From 6e1ee529a93bffd8b4148ec47eef3a98925cd5f1 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Tue, 17 Nov 2020 18:20:20 +0100
Subject: [PATCH] Update APT_APT_27_Nov_2020_1.yar
---
.../2020-11-17/Yara/APT_APT_27_Nov_2020_1.yar | 48 +++++++++----------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/China/APT/APT27/2020-11-17/Yara/APT_APT_27_Nov_2020_1.yar b/China/APT/APT27/2020-11-17/Yara/APT_APT_27_Nov_2020_1.yar
index 5e2fe4e..6962086 100644
--- a/China/APT/APT27/2020-11-17/Yara/APT_APT_27_Nov_2020_1.yar
+++ b/China/APT/APT27/2020-11-17/Yara/APT_APT_27_Nov_2020_1.yar
@@ -1,6 +1,6 @@
-rule APT_APT_27_Nov_2020_1 {
- meta:
- description = "Detect APT27 ELF rootkit"
+rule APT_APT_27_Nov_2020_1 {
+ meta:
+ description = "Detect APT27 ELF rootkit"
author = "Arkbird_SOLG"
reference = "Internal Research"
date = "2020-11-16"
@@ -10,26 +10,26 @@ rule APT_APT_27_Nov_2020_1 {
hash4 = "7de86f83f18c6c8ded0d75ab2f84f34ab115dd84d36b7e490e2bd456f77a78ce"
hash5 = "cc1455e3a479602581c1c7dc86a0e02605a3c14916b86817960397d5a2f41c31"
strings:
- $s1 = "bypass_iptables" fullword ascii
- $s2 = "PortforwardThread" fullword ascii
- $s3 = "getfiles" fullword ascii
- $s4 = "%o%o%s:%s%llu
" fullword ascii
- $s5 = "portforward.c" fullword ascii
- $s6 = "LOGNAME=root" fullword ascii
- $s7 = "xorkeys" fullword ascii
- $s8 = "USERNAME=root" fullword ascii
- $s9 = "PortMapThread" fullword ascii
- $s10 = "USER=root" fullword ascii
- $s11 = "encrypt_pty" fullword ascii
- $s12 = "encrypt_code" fullword ascii
- $s13 = "DownFile" fullword ascii
- $s14 = "get_randstr" fullword ascii
- $s15 = "PtyShell" fullword ascii
- $s16 = "encrypt.c" fullword ascii
- $s17 = "ReConnect" fullword ascii
- $s18 = "saferecv" fullword ascii
- $s19 = "sendudp" fullword ascii
- $s20 = "safesend" fullword ascii
+ $s1 = "PortforwardThread" fullword ascii
+ $s2 = "bypass_iptables" fullword ascii
+ $s3 = "gethostbyname@@GLIBC_2.2.5" fullword ascii
+ $s4 = "getfiles" fullword ascii
+ $s5 = "%o%o%s:%s%llu
" fullword ascii
+ $s6 = "portforward.c" fullword ascii
+ $s7 = "execve@@GLIBC_2.2.5" fullword ascii
+ $s8 = "LOGNAME=root" fullword ascii
+ $s9 = "xorkeys" fullword ascii
+ $s10 = "PortMapThread" fullword ascii
+ $s11 = "USER=root" fullword ascii
+ $s12 = "USERNAME=root" fullword ascii
+ $s13 = "getpid@@GLIBC_2.2.5" fullword ascii
+ $s14 = "encrypt.c" fullword ascii
+ $s15 = "DownFile" fullword ascii
+ $s16 = "fgets@@GLIBC_2.2.5" fullword ascii
+ $s17 = "encrypt_pty" fullword ascii
+ $s18 = "getgrgid@@GLIBC_2.2.5" fullword ascii
+ $s19 = "ReConnect" fullword ascii
+ $s20 = "getsockopt@@GLIBC_2.2.5" fullword ascii
condition:
- uint16(0) == 0x7f45 and filesize > 25KB and 12 of ($s*)
+ uint16(0) == 0x457f and filesize > 20KB and 12 of them
}
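Review bot: The six new `…@@GLIBC_2.2.5` strings ($s3, $s7, $s13, $s16, $s18, $s20) are unlikely to ever match: the `name@@VERSION` form is how binutils (`nm -D`, `objdump -T`) renders versioned imports, whereas in the ELF file itself the symbol name lives in `.dynstr` and the version string in `.gnu.version_r` as separate NUL-terminated strings, so the rule is effectively `12 of` only 14 matchable strings and is stricter than the old version — worth confirming with `yara -s` against hash1–hash5. If that holds, the dropped function-name strings (`saferecv`, `safesend`, `sendudp`, `PtyShell`) are better candidates to restore in their place, since they are specific to this rootkit while `USER=root`/`LOGNAME=root`/`USERNAME=root` are generic. Separately, `$s5` spans two lines in the hunk; if that is a real line break in the file rather than a rendering of `\n`, yarac will reject the rule, so it should read `$s5 = "%o%o%s:%s%llu\n" fullword ascii`. The condition also has no upper `filesize` bound, which is cheap to add and limits scanning cost on large ELF files.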