YARA Signature to detect LURK0 Remote Access Trojan (RAT) Malware

By | June 18, 2015

private rule LURK0Header : Family LURK0 {
meta:
description = “5 char code for LURK0”
author = “Katie Kleemola”
last_updated = “07-21-2014”

strings:
$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }

condition:
any of them
}

private rule CCTV0Header : Family CCTV0 {
meta:
description = “5 char code for LURK0”
author = “Katie Kleemola”
last_updated = “07-21-2014”

strings:
//if its just one char a time
$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
// bit hacky but for when samples dont just simply mov 1 char at a time
$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }

condition:
any of them
}

private rule SharedStrings : Family {
meta:
description = “Internal names found in LURK0/CCTV0 samples”
author = “Katie Kleemola”
last_updated = “07-22-2014”

strings:
// internal names
$i1 = “Butterfly.dll”
$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
$i3 = “ETClientDLL”

// dbx
$d1 = “\\DbxUpdateET\\” wide
$d2 = “\\DbxUpdateBT\\” wide
$d3 = “\\DbxUpdate\\” wide

// other folders
$mc1 = “\\Micet\\”

// embedded file names
$n1 = “IconCacheEt.dat” wide
$n2 = “IconConfigEt.dat” wide

$m1 = “\x00\x00ERXXXXXXX\x00\x00” wide
$m2 = “\x00\x00111\x00\x00” wide
$m3 = “\x00\x00ETUN\x00\x00” wide
$m4 = “\x00\x00ER\x00\x00” wide

condition:
any of them //todo: finetune this

}

rule LURK0 : Family LURK0 {

meta:
description = “rule for lurk0”
author = “Katie Kleemola”
last_updated = “07-22-2014”

condition:
LURK0Header and SharedStrings

}

rule CCTV0 : Family CCTV0 {

meta:
description = “rule for cctv0”
author = “Katie Kleemola”
last_updated = “07-22-2014”

condition:
CCTV0Header and SharedStrings

}

Share Button