38 lines
1.0 KiB
YAML
38 lines
1.0 KiB
YAML
|
id: macos-bella-malware
|
||
|
|
|
||
|
|
info:
|
||
|
|
name: Bella Malware - Detect
|
||
|
|
author: daffainfo
|
||
|
|
severity: info
|
||
|
|
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
|
||
|
|
tags: malware,file
|
||
|
|
|
||
|
|
file:
|
||
|
|
- extensions:
|
||
|
|
- all
|
||
|
|
|
||
|
|
matchers-condition: or
|
||
|
|
matchers:
|
||
|
|
- type: word
|
||
|
|
part: raw
|
||
|
|
words:
|
||
|
|
- "Verified! [2FV Enabled] Account ->"
|
||
|
|
- "There is no root shell to perform this command. See [rooter] manual entry."
|
||
|
|
- "Attempt to escalate Bella to root through a variety of attack vectors."
|
||
|
|
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
|
||
|
|
condition: or
|
||
|
|
|
||
|
|
- type: word
|
||
|
|
part: raw
|
||
|
|
words:
|
||
|
|
- "user_pass_phish"
|
||
|
|
- "bella_info"
|
||
|
|
- "get_root"
|
||
|
|
condition: and
|
||
|
|
|
||
|
|
- type: word
|
||
|
|
part: raw
|
||
|
|
words:
|
||
|
|
- "Please specify a bella server."
|
||
|
|
- "What port should Bella connect on [Default is 4545]:"
|
||
|
|
condition: and
|