In the spirit of Halloween we’re giving away YARA signatures for TrickBot and Emotet. Last year we handed out signatures for malware TrickBot, Gh0stRAT and DarkComet haunting organizations worldwide.
This year, TrickBot remains an active threat despite a major takedown attempt by Microsoft, and experts warn it poses a risk to U.S. election security. Since Emotet is also in the news, and sometimes serves as the initial infection for TrickBot, we’re adding a signature to detect this evasive banking trojan.
Use these code-based “treats” to detect and hunt for the latest variants of these threats:
Why Code-based YARA Rules?
YARA rules today typically rely on strings, which can be easily replaced or encrypted by the attacker to avoid detection. Strings can also include a log message or hard-coded user agent which are criteria not guaranteed to be unique to that specific threat and can therefore lead to false positives.
Code-based rules by contrast are not subject to signature changes. Whereas a string or IP address can be replaced in a matter of minutes, changing the malware’s entire code base means the attacker must rewrite the code from scratch. This is a significant undertaking that takes time and effort, exponentially hurting the attacker’s ROI. The YARA signatures we have provided allow you to be more targeted with your hunting—generating hits only for files that contain the same malicious or unique code, rather than trusted or embedded libraries that are often common to many files.
The Code Doesn’t Lie
To see a real-life example of how code reuse detection is more tolerant to modifications than signature-based detection, check out Genetic Analysis vs. Fully Undetected Linux Threat. An attacker testing his malware for detection in VirusTotal went from 24 to 0 detections in the span of one hour just by making a few changes to its strings and encrypting them.
Don’t forget you can visit our GitHub repository year-round to hunt the latest variants of threats like APT15 and IPStorm. As a reminder, Intezer Analyze enterprise users can produce YARA signatures like these automatically for any classified threat.
Happy Halloween and stay safe!