[ SEA-GHOST MINI SHELL]

Path : /usr/local/scan/lw-yara/includes/
FILE UPLOADER :
Current File : //usr/local/scan/lw-yara/includes/BabaYaga.yar

// implemented WORDFENCE RULES from the following whitepaper writeup:
// https://www.wordfence.com/wp-content/uploads/2018/06/Wordfence-BabaYaga-WhitePaper.pdf
//

rule WFYARAGEN_G4129_rules_1
{
	meta:

	description = "Malicious code meant to look like WordPress core"
	
	strings:

	$re = /\@include\s*\(\s*ABSPATH\s*\.\s*WPINC\s*\.\s*['"]\/Requests\/IPconfig\.ini['"]/ nocase

	condition:
	$re

}

rule WFYARAGEN_G4290_rules_1
{

	meta:

	description = "Matches a URL-encoded string with magic bytes fitting a zlib stream"

	strings:
	$re = /^x\%(?:01|25|9C|DA|5E)[\%A-Za-z\d\.\-\+\_]+$/ nocase

	condition:
	$re
}

rule WFYARAGEN_G4361_rules_1
{
	meta:

	description = "Unique enough typo found in some of the backdoor code"

	strings:

	$re = /usecloack/ nocase

	condition:
	$re
}

rule WFYARAGEN_G4399_rules_1
{
	meta:

	description = "Not relying on the typo to detect the backdoor here"

	strings:
	$re =/\$(?P<var>[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)\s*\=\s*md5\s*\(\s*__FILE__\s*\)\s*\;[\s\S]{1,500}?=\s*['"]ke['"]\s*\.\s*\$(?P=var)\s*\.\s*['"]ys['"]\s*\;[^=]+\=\s*['"]use['"]\s*\.\s*\$(?P=var)\s*\.\s*['"]ragents/ nocase

	condition:
	$re
}


rule WFYARAGEN_G45_rules_2
{
	meta:

	description = "Catches generic backdoor - setting an option"

	strings:
	$re = /\$home_cwd\s*+=\s*+@getcwd\s*+\(\s*+\)\s*+;\s*+if\s*+\(\s*+isset\s*+\(\s*+\$_POST\s*+\[\s*+['"]\w{1,10}\s*+['"]\s*+\]\s*+\)\s*+\)\s*+@chdir\s*+\(\s*+\$_POST\s*+\[\s*+['"]\w{1,10}['"]\s*+\]\s*+\)\s*+;\s*+\$cwd\s*+=\s*+@getcwd\s*+\(\s*+\)\s*+;\s*+if\s*+\(\s*+\$os\s*+==\s*+['"]\s*+win\s*+['"]\s*+\)/ nocase

	condition:
	$re
}


rule WFYARAGEN_G1535_rules_2
{
	meta:
	description = "Obfuscated eval-gzinflate"

	strings:
	$re = /@\$\w+\s*?=\s*?"\s*?e\\x76\\x61l\s*?\(\s*?\\x67\\x7Ai\\x6E\\x66\\x6C\\x61t\\x65\s*?\(/ nocase

	condition:
	$re
}

rule WFYARAGEN_G1832_rules_3
{
	meta:

	description = "Matches file used in various infections"

	strings:

	$re = /^0\.5\.2\.2\s*?0\.83\.4\.1\s+?1\.0\.145\.2\s+?1\.0\.145\.210\s+?1\.0\.177\.126/ nocase

	condition:
	$re
}

rule WFYARAGEN_G736_rules_8
{

	meta:

	description = "Matches backdoor found in infections - assert-eval"

	strings:

	$re = /if\s*\(\s*\w{1,255}\s*\(\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*'\s*\w{1,255}\s*'\s*\]\s*\)\s*\)\s*\w{1,255}\s*\(\s*stripslashes\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*bot\s*\]\s*\)\s*\)\s*;/ nocase

	condition:
	$re
}

rule WFYARAGEN_G736_rules_9
{

	meta:
	description = "Part of malware, basic backwards obfuscation"

	strings:

	$re = /strrev\s*\(\s*['"]\s*=ecruos&wordpress\?\/moc\.yadot-syasse\/\/:ptth\s*['"]\s*\)\s*;/ nocase

	condition:
	$re
}

rule WFYARAGEN_G4304_rules_1
{

	meta:
	
	description = "htaccess rule used to limit access to pages"

	strings:

	$re = /RewriteCond \%\{HTTP_USER_AGENT\}\!en\.support\.wordpress\.com\s+RewriteRule \.\* \- \[R=404\]/ nocase

	condition:
	$re
}

rule WFYARAGEN_G4472_rules_1
{

	meta:

	description = "Double-var fn around base64 string"

	strings:

	$re = /\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*\(\s*\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*\(\s*['"][A-Za-z\d\/\+]+=*['"]\s*\)/

	condition:
	$re
}

SEA-GHOST - SHELL CODING BY SEA-GHOST