Yara 4.0 brought along the base64
modifier! This enables us to detect on various portions of a large base64 encoded string.
Earlier today Qakbot distributed OneNote malware that used Base64 encoded powershell to download additonal payloads from external infrastructure. Todays rule detects OneNote files with suspicious base64 encoded powershell.
Here's the yara rule I wrote that today!
rule onenote_base64_malware {
meta:
author = "Colin Cowie"
description = "Detects OneNote files with base64 encoded powershell"
reference = "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama237_07.02.2023.txt"
strings:
$file_header = { E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 }
$log_supression = "@echo off" base64
$download = "powershell (new-object system.net.webclient).downloadfile(" base64
$rundll = "call ru%1ll32" base64
$programdata = "C:\\programdata\\" base64
condition:
$file_header at 0
and 3 of them
and filesize<1MB
}
Retrohunting with this rule found over 400 Qakbot samples uploaded to VirusTotal recently! Here are the various file naming schemas observed:
Cancellation.one
Document.one
Funds_######.one
Item.one
Note.one
Notes.one
Original.one