id: macos-bella-malware info: name: Bella Malware - Detect author: daffainfo severity: info reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara tags: malware,file file: - extensions: - all matchers-condition: or matchers: - type: word part: raw words: - "Verified! [2FV Enabled] Account ->" - "There is no root shell to perform this command. See [rooter] manual entry." - "Attempt to escalate Bella to root through a variety of attack vectors." - "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER." condition: or - type: word part: raw words: - "user_pass_phish" - "bella_info" - "get_root" condition: and - type: word part: raw words: - "Please specify a bella server." - "What port should Bella connect on [Default is 4545]:" condition: and