# Nuclei file-scan template: flags files that contain strings associated with
# the "Bella" macOS tool. The matchers below are string groups; see the
# referenced binaryalert YARA rule for the original detection logic.
id: macos-bella-malware

info:
  name: Bella Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
  tags: malware,file,macos-bella

file:
  # Scan every file regardless of extension.
  - extensions:
      - all
    # A hit on any one matcher group is enough to report the file.
    matchers-condition: or
    matchers:
      # Group 1: runtime banners and status messages; any single string matches.
      - type: word
        part: raw
        words:
          - "Verified! [2FV Enabled] Account ->"
          - "There is no root shell to perform this command. See [rooter] manual entry."
          - "Attempt to escalate Bella to root through a variety of attack vectors."
          - "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
        condition: or
      # Group 2: internal identifiers; all three must be present (and-condition).
      - type: word
        part: raw
        words:
          - "user_pass_phish"
          - "bella_info"
          - "get_root"
        condition: and
      # Group 3: setup prompts; both strings must be present (and-condition).
      - type: word
        part: raw
        words:
          - "Please specify a bella server."
          - "What port should Bella connect on [Default is 4545]:"
        condition: and

# Template signature line produced by Nuclei's template signing; it is expected
# to cover the template text, so edits to this file likely require re-signing.
# digest: 490a00463044022020ad29e486e7bd8f7024226d48a543032ac746afc8e929c68a189b2c3d312b9a02207489384ec2fcb05068a934ad391a9fcbdae8d9b1774000a5d2a643b12a2cd62a:922c64590222798bb761d5b6d8e72950