id: macos-bella-malware

info:
  name: Bella Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
  tags: malware,file,macos-bella

file:
  - extensions:
      - all

    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "Verified! [2FV Enabled] Account ->"
          - "There is no root shell to perform this command. See [rooter] manual entry."
          - "Attempt to escalate Bella to root through a variety of attack vectors."
          - "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
        condition: or

      - type: word
        part: raw
        words:
          - "user_pass_phish"
          - "bella_info"
          - "get_root"
        condition: and

      - type: word
        part: raw
        words:
          - "Please specify a bella server."
          - "What port should Bella connect on [Default is 4545]:"
        condition: and