// Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices - YARA Rules
//
// Four file-scan rules, one per hard-coded 32-byte AES key. Each rule is
// named after the first two bytes of the key it carries. The two global
// rules below restrict every match to ELF files smaller than 500KB.

import "elf"

// Size gate. As a global rule it must hold before any other rule compiled
// in the same namespace can match, so keep this file in its own namespace
// if it is loaded next to unrelated rule sets.
global private rule limit
{
    condition:
        filesize < 500KB
}

// Format gate: the elf module only reports a non-zero segment count for a
// file it parsed as ELF. Binaries without program headers are skipped too.
global private rule elf_file
{
    condition:
        elf.number_of_segments > 0
}

// NOTE(review): the description places the key at the beginning of the
// .data section, but the condition does not anchor on any offset or
// section; the 32 bytes match wherever they occur in the file. The same
// applies to the three rules that follow.
rule ngioweb_4B87
{
    meta:
        author = "Fernando Merces @ Trend Micro FTR"
        description = "AES key in the beginning for the .data section"
        target_entity = "file"
        date = "2024-07-04"

    strings:
        $aes_key = { 4B 87 7D FA 47 0E 29 43 C0 F6 E1 C9 67 B0 BF 3B 5B 64 2E 00 50 F5 07 6F 78 7A 76 BC 40 EB C6 FE }

    condition:
        $aes_key
}

rule ngioweb_76EB
{
    meta:
        author = "Fernando Merces @ Trend Micro FTR"
        description = "AES key in the beginning for the .data section"
        target_entity = "file"
        date = "2024-07-04"

    strings:
        $aes_key = { 76 EB EB BA DA 54 D5 B3 2C C7 7D 7C 7D 2A A5 40 53 BA 9E 89 34 90 7F 90 C1 ED 1E B8 A1 7A FE 6A }

    condition:
        $aes_key
}

rule ngioweb_DB1F
{
    meta:
        author = "Fernando Merces @ Trend Micro FTR"
        description = "AES key in the beginning for the .data section"
        target_entity = "file"
        date = "2024-03-29"

    strings:
        $aes_key = { DB 1F 96 B2 06 79 F9 FB 9C BD 96 B2 42 AB 85 30 10 2C 01 05 B6 4C 83 C3 AE 54 4F 87 59 4A 6F A9 }

    condition:
        $aes_key
}

rule ngioweb_DDB3
{
    meta:
        author = "Fernando Merces @ Trend Micro FTR"
        description = "AES key in the beginning for the .data section"
        target_entity = "file"
        date = "2024-03-29"

    strings:
        $aes_key = { DD B3 D9 4E 5F 03 96 22 0E 6D 60 14 4F 99 C2 A6 5E 04 72 BE 5B 20 81 2C C9 A0 1F 83 35 92 FB 6B }

    condition:
        $aes_key
}