://goo.gl/Mr6M2J"
- date = "2016-06-04"
- score = 90
- hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
- id = "01afcf29-a74c-5be2-8b24-694a2802ef34"
- strings:
- $s1 = "PipeList" ascii fullword
- $s2 = "Sysinternals License" ascii fullword
- condition:
- uint16(0) == 0x5a4d and filesize < 170KB and all of them
- and not filename contains "pipelist.exe"
- and not filename contains "PipeList.exe"
+ meta:
+ description = "Detects NirSoft PipeList"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/Mr6M2J"
+ date = "2016-06-04"
+ score = 90
+ hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
+ id = "01afcf29-a74c-5be2-8b24-694a2802ef34"
+ strings:
+ $s1 = "PipeList" ascii fullword
+ $s2 = "Sysinternals License" ascii fullword
+ condition:
+ uint16(0) == 0x5a4d and filesize < 170KB and all of them
+ and not filename contains "pipelist.exe"
+ and not filename contains "PipeList.exe"
 }
 /*
@@ -160,23 +157,22 @@ rule SysInterals_PipeList_NameChanged { /* Rule Set ----------------------------------------------------------------- */ rule SCT_Scriptlet_in_Temp_Inet_Files { - meta: - description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - reference = "http://goo.gl/KAB8Jw" - date = "2016-04-26" - id = "8b729257-3676-59b2-961c-dae1085cbbf6" - strings: - $s1 = "" fullword ascii nocase - $s2 = "ActiveXObject(\"WScript.Shell\")" ascii - condition: - ( uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C ) /* " fullword ascii nocase + $s2 = "ActiveXObject(\"WScript.Shell\")" ascii + condition: + (uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C) /* 50000KB and not filename matches /WER/ } rule lsadump { meta: - description = "LSA dump programe (bootkey/syskey) - pwdump and others" - author = "Benjamin DELPY (gentilkiwi)" - score = 80 + description = "LSA dump programe (bootkey/syskey) - pwdump and others" + author = "Benjamin DELPY (gentilkiwi)" + score = 80 nodeepdive = 1 id = "3bfa8dd8-720d-5326-ac92-0fb96cf21219" strings: - $str_sam_inc = "\\Domains\\Account" ascii nocase - $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase - $hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 } - $str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 } - $hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00} + $str_sam_inc = "\\Domains\\Account" ascii nocase + $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase + $hex_api_call = { (41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 } + $str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 } + $hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00 } $fp1 = "Sysinternals" ascii $fp2 = "Apple Inc." ascii wide 
@@ -335,7 +328,7 @@ rule lsadump { $fp6 = "Bitdefender" wide fullword condition: uint16(0) == 0x5a4d and - (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey ) + (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey) and not 1 of ($fp*) and not filename contains "Regdat" and not filetype == "EXE" @@ -368,7 +361,7 @@ rule SUSP_ServU_Known_Mal_IP_Jul21_1 { score = 60 id = "118272a7-7ec9-568b-99e0-8cfe97f3f64e" strings: - $xip1 = "98.176.196.89" ascii fullword + $xip1 = "98.176.196.89" ascii fullword $xip2 = "68.235.178.32" ascii fullword $xip3 = "208.113.35.58" ascii fullword $xip4 = "144.34.179.162" ascii fullword @@ -387,7 +380,7 @@ rule SUSP_EXPL_Confluence_RCE_CVE_2021_26084_Indicators_Sep21 { score = 55 id = "395d37ea-1986-5fdd-b58c-562ae0d8be35" condition: - uint32be(0) == 0x7f454c46 /* ELF binary */ + uint32be(0) == 0x7f454c46 /* ELF binary */ and owner == "confluence" and not filepath contains "/confluence/" } @@ -406,7 +399,7 @@ rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 { $x03 = " target=\"_blank\">Cloudflare Bitly displays this warning when a link has been flagged as suspect. There are many" $x08 = "Something went wrong. Don't worry, your files are still safe and the Dropbox team has been notified." $x09 = "

sinkhole

" @@ -421,7 +414,7 @@ rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 { $x18 = "

Trend Micro Apex One

" $x19 = "Hitachi ID Identity and Access Management Suite" $x20 = ">http://www.fortinet.com/ve?vn=" - $x21 = "access to URL with fixed IP not allowed" // FritzBox + $x21 = "access to URL with fixed IP not allowed" // FritzBox $x23 = "Web Page Blocked" $x24 = "Malicious Website Blocked" $x25 = "

STOPzilla has detected" @@ -431,7 +424,7 @@ rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 { $g01 = "blocked access" fullword $g02 = "policy violation" fullword - $g03 = "violation of " + $g03 = "violation of " $g04 = "blocked by" fullword $g05 = "Blocked by" fullword $g07 = "Suspected Phishing" @@ -448,8 +441,8 @@ rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 { condition: extension == ".exe" and not uint16(0) == 0x5a4d and 1 of them or ( - extension == ".rar" or - extension == ".ps1" or + extension == ".rar" or + extension == ".ps1" or extension == ".vbs" or extension == ".bat" ) @@ -500,7 +493,6 @@ rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 { and math.entropy(0, 1024) >= 7.0 } - rule SUSP_Password_XLS_Unencrypted { meta: description = "Detects files named e.g. password.xls, which might contain unportected clear text passwords" 
@@ -512,24 +504,24 @@ rule SUSP_Password_XLS_Unencrypted {
 condition:
 // match password and the german passwort:
 (
- filename istartswith "passwor" or /* EN / DE */
- filename istartswith "contrase" or /* ES */
- filename istartswith "mot de pass" or /* FR */
- filename istartswith "mot_de_pass" or /* FR */
- filename istartswith "motdepass" or /* FR */
- filename istartswith "wachtwoord" /* NL */
+ filename istartswith "passwor" or /* EN / DE */
+ filename istartswith "contrase" or /* ES */
+ filename istartswith "mot de pass" or /* FR */
+ filename istartswith "mot_de_pass" or /* FR */
+ filename istartswith "motdepass" or /* FR */
+ filename istartswith "wachtwoord" /* NL */
 )
 and (
- // no need to check if an xls is password protected, because it's trivial to break
- (
- filename iendswith ".xls"
- and uint32be(0) == 0xd0cf11e0 // xls
- )
- or
- (
- filename iendswith ".xlsx"
- and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip
- )
+ // no need to check if an xls is password protected, because it's trivial to break
+ (
+ filename iendswith ".xls"
+ and uint32be(0) == 0xd0cf11e0 // xls
+ )
+ or
+ (
+ filename iendswith ".xlsx"
+ and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip
+ )
 )
 }
@@ -544,13 +536,53 @@ rule SUSP_Password_XLS_Encrypted {
 condition:
 // match password and the german passwort:
 (
- filename istartswith "passwor" or /* EN / DE */
- filename istartswith "contrase" or /* ES */
- filename istartswith "mot de pass" or /* FR */
- filename istartswith "mot_de_pass" or /* FR */
- filename istartswith "motdepass" or /* FR */
- filename istartswith "wachtwoord" /* NL */
+ filename istartswith "passwor" or /* EN / DE */
+ filename istartswith "contrase" or /* ES */
+ filename istartswith "mot de pass" or /* FR */
+ filename istartswith "mot_de_pass" or /* FR */
+ filename istartswith "motdepass" or /* FR */
+ filename istartswith "wachtwoord" /* NL */
 )
 and filename iendswith ".xlsx"
- and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2
+ and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2
+}
+
+rule SUSP_DLL_SideLoading_Characteristics_Feb26 {
+ meta:
+ description = "Detects suspicious log.dll used by Bitdefender Submission Wizard and seen being used in LotusBlossom toolkit"
+ author = "Florian Roth"
+ reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+ date = "2026-02-03"
+ score = 70
+ hash1 = "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"
+ strings:
+ $s1 = "log.dll" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d
+ and ( // this is what makes it suspicious
+ filesize < 300KB
+ or filesize > 500KB
+ )
+ and pe.exports("LogInit")
+ and pe.exports("LogWrite")
+ and $s1
+ and filename == "log.dll"
+}
+
+rule SUSP_Renamed_Bitdefender_Submission_Wizard_Feb26 {
+ meta:
+ description = "Detects renamed Bitdefender Submission Wizard, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
+ author = "X__Junior"
+ reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+ date = "2026-02-03"
+ score = 65
+ hash1 = "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924"
+ strings:
+ $s1 = "BDSubWiz.exe" wide fullword
+ $s2 = "Bitdefender Submission Wizard" wide
+ $s3 = "Software\\Bitdefender" wide
+ condition:
+ uint16(0) == 0x5a4d
+ and all of ($s*)
+ and not filename == "BDSubWiz.exe"
 }
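Review bot: `SUSP_Renamed_Bitdefender_Submission_Wizard_Feb26` excludes the genuine file name with a case-sensitive comparison, `not filename == "BDSubWiz.exe"`, so an unmodified copy stored as `bdsubwiz.exe` is reported as renamed; the other rules in this file handle the same problem with explicit casing pairs or `contains`/`iendswith`, and a case-insensitive form such as `not filename matches /^BDSubWiz\.exe$/i` closes the gap. In `SUSP_DLL_SideLoading_Characteristics_Feb26` the comment `// this is what makes it suspicious` would serve better if it stated the premise, e.g. `// legitimate Bitdefender log.dll is expected between 300KB and 500KB; anything outside that window is suspicious`, so the bounds can be re-checked when the vendor ships a new build. Both new rules also omit the `id` meta field that every other rule in this file carries, and the `license` field most of them have.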