40 lines
1.2 KiB
YAML
40 lines
1.2 KiB
YAML
id: macos-bella-malware
|
|
|
|
info:
|
|
name: Bella Malware - Detect
|
|
author: daffainfo
|
|
severity: info
|
|
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
|
|
tags: malware,file,macos-bella
|
|
file:
|
|
- extensions:
|
|
- all
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "Verified! [2FV Enabled] Account ->"
|
|
- "There is no root shell to perform this command. See [rooter] manual entry."
|
|
- "Attempt to escalate Bella to root through a variety of attack vectors."
|
|
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
|
|
condition: or
|
|
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "user_pass_phish"
|
|
- "bella_info"
|
|
- "get_root"
|
|
condition: and
|
|
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "Please specify a bella server."
|
|
- "What port should Bella connect on [Default is 4545]:"
|
|
condition: and
|
|
|
|
# digest: 490a00463044022020ad29e486e7bd8f7024226d48a543032ac746afc8e929c68a189b2c3d312b9a02207489384ec2fcb05068a934ad391a9fcbdae8d9b1774000a5d2a643b12a2cd62a:922c64590222798bb761d5b6d8e72950
|