For todays rule I wanted to practice more with using the VirusTotal yara module.
Recently proofpoint shared recent about a new threat actor they track as TA866:
Todays rule uses the VT module to detect javascript files that download a msi file.
Here's the yara rule I wrote for detecting javascript downloading a .msi file!
import "vt"
rule sus_js_msi_download {
meta:
author = "Colin Cowie"
description = "Detects JavaScript files downloading a MSI"
reference = "2cd65ad25be03b25c6deb73ddc4697ff39953742"
condition:
vt.metadata.file_type == vt.FileType.JAVASCRIPT // Check for .js file type
and for any c in vt.behaviour.http_conversations : (
c.request_method == vt.Http.Method.GET // Check sandbox network data for a GET request
and
c.url endswith ".msi" //Check for .msi in URL
)
and filesize<500KB
}
Retrohunting with this rule found a few C2 servers not mentioned in the proofpoint write up including:
- 79.137.198.61
- 79.137.198.67
The matched files from retrohunting* can be found here:
(This post was written while the retrohunting was only 75% done.)