If you have access to VirusTotal Intelligence you can make use of the vt module for retrohunting and livehunting. For todays rule I wanted to learn more about the vt module and how it can be used to detect on file behavior.
In a IcedID infection reported by researchers earlier today a CobaltStrike DLL that used was observed:
Todays rule uses the VT module to detect DLLs that use the jquery cobaltstrike C2 profile
Here's the yara rule I wrote:
import "vt"
rule dll_cobaltstrike_profile {
meta:
author = "Colin Cowie"
description = "Detects DLLs performing a request to a known cobaltstrike mallable C2 profile"
reference = "https://github.com/pan-unit42/tweets/blob/master/2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt"
condition:
vt.metadata.file_type == vt.FileType.PE_DLL
and (
for any entry in vt.behaviour.http_conversations : (entry.url contains "/jquery" and entry.url contains ".min.js")
)
and filesize<1MB
}
Retrohunting with this rule had a somewhat small amount of matched files. Ideally this rule would be expanded to have other common CobaltStrike C2 profiles.
One of the matched files was:
- logs.dll / e8c806acdb51047c30ceabd419c176e3c085bb3fe009ed3e681f82ff72d05ea9
- C2:
https[:]//datamsupd[.]com/jquery-3.3.1.min.js
- C2: