From e3966f095be804d4f7ad85aaaa487f3f2e3702fc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 10 Dec 2024 17:16:51 +0100
Subject: [PATCH] Update expl_cleo_dec24.yar

---
 yara/expl_cleo_dec24.yar | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/yara/expl_cleo_dec24.yar b/yara/expl_cleo_dec24.yar
index 55f1731c..00aa5030 100644
--- a/yara/expl_cleo_dec24.yar
+++ b/yara/expl_cleo_dec24.yar
@@ -67,3 +67,44 @@ rule SUSP_EXPL_JAR_Indicators_Dec24 {
 and filesize < 20KB
 and all of them
 }
+
+rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 {
+ meta:
+ description = "Detects characteristics of JAVA files used during Cleo software exploitation (as reported by Huntress in December 2024) - files Cli, ScSlot, Slot, SrvSlot"
+ author = "Florian Roth"
+ reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
+ date = "2024-12-10"
+ score = 75
+ hash1 = "0c57b317b572d071afd8ccdb844dd6f117e20f818c6031d7ba8adcbd32be0617"
+ strings:
+ $a1 = "java/lang/StringBuffer"
+
+ $x1 = "Start-Sleep 3;del " ascii
+ $x2 = "sleep 3;rm -f '" ascii
+ $x3 = "powershell -Noninteractive -EncodedCommand " ascii
+ $x4 = "runDelFileCmd" ascii fullword
+ condition:
+ uint16(0) == 0xfeca
+ and filesize < 50KB
+ and $a1
+ and 1 of ($x*)
+}
+
+rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_2 {
+ meta:
+ description = "Detects characteristics of JAVA files used during Cleo software exploitation (as reported by Huntress in December 2024) - file Proc"
+ author = "Florian Roth"
+ reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
+ date = "2024-12-10"
+ score = 75
+ hash1 = "1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726"
+ strings:
+ $s1 = "Timeout getting pipe-data" ascii fullword
+ $s2 = "Ftprootpath" ascii fullword
+ $s3 = "Rest cmd=" ascii fullword
+ $s4 = "writeToProc" ascii fullword
+ condition:
+ uint16(0) == 0xfeca
+ and filesize < 30KB
+ and 3 of them
+}
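Review bot: In EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 the condition `and $a1 and 1 of ($x*)` fires on any small class file that references `java/lang/StringBuffer` (a near-universal constant-pool entry, so `$a1` adds almost no selectivity) plus a single `$x*` hit, and `$x3` (`powershell -Noninteractive -EncodedCommand `) on its own looks like something benign Java admin or deployment tooling could legitimately contain, which at score 75 is a false-positive risk the self-delete fragments `$x1`/`$x2` do not carry. Consider tightening to `and (1 of ($x1, $x2, $x4) or 2 of ($x*))` so `$x3` alone is not sufficient, or lower the score and say so in the description. The rule name `..._Dec24_1_1` next to the sibling `..._Dec24_2` looks like a typo for `..._Dec24_1`; since both rules are new in this commit, renaming now is cheap, whereas renaming later breaks downstream references. The first rule's description names four files (Cli, ScSlot, Slot, SrvSlot) but `hash1` gives a single hash, so note which of the four it belongs to, e.g. append ` (hash1: Cli)` to the description, so analysts can reproduce the match.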