Today I wanted to write a generic rule for suspicious archives with "cracked" software. Multiple threat groups package malware such as InfoStealers into "cracked" archives (frequently .zip or .rar). This great blog helped me learn more about rar detection:
The samples I reviewed to help guide today's rule were:

- Setup2023.zip / b5b547d7587e10ea5d0bb099e65f4fbed556f4cf
- RepackedSoft_1.26.rar / 0992aefe65e2471cba2936a0dd266ed30b3ca067
- Microsoft Office Cracked.zip / 0db424b09eeb15d4de69bba1f8ec9b66f96bfe65
Here is the YARA rule that I created for detecting suspicious archives with "cracked" software:
```yara
rule sus_cracks_archive {
    meta:
        author = "Colin Cowie"
        description = "Detects archives used for cracked software"
        references = "https://blog.xorhex.com/blog/onehundreddiscontiguousdaysofyara-day6/"
    strings:
        $rar_header = { 52 61 72 21 1A 07 00 }
        $cracker = "Cracker.dll" nocase
        $setup = "setup" nocase
    condition:
        (uint32(0) == 0x04034b50 or $rar_header at 0) // check for zip or rar
        and $cracker
        and $setup
}
```
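To make the rule's condition concrete, here is an added Python example (not the post's own code, and not a substitute for running YARA) that mirrors the same logic with the standard library: ZIP or RAR 4.x magic at offset 0, then a case-insensitive search for "Cracker.dll" and "setup" in the raw bytes. The sample archives and their names are constructed in memory for the demonstration and are unrelated to the hashes listed above.

```python
import io
import zipfile

# Magic bytes the rule keys on. The ZIP local file header "PK\x03\x04" reads as
# 0x04034b50 when taken as a little-endian uint32, which is what yara's
# uint32(0) compares against; the RAR pattern is the rule's $rar_header.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
# RAR 5.x archives carry a different signature. The rule only lists the 4.x
# bytes, and this check deliberately mirrors that, so RAR5 is not matched.
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"


def matches_sus_cracks_archive(data: bytes) -> bool:
    """Return True when the raw bytes satisfy the same condition as the rule:
    zip or RAR4 magic at offset 0, plus both "Cracker.dll" and "setup" found
    anywhere, compared case-insensitively like yara's nocase modifier."""
    starts_like_archive = data.startswith(ZIP_LOCAL_HEADER) or data.startswith(RAR4_SIGNATURE)
    if not starts_like_archive:
        return False
    lowered = data.lower()
    return b"cracker.dll" in lowered and b"setup" in lowered


def build_zip(entry_names):
    """Build an in-memory zip with stored (uncompressed) entries so the entry
    names and contents remain visible to a byte-level scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name in entry_names:
            zf.writestr(name, b"placeholder bytes, not a real binary")
    return buf.getvalue()


# Constructed samples (hypothetical names; none of these are real files).
SAMPLES = {
    "constructed_sus.zip": build_zip(["Setup.exe", "Cracker.dll", "readme.txt"]),
    "constructed_benign.zip": build_zip(["setup.exe", "license.txt"]),
    "constructed_rar4.rar": RAR4_SIGNATURE + b"\x00" * 16 + b"Setup.exe\x00CRACKER.DLL\x00",
    "constructed_rar5.rar": RAR5_SIGNATURE + b"\x00" * 16 + b"Setup.exe\x00Cracker.dll\x00",
    "constructed_not_archive.exe": b"MZ" + b"setup Cracker.dll",
}


def triage(samples):
    """Return the sorted names of the samples the check flags."""
    return sorted(name for name, data in samples.items() if matches_sus_cracks_archive(data))


if __name__ == "__main__":
    for name in triage(SAMPLES):
        print("flagged:", name)
```

Two points the example makes visible: YARA matches on the raw archive bytes, so with deflated entries only the entry names (written in cleartext in the local and central directory headers) are searchable, which is why a file named Setup.exe is enough to satisfy $setup; and because $rar_header is the RAR 4.x signature, a RAR5 archive (52 61 72 21 1A 07 01 00) containing the same strings is not matched by the rule or by this check.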
At first I attempted to write a rule that would detect only RedLine stealer related cracked software but had some issues and settled for this generic rule! This more generic rule had some nice results, including a large amount of "cracks" and "hacks" that were uploaded to transfer[.]sh.