Merge branch 'zardoor' into 'master'

New Queries: Zardoor Mutexes & Modules See merge request malware-team/osquery_queries!315
Cisco-Talos · Feb 2, 2024 · 5ff3f77 · 5ff3f77
2 parents 8ab4e19 + 81e92ff
commit 5ff3f77
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -784,6 +784,24 @@
                 "windows"
             ]
         },
+        "zardoor_mutex": {
+            "query": "SELECT object_name, object_type from winbaseobj WHERE object_type='Mutant' AND (object_name='ThreadMutex12453' OR object_name='3e603a07-7b2d-4a15-afef-7e9a0841e4d5' OR object_name like 'rrx_%' OR object_name='6c2711b5-e736-4397-a883-0d181a3f85ae');",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
+            "platform": [
+                "windows"
+            ]
+        },
+        "zardoor_modules": {
+            "query": "SELECT f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime,'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path = h.path WHERE (f.filename = 'oci.dll' OR f.filename = 'zor32.dll' OR f.filename = 'zar32.dll') AND f.directory = 'C:\\Windows\\System32';",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
+            "platform": [
+                "windows"
+            ]
+        },
         "ransomware_mountlocker_filepath": {
             "query": "SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE f.path LIKE '%RecoveryManual.html'; ",
             "interval": 86400,

diff --git a/win_malware/zardoor_modules.yaml b/win_malware/zardoor_modules.yaml
@@ -0,0 +1,24 @@
+Zardoor Modules:
+  query: SELECT f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime,"unixepoch","UTC") AS last_access_time, DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified, DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time, DATETIME(f.btime, "unixepoch", "UTC") AS creation_time, f.type 
+   FROM file f 
+   LEFT JOIN hash h ON f.path = h.path 
+   WHERE (f.filename = "oci.dll" OR f.filename = "zor32.dll" OR f.filename = "zar32.dll") AND f.directory = "C:\Windows\System32";
+  interval: 86400
+  snapshot: true
+  description: Zardoor backdoor components were written to disk and executed. Zardoor 
+    is a custom remote access tool (RAT) notably used by threat actors to maintain 
+    unauthorized access on the infected system. Once successfully executed, Zardoor 
+    can be used to execute arbitrary commands, interact with the file system, and 
+    connect to other systems on the local network.
+  references:
+  - c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
+  - f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
+  - a99a9f2853ff0ca5b91767096c7f7e977b43e62dd93bde6d79e3407bc01f661d
+  - 0058d495254bf3760b30b5950d646f9a38506cef8f297c49c3b73c208ab723bf
+  - d267e2a6311fe4e2dfd0237652223add300b9a5233b555e131325a2612e1d7ef
+  mitre_tactics:
+  - defense-evasion: TA0005
+  mitre_techniques:
+  - hide-artifacts: T1564
+  platform:
+  - windows
diff --git a/win_malware/zardoor_mutex.yaml b/win_malware/zardoor_mutex.yaml
@@ -0,0 +1,23 @@
+Zardoor Mutex:
+  query: SELECT object_name, object_type 
+    FROM winbaseobj 
+    WHERE object_type = "Mutant" AND (object_name = "ThreadMutex12453" OR object_name = "3e603a07-7b2d-4a15-afef-7e9a0841e4d5" OR object_name like "rrx_%" OR object_name = "6c2711b5-e736-4397-a883-0d181a3f85ae");
+  interval: 86400
+  snapshot: true
+  description: Zardoor backdoor components were written to disk and executed. Zardoor 
+    is a custom remote access tool (RAT) notably used by threat actors to maintain 
+    unauthorized access on the infected system. Once successfully executed, Zardoor 
+    can be used to execute arbitrary commands, interact with the file system, and 
+    connect to other systems on the local network.
+  references:
+  - c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
+  - f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
+  - a99a9f2853ff0ca5b91767096c7f7e977b43e62dd93bde6d79e3407bc01f661d
+  - 0058d495254bf3760b30b5950d646f9a38506cef8f297c49c3b73c208ab723bf
+  - d267e2a6311fe4e2dfd0237652223add300b9a5233b555e131325a2612e1d7ef
+  mitre_tactics:
+  - defense-evasion: TA0005
+  mitre_techniques:
+  - rundll32: T1218.011
+  platform:
+  - windows